
Coveware Reports Sharp Decline in Ransom Payments by Victims


In the second quarter of 2023, only 34% of victims paid the ransom in ransomware attacks, according to Coveware, an incident response firm. This represents a “record low” in the percentage of victims choosing to pay. Coveware attributed this decline to companies investing in security measures, continuity assets, and incident response training.

This decrease is a significant shift from previous quarters. In the first quarter of 2023, 45% of victims paid the ransom, compared to 77% in the third quarter of 2020 and 85% in the first quarter of 2019. The diminishing number of victims paying the ransom is a positive development in the fight against ransomware attacks.

Nevertheless, threat actors continue to adapt and evolve their attack tactics. One such innovation is the use of data exfiltration attacks, also known as DXF-only attacks. In these attacks, the threat actor steals a victim’s data and threatens to leak it as a means of extortion, without encrypting the victim’s network like conventional ransomware.

Although DXF-only attacks do not cause significant business disruption like encryption-based attacks, they can still cause brand damage and create notice obligations for the victim. The probability of a ransom being paid in DXF-only attacks is less than 50%, but the amount demanded by the threat actor is relatively high. This creates a medium level of expected profit for the attacker on average.

In recent months, DXF-only attacks have become more frequent. Threat analysts believe that these types of attacks pose a lower risk of law enforcement intervention compared to attacks that shut down or disrupt an enterprise or critical service. One notable example is the Clop ransomware gang’s campaign against customers of Progress Software’s MOVEit Transfer product. The gang exploited a zero-day vulnerability in MOVEit Transfer to steal confidential data from hundreds of customers.

Although the MOVEit Transfer attack did not involve encrypting victims’ data and systems, the Clop ransomware gang published the data of organizations that refused to pay the ransom. Security experts have expressed mixed opinions about the profitability of the campaign. Coveware estimated that Clop could earn $75-100 million from the MOVEit Transfer attacks, primarily from a small number of victims who paid high ransom amounts.

Some victims may be willing to pay millions of dollars for stolen data from a managed file transfer product due to concerns about brand and public relations damage. Coveware CEO and co-founder Bill Siegel explained that these companies fear the release of stolen data could harm their reputation.

The decline in ransom payments for DXF attacks is evident in Coveware’s data. In the second quarter of 2023, only 29% of DXF attack victims paid the ransom, compared to 53% in the first quarter of 2022. Siegel believes that extortion-only attacks are reaching a “tipping point” where fewer victims are willing to give in to the demands, although some companies still pay.

Despite the decrease in the percentage of victims paying the ransom, a recent report from cryptocurrency analytics firm Chainalysis shows that the total amount of ransom payments has surged. In the first half of 2023, ransomware actors have already extorted at least $449.1 million, representing a $175.8 million increase compared to the same period in 2022.

Overall, the decrease in ransomware payments is a positive trend, indicating that companies are becoming more resilient and better prepared to respond to attacks. However, threat actors are constantly evolving their tactics, and it is essential for organizations to continue investing in cybersecurity measures to protect themselves from these increasingly sophisticated attacks.
