Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.

In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration. 

The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage. 

The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.

Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations. 

Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them. 

Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.

There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage. 

Ransom Payments by Quarter

Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies. 

The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.

This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments. 

All Ransomware Payment Resolution Rates

According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains. 

Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase. 

Market Share of the Ransomware Attacks

Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.

Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708). 

Ransomware Attack Vectors

Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic. 

Percentage of cases vs Observed Traffic

Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.

Ransomware Impacted Companies by Size (Employee Count)

In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

10 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

10 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

13 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

16 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

17 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

17 hours ago