A mere five years ago, 85% of companies being extorted by ransomware attacks paid up. The costs of not being able to do business and endangering customers’ private data were just too high not to.
Not anymore: Only 29% of companies paid ransom to malicious hackers in the last quarter of 2023, according to Coveware, a ransomware incident response and recovery firm. The average ransomware payout also dropped by 33% from the third quarter of last year to $568,000 in Q4.
Professional services (22%), healthcare (14%) and government (11%) are the top three targets for ransomware attacks. Small companies with 1 to 100 employees (31%) and mid-sized firms with 100 to 1,000 workers (31%) are the most affected.
Threat actors don’t hold up their end of the bargain anymore
Once upon a time, there was some honor among cyber thieves. After locking up a company’s system, the typical threat actor (TA) would provide the encryption keys to unlock it after getting his/her money. The TA also would delete company data, as promised.
Those days are long gone, says Emil Isner, president of data breach for Dauntless Discovery, which specializes in law firm electronic discovery services. “Some TAs will sell a company’s data to other TAs while they’re negotiating with the company. Then a few weeks or months later, the same company’s dealing with a second ransom attempt.”
Those experiences have led to companies saying “[the TA] isn’t going to erase our data, so why pay?” says Isner. “Which unfortunately is true in many cases – paying ransom won’t necessarily end the threat.”
A few years back, a TA shut down a healthcare provider’s system and demanded a payout. The provider refused to pay. So the TA got creative and contacted patients, telling them their provider was willing to let their protected health information (PHI) be sold on the dark web.
Suffice it to say, angry patients let the provider know they weren’t too happy about it. They demanded the provider take action to protect their PHI.
Companies are coming out ahead due to one smart move
The drop in companies paying ransom is only partly due to TAs not doing as they promise. “Companies are [also] doing a much better job of backing up their data in more than one place,” says Isner. “They’ve learned from other companies’ experiences.
“Now if a company’s attacked, it can see exactly what the TA has. If the TA’s got basic customer data, just a slice of the pie, maybe the company doesn’t meet the TA’s demand. But if a TA gets ahold of a company’s trade secrets, the company might lean toward paying the ransom.
“These aren’t easy decisions for any business,” says Isner. “There are always risks to not paying, so it’s a matter of weighing the risks and moving forward. There’s no question, redundancy in data is such an important step for companies to take.”
And let’s give law enforcement its proper due
One other factor helping companies that are hacked and service providers like Dauntless Discovery is the work of law enforcement. “Police and government agencies are sharing info more quickly and cooperating with each other,” says Isner. “The FBI and Interpol will work together to figure out where a TA is located and try to go after it.”
The FBI frequently warns businesses not to be complacent. Hackers are always changing their tactics to stay ahead of companies’ cybersecurity measures. For example, ransomware pirates attacked MGM Resorts in Las Vegas last year. The attack made guests’ room keys inoperable and made it impossible to use cards to play slot machines.
$1 billion paid out in ransom to hackers in 2023
While it’s true that most companies are doing a much better job of backing up data and avoiding having to pay attackers, the threat of ransomware is still very serious. Several reports note that TAs are demanding higher payouts than five years ago and earlier.
For example, a TA might demand $5 million right off the bat from a company that generated $15 million in revenue the previous year. The company might be able to negotiate the ransom down to an amount it can (barely) afford to pay. Or it might not. TAs appear to be getting greedier all the time, in addition to not fulfilling the promises they make to victims.
Cryptocurrency tracing firm Chainalysis reports that TAs hauled in a record $1.2 billion in ransomware payments last year. Chainalysis notes that TAs “intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.”
The higher ransom amounts contributed to the rise in total money (TAs’ preferred payment type is crypto such as Bitcoin). So did a rise in the number of gangs attempting to extort businesses and government, says Chainalysis.
No wonder that 75% of IT professionals fear a well-honed ransomware attack could put their organizations out of business, according to a Datto report. Small businesses may assume they’ll fly under TAs’ radar but they may be most at risk due to limited IT staff and budgets.
Bottom line: As cyber criminal gangs grow and become more ruthless, businesses will need to strengthen their defenses. For help, the FBI lists a number of steps companies can take to improve their cybersecurity at its website.