Average Ransom Payment Dropped by 34% in Q1, 2022

Share this article on:

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906.

The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median company size has been falling since Q4, 2020, and is now companies with around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but not so large that attacks will result in considerable scrutiny by law enforcement.

Another reason why total ransom payments have fallen is fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019 to 46% of victims in Q1, 2022. Also, some of the most prolific ransomware operations have gone quiet, such as Maze and REvil (Sodinokibi).

Conti and LockBit are the most prolific ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware suggests that the affiliates who work with ransomware-as-a-service operations appear to be less keen to work with large RaaS groups, as those groups are often targeted by law enforcement. It is now common for affiliates to try smaller RaaS operations or even develop their own ransomware variants from leaked source code.

The most common attack vectors in ransomware attacks are phishing, Remote Desktop Protocol connections, and exploiting unpatched vulnerabilities in software and operating systems. Coveware has tracked an increase in other attack vectors since Q2, 2021, such as social engineering and the direct compromising of insiders. Social engineering attacks are similar to phishing but are highly targeted and often involve priming or grooming targeted employees before convincing them to provide access to the network. There has also been an increase in lone wolf attackers. Coveware identified the trend in late 2021, and it has continued throughout Q1, 2022. Attacks by these threat actors are often conducted on companies that have far better security than the average ransomware victim, such as multi-factor authentication properly enabled for all employees and critical resources.

In late 2019, the Maze ransomware operation started using double extortion tactics, where data is stolen from victims before files are encrypted. Payment must then be made for the decryptor and to prevent the publication or sale of stolen data. These tactics were rapidly adopted by many ransomware operations and became the norm, although there was a decline in attacks involving encryption and extortion in Q1, 2022. Double extortion was used in 84% of attacks in Q4, 2021, and 77% of attacks in Q1, 2022. While double extortion is likely to continue to be extensively used in attacks for the foreseeable future, Coveware expects the shift from data encryption to data extortion to continue, as data theft and naming and shaming victims are less likely to attract the attention of law enforcement. “Data theft without encryption results in no operational disruption but preserves the ability of the threat actor to extort the victim. We expect this shift from Big Game Hunting to Big Shame Hunting to continue,” explained Coveware in the report.

Coveware warned about paying the ransom to prevent the publication or sale of data, as there are no guarantees that payment will result in data deletion. In 63% of attacks where a ransom was paid to prevent publication or sale of stolen data, the attackers provided no proof of data deletion. In the remaining attacks where proof was provided, it could easily have been faked. When videos, screenshots, live screen shares, or deletion logs are provided as proof, victims must trust that a copy of the data has not been made. “In one notable case, we observed a threat actor explicitly state that they would not be deleting the stolen data if paid, and would keep it for future leverage against the victim,” said Coveware.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On