Ransomware Profits Dip as Fewer Victims Pay ExtortionAs Funding From Ransoms Goes Down, Gangs Embrace Re-Extortion, Researchers Warn
Bad news for ransomware groups: Experts find that earning an extortionate crypto-locking payday is getting harder as the world fortifies against the onslaught of criminal malware.
The bad guys can blame more would-be victims getting robust defenses in place, including well-rehearsed incident response plans, which make executing a successful attack harder. Also, law enforcement agencies mobilize earlier to assist victims, and by doing so they're learning better how attackers work and where they might strike next. Such intelligence is key to deterring future attacks.
Here's one sign of the impact of such changes: While 79% of victims paid a ransom in 2019, in 2022 only 41% of victims paid, reports ransomware incident response firm Coveware. That's despite the number of successful ransomware attacks appearing to remain constant.
Another sign: Fewer funds appear to be flowing to ransomware-wielding groups and affiliates, who are predominantly based in or around Russia. Based on currently available data, "2022's total ransomware revenue fell to at least $456.8 million in 2022 from $765.6 million in 2021 - a huge drop of 40.3%," reports blockchain intelligence firm Chainalysis.
Unfortunately, ransomware groups have a proven history of innovating when market conditions get tough. Coveware says attackers facing "financial strain" last quarter collectively focused more on hitting slightly larger organizations in pursuit of bigger ransom payments. So while fewer victims paid, from the third quarter to the fourth, the average ransom payment increased by 58% to $408,644, and the median payment increased by 342% to $185,972, based on thousands of cases Coveware helped investigate.
Supply and Demand
As the supply of victims willing to pay a ransom decreases, demand for these victims by ransomware groups appears to have been increasing, leading to higher operating costs and lower revenues, and apparently driving criminals to use more desperate tactics.
"Ransomware actors are first and foremost driven by economics, and when the economics are dire enough, they will stoop to levels of deception and duplicity to recoup their losses," Coveware says.
While there's no honor among thieves, some groups at least have a track record of doing what they promised and providing a decryptor when a victim paid.
Now, many attackers aren't honoring their promises, and attempts to re-extort victims are surging, Coveware says. That isn't a reference to double extortion, which means criminals charging one ransom for a decryptor and another for a promise to not leak data or to remove a victim from its data leak site. Re-extortion refers to a ransomware group demanding and receiving a ransom for an agreed result and then demanding the victim pay again - and again - for what it has already paid for.
But last year, more tightly held ransomware-as-a-service groups that primarily pursue midsize and large victims - including BlackByte, Hive, Quantum, Snatch and Vice Society - increasingly began re-extorting victims too, it says.
By acting unreliably, these groups appear to be shooting themselves in the foot. Who wants to pay a group of extortionists that has a history of failing to honor its promises?
Organizations collectively are getting better defenses in place and support when attackers do get through.
Law enforcement also seems to be having a positive impact on keeping victims from paying - not by prohibiting payments, but by helping victims, and also by helping others keep from falling victim. In particular, the FBI "subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable," Coveware says.
FBI officials say they're continuing to augment the bureau's ability to help victims, including for complex intrusions such as ransomware. "We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attaches and cyber assistant legal attaches," Bryan A. Vorndran, assistant director of the FBI's Cyber Division, testified before the House Judiciary Committee last year.
He added that this approach both "supports victims and allows us to learn how our adversaries operate - and who they might target next," and said this intelligence is shared with the Cybersecurity and Infrastructure Security Agency and other partners.
The chief executive of Kaseya, which develops management software used by managed service providers and which fell victim to REvil - aka Sodinokibi - ransomware in July 2021, says contacting the FBI "30 seconds into our incident" was key to his company's recovery.
"When we were hit, our playbook had as a standard process - luckily - to call the FBI the second something seemed suspicious. And we did just that," Kaseya CEO Fred Voccola wrote in a blog post last year about lessons learned from the attack. "To this day, it was the single best decision that I, as the CEO, and we as a company, made."
Of course, ransomware attacks continue, and as fewer victims pay, criminals might get more desperate in the tactics they employ, thus increasing the disruption and damage facing future individual victims.
The FBI says the best way for organizations to help themselves includes staying abreast of their ransomware intelligence reports and getting to know their local FBI field office - or other appropriate law enforcement agency - so they can contact it quickly in the event of an attack.
Another essential is to have solid, well-practiced incident response plans in place (see: Incident Response: Best Practices in the Age of Ransomware).
"Having worked with victims who had incident response plans versus those who did not, the difference is stark," the FBI's Vorndran told Congress. "Victims with incident response plans are often able to respond faster and more efficiently and can significantly limit the damage caused by a ransomware incident."
As ever with ransomware, the guiding mantra remains: Prepare now, or expect to pay more later.