from the you-made-me-an-offer-I-could-refuse dept.
Ransomware Profits Decline as Victims Dig In, Refuse to Pay
In another sign that the tide may finally be turning against ransomware actors, ransom payments declined substantially in 2022 as more victims refused to pay their attackers — for a variety of reasons.
If the trend continues, analysts expect ransomware actors to start demanding bigger ransoms from larger victims to try to compensate for falling revenues, while also increasingly going after smaller targets that are more likely to pay (but which represent potentially smaller payoffs).
"Our findings suggest that a combination of factors and best practices — such as security preparedness, sanctions, more stringent insurance policies, and the continued work of researchers — are effective in curbing payments," says Jackie Koven, head of cyber-threat intelligence at Chainalysis.
[...] "Enterprise organizations investing in cybersecurity defenses and ransomware preparedness are making a difference in the ransomware landscape," Koven says. "As more organizations are prepared, fewer need to pay ransoms, ultimately disincentivizing ransomware cybercriminals."
[...] Bill Siegel, CEO and co-founder of Coveware, says that insurance companies have influenced proactive enterprise security and incident response preparedness in a positive manner in recent years. After cyber-insurance firms sustained substantial losses in 2019 and 2020, many have tightened their underwriting and renewal terms and now require insured entities to have minimum standards like MFA, backups, and incident response training.
[...] "As the expected profitability of a given ransomware attack declines for cybercriminals, they have attempted to compensate by adjusting their own tactics," Coveware said. "Threat actors are moving slightly up the market to try and justify larger initial demands in the hopes that they result in large ransom payments, even as their own success rate declines."
Another sign is that many ransomware operators began re-extorting victims after extracting money from them the first time, Coveware said. Re-extortion has traditionally been a tactic reserved for small business victims. But in 2022, groups that have traditionally targeted mid- to large-size companies began employing the tactic as well, likely as a result of financial pressures, Coveware said.
Ransomware Victims are Finally Refusing to Pay Up
[...] Ransomware victims have realized that even if they pay the ransom, there's no guarantee they will get their data back or that the ransomware actor will delete the "stolen" files rather than selling them to third parties on the dark web. The public perception of the ransomware phenomenon has matured as well, so data leaks no longer carry the same brand-reputation risks they did a few years ago.
[...] Even though victims are not paying as much as before, the ransomware business is anything but dead: in 2022, the average lifespan of file-encrypting malware strains dropped from 153 days to just 70 days year-over-year. The "Conti" ransomware operation came to an end while other ransomware-as-a-service (RaaS) operations went live, including Royal, Play, and BlackBasta. LockBit, Hive, Cuba, BlackCat, and Ragna were still in business (and still asking for ransom payments) at the end of 2022.