Ransom Payment Data Suggests More Victims are Choosing Not to Pay

The average payment to ransomware gangs increased in Q2, 2022; however, there was a fall in the median payment for the second successive quarter, indicating more victims of ransomware attacks are choosing not to pay up. The data comes from the latest quarterly report from the ransomware remediation firm, Coveware. The average ransom payment in Q2, 2022 was $228,125, which is an 8% increase from the previous quarter. The median ransom payment was $36,360, which is a 51% decrease from Q1, 2022.

According to Coveware, the recent fall in payments reflects a change in the profile of attacked companies, with ransomware gangs now tending to focus on mid-market companies. Attacks on large enterprises are costlier to carry out because those organizations have large cybersecurity budgets, but the potential returns are greater. Attacks on mid-market firms mean the ransom demands must be smaller, but the risks associated with those attacks are also lower. Mid-market firms appear to be the sweet spot: the profits are high enough to make the attacks worthwhile, and the ransomware gangs are less likely to face geopolitical pressure and action by law enforcement. Coveware also notes a trend of large enterprises refusing to even engage with ransomware gangs if the initial ransom demand is too large.

When ransomware gangs started exfiltrating data prior to encrypting files, the percentage of victims paying ransoms increased, as many victims chose to pay, even if they had backups, to prevent the sale or public disclosure of the stolen data. In Q2, 2022, 86% of ransomware attacks involved data theft and a threat to release the stolen data publicly. While the ransom is demanded in exchange for not publishing the stolen data, Coveware notes that it has seen growing evidence that ransomware gangs are not making good on their promise to delete the data, which means the ransom payment was unnecessary.

If a ransomware attack involves data theft, Coveware says payment of the ransom does not mitigate the risk of harm, nor any liability the victim has to protect impacted parties. While some victims might view payment of the ransom as a way to protect against future class action lawsuits, “Paying a ransom is not going to thwart a meritless lawsuit, and there has been no case law to suggest that the risk of a suit happening, or the resulting settlements or damages are mitigated by paying a ransom,” said Coveware. Coveware also suggests that paying the ransom does not limit brand damage, nor does it show that a company has done everything to protect customers or clients. “A far better narrative is to be candid, honest, and contrite. Your impacted constituents will understand that this happens, and will appreciate the transparency.”


Q2, 2022 saw a change in the ransomware landscape following the shutdown of the Conti ransomware operation, whose members are now working with smaller ransomware operations. Ransomware attacks are now spread much more broadly across several smaller operations, with BlackCat having a market share of 16.9%, followed by LockBit 2.0 with 13.2%, Hive with 6.3%, and Quantum, Conti V2, Phobos, Black Basta, and AvosLocker, each with a market share of around 5%. There appears to be a trend of RaaS affiliates spreading their attacks across multiple ransomware brands.

As was the case in Q1, 2022, the most popular attack vector is still email phishing, although RDP compromise remains popular. The exploitation of software vulnerabilities and other attack vectors are also still used, and Coveware suggests that affiliates are not limiting themselves to a single attack vector.

In Q2, 2022, professional services was the most attacked sector, accounting for 21.9% of attacks, followed by the public sector (14.4%), healthcare (10%), and software services (9.4%). There was a slight increase in the number of attacks on healthcare organizations, which is largely due to the Hive ransomware gang expanding its operations. The Hive ransomware gang has no qualms about conducting attacks on the healthcare sector.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.