Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members aiming to undermine affiliate confidence.

In response, LockBit publicly exposed an affiliate payment dispute, potentially causing further affiliate migration. 

The behavior of a major RaaS group is puzzling, as the financial loss from the dispute seems insignificant compared to the reputational damage. 

The disappearance of RaaS groups like BlackCat disrupts ransomware affiliates, forcing them to decide their next steps.

Some may exit cybercrime entirely, while others may choose to go independent by leveraging leaked ransomware builders like Conti’s to develop their operations. 

Due to previous actions from organizations like REvil, which highlight a potential long-term trend of instability within the RaaS ecosystem, more people might continue to use the RaaS model despite the risk of developers cheating them. 

Q1 2024 saw a 32% drop in average ransom payments compared to Q4 2023, reaching $381,980.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Conversely, the median ransom payment rose 25% to $250,000, suggesting a shift in attacker tactics.

There was a decline in high-value targets paying ransoms and a rise in attackers targeting smaller organizations with more moderate demands to maintain negotiation leverage. 

Ransom Payments by Quarter

Ransomware payments hit a record low in Q1 2024, with only 28% of victims choosing to pay, which suggests that organizations are improving their resilience, potentially due to improved backup and recovery strategies. 

The trend of attackers continuing to leak data even after receiving payment discourages victims from paying.

This lack of trust, combined with evidence of previously paid-for data resurfacing, strengthens the case against ransomware payments. 

All Ransomware Payment Resolution Rates

According to Coverware, Akira remained the most prevalent ransomware variant in Q1 2024, as law enforcement disruptions and declining trust in LockBit and BlackCat caused a rise in alternative strains. 

Black Basta, a re-emerging threat, joined the top ranks alongside newcomers like BlackSuit and Rhysida, indicating a shift in RaaS (Ransomware-as-a-Service) affiliations, with some affiliates opting for Akira or new players while others move to independent operations, as seen with the Phobos increase. 

Market Share of the Ransomware Attacks

Attackers exploited readily available critical vulnerabilities (CVEs) in Q1 2024.

Patching was slow, allowing attackers like Akira, RansomHouse, BlackSuit, Play, and Lockbit to infiltrate systems through unpatched Cisco VPN products, Netscaler VPN virtual servers, and ScreenConnect instances using known CVEs (CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708). 

Ransomware Attack Vectors

Adversaries are increasingly using stolen credentials and legitimate tools to move laterally within a network, steal data (exfiltration), and disrupt core functions (impact) like deploying ransomware and target vulnerabilities in RDP, SMB, and ESXi to reach critical assets and often leverage common RMM software (AnyDesk, TeamViewer) for remote control disguised as regular traffic. 

Percentage of cases vs Observed Traffic

Initial footholds are established through phishing emails or exploiting unpatched systems, highlighting the importance of network segmentation, user hygiene, and up-to-date software.

Ransomware Impacted Companies by Size (Employee Count)

In the first quarter of 2024, ransomware attackers continued to exploit any vulnerabilities they found, regardless of the size of the company or industry, which is likely because it’s becoming harder to find easy targets.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…

24 hours ago

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…

3 days ago

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…

3 days ago

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…

3 days ago

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…

3 days ago

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…

3 days ago