Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.

In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration. 

The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage. 

The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.

Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations. 

Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them. 

Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.

There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage. 

Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies. 

The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.

This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments. 

All Ransomware Payment Resolution Rates

According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains. 

Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase. 

Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.

Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708). 

Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic. 

Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.

In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.