Fewer victims are choosing to pay their ransomware extorters, especially among large enterprises, according to a recent investigation from Coveware. As a result of this, and other circumstances, we can see some shifts in the way that ransomware groups and their affiliates work.
An encouraging trend among large organizations is that they refuse to consider negotiations when ransomware groups demand impossibly high ransom amounts. As a result, the threat actors are responding by shifting their focus to the mid-market. That may explain why the median cost of ransom payments fell by 51 percent from the previous quarter, down to $36,300.
A contributing factor to the drop in payments is also the fact that some countries and states are banning municipal organizations from paying ransoms. Sanctions against Russia resulted in a decline of ransomware attacks and payments, but ransomware groups have taken measures to make attribution and branding harder. Groups like Conti were absorbed by existing and new Ransomware-as-a-Service (RaaS) groups such as Black Basta, BlackCat, Hive, and Quantum.
Law enforcement cracking down on ransomware has created the necessity for ransomware groups to use a more flexible infrastructure and be more vigilant when accepting new affiliates. We’ve also seen how law enforcement was able to recover some major ransom payments in recent years—a feat that, until recently, was nearly impossible or at least unheard of. This could be another reason for ransomware groups shifting to a larger quantity of smaller victims—when they attack large enterprises, they attract the attention of law enforcement and at least sometimes lose out on their ill-gotten gains.
Meanwhile, insurance companies are expecting the rise in premiums to continue. Their main problem is the inability to assess the cybersecurity level of their customers. A new market is developing where insurers will offer a reduction on pricing if you provide a quarterly report through a specific security platform, because they know it’s a good product that helps to improve cyberhygiene.
Data theft and extortion
The more advanced ransomware groups are already trying to extract as high a ransom as possible by using data extortion and leak sites as a means to increase the pressure on organizations. These sites publicly announce which companies have been hit by a ransomware group should the organization refuse to pay the ransom, tarnishing the company's reputation and threatening to publish its sensitive data online. More ransomware groups can be expected to use the tactics of extortion, shaming, and data leaks to convince their victims to pay.
With the shift from large botnets as the initial foothold to targeted attacks, affiliates can not only be more picky when it comes to their victims; some can also choose between RaaS providers or decide to proceed on their own. On the defense side this means we have to be ready for an increase in possible attack vectors, as we can expect affiliates to specialize in exploiting certain vulnerabilities.
Another change in tactics is to increase the number of possible targets. Almost every RaaS variant has stable Windows, Linux and ESXi versions, and as such is able to target every server, regardless of the operating system.
Branding used to be an important factor for ransomware groups. A strong brand could carry a reputation for effectively decrypting the files of victims that paid, and operating a leak site that punished non-paying victims. But brands make attribution easier, and all it takes is one high profile attack on a pipeline or hospital to foul the brand and draw geopolitical or law enforcement attention.
As a result, RaaS groups are keeping a lower profile and vetting both affiliates and their victims more thoroughly. That means affiliates are increasingly required to handle initial access, stolen data storage, and negotiations alone, which is likely to reduce their profits.
Not going away
Unfortunately, there are no signs that ransomware is going away. But fewer and smaller payments will certainly reduce the damage it is doing. And the reduction in payments will bring down the investments of RaaS groups in development and infrastructure, as well as the desire of affiliates to become increasingly independent.
If you haven’t already, put up a fight against ransomware.
Stay safe, everyone!