Sunday, October 6, 2024
HomeCVE/vulnerabilityRansomware Victims Who Opt To Pay Ransom Hits Record Low

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Published on

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.

In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration. 

The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage. 

- Advertisement - EHA

The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.

Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations. 

Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them. 

Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.

There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage. 

Ransom Payments by Quarter

Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies. 

The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.

This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments. 

All Ransomware Payment Resolution Rates

According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains. 

Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase. 

Market Share of the Ransomware Attacks

Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.

Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708). 

Ransomware Attack Vectors

Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic. 

Percentage of cases vs Observed Traffic

Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.

Ransomware Impacted Companies by Size (Employee Count)

In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

CISA Warns of Four Vulnerabilities that Exploited Actively in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about four critical vulnerabilities currently...