Why ransomware victims are deciding not to pay up

It appears ransomware victims are less willing to give in to cybercriminals and pay up, according to a recent report by ransomware incident response platform Coveware.

Commercial clients are considering the tradeoffs and are increasingly opting not to hand over the cash, Coveware says in its report. The average ransomware payment dropped by more than one-third in 2020 Q4.

“Ransomware groups continue to leverage data exfiltration as a tactic,” the report states. “However, the trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying.

“As a result, fewer companies are giving in to cyber extortion when they are able to recover from backups. This inflection led to a large decline in average ransom amounts paid. Stemming the tide of cyber extortion will only happen if the industry is starved of its profitability. This trend was a distinct positive during Q4.”

In 2020 Q4, Coveware reported the average ransom payment was $154,000 — a drop of 34% compared to the previous quarter. When looking at median payments, that number sat at $49,450 — a drop of 55% from the third quarter of last year.

Those numbers had been on a steady rise since early 2019, jumping sharply as the COVID-19 pandemic took effect in the second quarter of last year. That’s when most employees in Canada moved to a work-from-home model. Cyber claims spiked as people worked from less secure networks at home and were unable to verify emails that were phishing attempts by cybercriminals.

iStock.com/mikkelwilliam

“With more companies falling victim, more are having the opportunity to constructively consider the tradeoffs, and are increasingly choosing not to pay,” the report said. “Attacking the raw economics of the cyber extortion economy from multiple angles is the best way to retract the volume of attacks. When fewer companies pay, regardless of the reason, it causes a long-term impact that compounded over time can make a material difference in the volume of attacks.”

Despite this apparent trend, profit margins for cybercriminals are still “very high” and the risk of being arrested is low, Coveware noted. It added that phishing attempts are still the primary attack vector.

Among your commercial clients, small businesses are most at risk of ransomware attacks. However, cybercriminals are increasingly targeting mid-market companies. Those falling victim to ransomware attacks in 2020 Q4 employed a median of 234 people.

“Mid-market companies are being found more frequently in the crosshairs of ransomware actors. These companies typically are just as easy to penetrate, and have a greater capacity to pay versus very small businesses,” Coveware said.

Insurance companies made up 2.8% of cybercrime targets. Healthcare (17.9%), professional services (16.3%) and consumer services (11.9%) made up the Top 3.

“In general, small companies are less likely to have dedicated IT security staff,” Coveware said. “Small service firms are more likely to have network structures that are flat, and simple access control policies that are not well maintained. These firms also do not consider themselves prime targets for ransomware, and are not taking the steps needed to keep themselves safe.  These vulnerabilities make them a low-hanging fruit and a cheap target.”

Business interruption was the biggest cause of losses, with the average downtime pegged at 21 days. That’s up two days (11%) from the previous quarter.

Feature image by iStock.com/AndreyPopov