Saturday, May 25, 2024

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.

In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration. 

The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage. 

The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.

Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations. 

Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them. 

Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.

There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage. 

Ransom Payments by Quarter

Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies. 

The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.

This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments. 

All Ransomware Payment Resolution Rates

According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains. 

Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase. 

Market Share of the Ransomware Attacks

Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.

Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708). 

Ransomware Attack Vectors

Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic. 

Percentage of cases vs Observed Traffic

Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.

Ransomware Impacted Companies by Size (Employee Count)

In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles