The average ransom payment in ransomware attacks dropped by 34% in Q1 2022 from the all-time high of Q4 2021, according to ransomware incident response firm Coveware. The average and median ransom payments in Q1 2022 were $211,259 and $73,906, respectively.
Several factors contributed to the fall in total ransom payments. Coveware reports that ransomware gangs have been targeting smaller businesses and demanding lower ransoms, because attacks on large companies attract greater scrutiny from law enforcement. The median victim size has been falling since Q4 2020 and now stands at approximately 160 employees. This appears to be the sweet spot: firms with enough revenue to afford a sizeable ransom, but not so large that an attack draws significant attention from the authorities.
A further reason total ransom payments have decreased is that fewer ransomware victims are paying at all. The share of victims that pay a ransom has fallen steadily, from 85% in Q1 2019 to 46% in Q1 2022. In addition, several of the most prominent ransomware operations, such as Maze and REvil (Sodinokibi), have gone quiet.
Conti and LockBit are now the most prolific ransomware operations, accounting for 16.1% and 14.9% of attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware notes that the affiliates who partner with ransomware-as-a-service (RaaS) operations appear less willing to work with the large RaaS groups, since those groups are the ones typically pursued by law enforcement. It is now common for affiliates to work with smaller RaaS operations or to build their own ransomware variants from leaked source code.
The most common initial access vectors in ransomware attacks remain phishing, exposed RDP connections, and exploitation of unpatched vulnerabilities in software and operating systems. Since Q2 2021, Coveware has tracked a rise in other vectors, including social engineering and attacks involving insiders. Social engineering attacks resemble phishing but are highly targeted and usually involve priming or grooming specific employees before persuading them to hand over access. There has also been an increase in lone wolf attackers. Coveware first identified this trend at the end of 2021, and it continued through Q1 2022. These attackers generally target organizations with stronger security than the typical ransomware victim, for example, those with multi-factor authentication correctly enforced for all staff and critical resources.
At the end of 2019, the Maze ransomware operation began using double extortion tactics, in which data is stolen from victims before their files are encrypted. Payment is then demanded both for the decryptor and to prevent the stolen data from being published or sold. These tactics were quickly adopted by many other ransomware operations and became the norm, although attacks combining encryption and extortion declined in Q1 2022. Double extortion was used in 84% of attacks in Q4 2021 and 77% of attacks in Q1 2022. While double extortion is likely to remain widely used for the foreseeable future, Coveware expects the shift from data encryption to pure data extortion to continue, since data theft and naming and shaming victims are less likely to attract the attention of the authorities. Data theft without encryption causes no operational disruption, yet still leaves the criminals able to extort the victim. Coveware says in the report that it expects this move from Big Game Hunting to Big Shame Hunting to continue.
Coveware cautions against paying a ransom to prevent the publication or sale of stolen data, as there is no guarantee that payment will result in the data being deleted. In 63% of attacks where a ransom was paid to prevent stolen data from being posted or sold, the attackers provided no evidence of deletion. In the remaining attacks where proof was provided, that proof can easily be faked. When videos, live screen shares, screenshots, or deletion logs are offered as evidence, victims must simply trust that no copy of the data was kept. In one notable case, Coveware says, a threat actor stated openly that the stolen data would not be deleted after payment and would be retained for future leverage against the victim.