The average ransom paid to cyber criminals following a ransomware attack is falling as more companies become reluctant to give in to extortion demands.
Analysis by cybersecurity company Coveware has found that the average ransom payment paid following a ransomware attack decreased by a third in the final quarter of 2020, dropping to $154,108 from $233,817 during the previous three months.
The company attributes the drop in the average ransom payment to victims choosing not to give in to demands to pay bitcoin in exchange for the decryption key, which the criminals claim will restore the network to working order.
While it's positive that a higher percentage of these victims are choosing not to pay cyber criminals, there's still a large number of organisations that do give in – allowing ransomware to continue to be successful, even if those behind attacks have been making slightly less money. However, it might be enough for some ransomware operators to consider whether the effort is worth it.
"When fewer companies pay, regardless of the reason, it causes a long-term impact, that compounded over time can make a material difference in the volume of attacks," said a blog post by Coveware.
The rise in organisations choosing not to give in to extortion tactics around ransomware has also led the gangs to change their tactics, as shown by the increase in ransomware attacks where criminals threaten to leak stolen data if the victim doesn't pay. According to Coveware, these accounted for 70% of ransomware attacks in the final three months of 2020 – up from 50% during the previous three months.
Researchers note that even if the ransom is paid, there's no guarantee that criminals will delete the stolen data; they may instead use it for other malicious purposes, something organisations may weigh when deciding whether to pay.
And, as cybersecurity companies and law enforcement agencies warn, any payment made following a ransomware attack just motivates the criminals to continue attacks.
Phishing emails and exploitation of Remote Desktop Protocol (RDP) are the most common ways ransomware enters networks. While a phishing email relies on victims opening malicious documents or links to set the attack in motion, RDP doesn't need an individual in the victim organisation to be involved at all, because attackers are able to abuse leaked credentials.