Ransomware payments are declining as more victims refuse to pay
Coveware data shows that the average payment decreased by 34% to £112,800 in the fourth quarter of 2020
The average ransom payment to hackers decreased by more than a third in the fourth quarter of 2020 as more victims opted not to pay up.
Coveware’s data, gathered from ransomware incidents the company helped companies respond to in Q4 2020, showed that average ransomware payments decreased by 34% to $154,000 (around £112,800) while median payments dropped 55% from $110,532 (£81,000) to $49,450 (£36,000) over the same period.
The findings indicate a reversal of a trend that saw average ransom payments steadily increase since at least Q4 2018. There was even an increase between the first and third quarter of last year, with average payments increasing from $111,605 (£81,000) to $233,817 (£171,000).
Coveware’s data also showed that fewer organisations gave in to cyber extortion demands if they had a chance to recover data from backups during the final quarter of 2020. Although seven in ten of the ransomware attacks responded to last quarter involved data exfiltration and the use of stolen data as leverage to try and force victims to pay, Coveware noted that victims are beginning to realise that doing so is unlikely to prevent the release of stolen data.
Around 60% of ransomware victims opted to pay in Q4, according to the findings, compared with almost 75% in the previous quarter, and Coveware noted that it continues to witness signs that stolen data is not deleted or purged after payment.
The total economic impact of IBM Security Verify
Cost savings and business benefits enabled by IBM Security VerifyDownload now
"Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur," the security firm said. "These tricks and tactics put a premium on ensuring that threats are thoroughly validated."
This is the first quarter since Coveware has been tracking data that RDP compromise has not been the primary attack vector. The company said that malware such as Trickbot and Emotet favour widespread phishing campaigns as their primary delivery mechanism.
"Unlike ransomware malware, these threats possess worming capabilities that allow them to stealthily proliferate through a high volume of enterprise networks," Coveware commented. "There they lay down secure footholds that are sold further down the supply chain to ransomware actors. We expect a reshuffling of attack vectors to occur in the wake of the Emotet takedown."
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilienceFree Download
Cloud operational excellence
Everything you need to know about optimising your cloud operationsWatch now
A buyer’s guide to board management software
Improve your board’s performance
The real world business value of Oracle autonomous data warehouse
Lead with a 417% five-year ROIDownload now