Ransomware in Q1 2024: Frequency, size of payments trending downwards, SMBs beware!

More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.

Ransomware Q1 2024

Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.

“LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”

Recent events are changing the ransomware ecosystem

With the distruption (temporary or otherwise) of big players like LockBit and Alphv/Blackcat and their attempts to cheat their affiliates of their due share for a successful attack, many affiliates have started searching for a safer port in the storm and smaller ransomware-as-a-service (RaaS) groups are trying to entice them to join their network.

GuidePoint researchers have recently advised ransomware victims (mostly small and medium size businesses) to think twice before paying off smaller/immature RaaS groups as they:

  • Have less to lose if they don’t keep their word
  • Often exaggerate their claims
  • Often re-extort their victims.

Sophos X-Ops has also discovered 19 cheap, crudely constructed ransomware variants that are being sold primarily on dark web forums to wannabe cybercriminals that want to avoid sharing their profits with (and getting ripped off by) RaaS gangs.

“These types of ransomware variants aren’t going to command the million-dollar ransoms like Cl0p and Lockbit but they can indeed be effective against SMBs, and for many attackers beginning their ‘careers,’ that’s enough,” says Christopher Budd, Sophos’ Director of Threat Research.

“More concerningly, this new ransomware threat poses a unique challenge for defenders. Because attackers are using these variants against SMBs and the ransom demands are small, most attacks are likely to go undetected and unreported. That leaves an intelligence gap for defenders, one the security community will have to fill.”

Coveware’s recent report noted that the average ransomware payment continues the downward trend: in Q4 2023 it was $568,705, and in Q1 2024 it fell to $381,980.

“It is evident that rather than shoot for the moon with a very high initial demand, many ransomware affiliates are opting for the opposite tactic, and are demanding more reasonable amounts. The intention of this tactic is to keep more victims engaged and at the negotiating table with a reasonable demand versus scaring victims away from even engaging with a fantastical initial demand,” the company said.

Don't miss