Declining Ransomware Payments: Shift in Hacker Tactics?

Several cybersecurity advisories and agencies recommend not caving in to ransomware gangs’ demands and paying their ransoms. For a while, though, this advice didn’t stick: organizations tended to panic and quickly pay to get important systems running again or to avoid sensitive data being published. But it seems the tide is turning, with a decline in ransomware payments; this article explores the trend and what it might mean for ransomware tactics.

Plummeting Ransomware Payment Rates  

A couple of recent surveys and reports shed light on a decrease in ransomware payments. One in particular, from Coveware, found that while 85% of ransomware victims paid the ransom in early 2019, that figure had dropped to just 29% by late 2023. That’s a huge reduction, and it comes down to the interplay of several contributing factors:

  • Companies increasingly invest in ransomware-specific defenses, including better backup and recovery procedures, which allow them to restore systems and data without paying ransoms. This reduces the leverage ransomware gangs have over their victims.  
  • There’s been a big push toward educating businesses and individuals about the risks of ransomware and the importance of cybersecurity hygiene. CISA’s Reduce the Risk of Ransomware campaign is a good example of this. As awareness grows, fewer companies are caught off-guard, and more are prepared to handle attacks effectively. 
  • Governments are opting for a harder stance against ransomware gangs by disrupting their operations in coordinated stings, sanctioning companies involved in ransom payments, and generally encouraging victims to report attacks rather than pay the ransom. These actions together reduce the operational capabilities of ransomware gangs and make the ransomware business model less profitable. 
  • On a related note, there’s growing recognition that paying ransoms not only fuels the ransomware economy but also does not guarantee that data will be decrypted or that it won’t be sold or leaked later. There’s less incentive to cave in to pressure when paying guarantees nothing. 

When you dig further into the data from the Coveware report, the median payment sum remains stable, even though the payment rate is steeply declining. So, gangs are still out there attacking businesses with ransomware, and they still have the potential to land a hefty payday.   

How Will Ransomware Tactics Evolve? 

It’s a bit early to assume that ransomware gangs will disappear just because fewer companies pay up. The stable median payment amount shows that there’s still money to be made when gangs pick the right targets. Here are some ways ransomware gangs’ tactics might evolve in response to declining ransomware payment rates.

Exfiltration over encryption

Expect to see more gangs exfiltrating data rather than merely encrypting it. Data theft makes payouts more likely because victims face a binary choice: keep sensitive information confidential or have it published online. An exception might come in industries where the availability of systems takes precedence over information confidentiality (e.g., manufacturing).

More aggressive extortion

Given ransomware gangs’ general lack of moral compass, an obvious potential evolution is for threat actors to extort victims more aggressively and increase the odds of getting paid. Multi-layer extortion is a label that security researchers like to put on any extra layer of a ransom extortion effort. Whatever you want to call it, aggressive harassment seems a likely tactic. This will probably involve directly contacting customers or employees whose data has been encrypted or stolen and spelling out what it would mean for them if their data were published. The result is increased pressure on the organization to pay.

Increased targeting and research

Ransomware groups may spend more time researching and targeting specific industries or organizations they believe are more likely to pay. This could involve focusing on critical infrastructure sectors or tweaking the types of ransomware attacks based on different industries (e.g., using exfiltration against targets with highly sensitive data while aiming more traditional ransomware attacks at companies in industries with low downtime tolerances).

Modernized ransomware code

Ransomware code is often straightforward for security researchers to reverse engineer and inspect. Modernizing ransomware code could involve several strategies aimed at improving the effectiveness, stealth and impact of attacks. One example is to use more evasive encryption, like intermittent encryption, that only partly encrypts files and is harder to detect. Another possible tactic is developing ransomware in more secure languages like Rust, making it harder to analyze how it behaves.

Leveraging insiders

There could be an increase in attempts to recruit or exploit insiders to facilitate ransomware attacks and even increase the impetus to pay up. This could involve bribing employees for access or exploiting disgruntled employees. 

While it’s encouraging to see declining ransomware payments, this doesn’t mean the threat is diminishing. On the contrary, as ransomware gangs evolve their tactics and become more aggressive, the threat landscape becomes even more complex. Modern ransomware can infiltrate individual endpoints and entire cloud infrastructures, which calls for a comprehensive and proactive approach to cybersecurity across endpoints, networks and cloud environments.  

Nuspire’s managed detection and response (MDR) provides you with a team of dedicated cyber experts who monitor and respond 24/7 across your cloud, network and endpoints to stay one step ahead of ransomware attackers. 
