Average Ransomware Payment

SpearTip | February 5th, 2021

 

In Q4 of 2020, SpearTip, along with the rest of the incident response industry, saw average ransomware payments decline for the first time in two years, by nearly $100,000. Anyone paying close attention to the ransomware threat landscape throughout the year would have noticed the increase in payments, so what factors contributed to this Q4 decline after almost a year of steadily increasing ransomware payments?

Average Ransomware Payments In Decline

SpearTip’s cyber experts observed the stable growth of average ransomware payments for the first three quarters of 2020. As victims kept paying, threat actors upped the ante. The main factor attributed to the decline is security engineers’ experience in dealing with double extortion. Maze ransomware was the first group to implement double extortion in 2019, and other groups that adopted the method did not always pull it off correctly.

It’s important to realize that when dealing with a threat actor, you are dealing with someone whose commitments should not be trusted. When data is exfiltrated, most ransomware groups communicate to victims that it will be returned and destroyed after ransomware payments are exchanged. This is done to incentivize the victim to pay, but problems have arisen when threat actors are found to have not destroyed the data. Instead, in some cases, threat actors collect the ransom, promise not to publish the data, and promptly leak the data on their blog sites.

Another factor that may have played a part in this decline is the news of a major ransomware gang, NetWalker, losing their dark web leak site to law enforcement. Although we learned of this news in late January, it’s likely the site has been revoked for weeks.

Security firms like SpearTip will guide ransomware victims in the right direction during these negotiations. In some cases, there are options for avoiding payments that an internal team may not be aware of. Our engineers negotiate with threat actors regularly and exhaust every option possible before paying the ransom during an incident, which we view as a final choice to recover your data. If your organization has secure backups and the ability to recover after a breach, you’ll be less inclined to make a ransom payment or endure business disruption.

A firm that specializes in executing ransom payments, Coveware, recently published a report on ransomware in Q4 of 2020. Within it, they explain how the decline in payments stems from companies not giving in to the double extortion methods based on the likelihood their data is already published publicly or has been erased completely.

The average ransom request was becoming incredibly costly and the trust in threat actors diminished, so the option of not paying became a better choice. This is likely why we’ve seen this sharp drop in the average ransomware payment. According to Coveware’s report, payments dropped 34% in Q4 2020 from Q3 2020.

We offer Incident Response services, but ideally, the response wouldn’t be needed if you’re appropriately secured beforehand. Our Endpoint Detection and Response (EDR) tool, ShadowSpear®, is a great step to avoid a ransomware attack and can be specifically tailored to suit your organization.

The three modules that make up ShadowSpear® all serve a critical purpose in your endpoint protection. Identify provides enhanced visibility across your entire information security environment, Neutralize provides instant protection against advanced malware threats including authorized remote access and ransomware, and Counter gives our 24-hour Security Operations Center and internal team the ability to immediately react to malicious activity on an endpoint. Utilizing this tool is how you’ll truly outmaneuver your adversaries.

In most cases where ransomware attacks disrupted business operations and ransomware payments were made, organizations were not prepared. A saying widely used in the cybersecurity industry is “not if, but when”, so being properly prepared to defend against cyber threats is crucial for the success of your organization and profit maximization.


Frequently Asked Questions

How have law enforcement agencies been successful in targeting and apprehending ransomware operators?

Law enforcement agencies have achieved success in targeting and apprehending ransomware operators through a combination of international cooperation, improved intelligence sharing, and dedicated cybercrime units. These agencies often collaborate with private cybersecurity firms and utilize sophisticated digital forensic techniques to trace the flow of ransom payments, identify the perpetrators, and initiate legal actions against them.

What strategies and technologies are being employed by organizations to bolster their cybersecurity defenses against ransomware attacks?

Organizations are adopting various strategies and technologies to enhance their cybersecurity defenses against ransomware attacks. These include regular employee training on phishing and social engineering awareness, implementing multi-factor authentication, employing advanced endpoint protection solutions, conducting regular vulnerability assessments and penetration testing, implementing network segmentation, and regularly backing up critical data offline or to secure cloud storage. Additionally, many organizations are investing in threat intelligence services and partnering with cybersecurity firms to continuously monitor and respond to emerging threats.

Are there any emerging trends or new tactics being observed in the ransomware landscape that could potentially impact the decline in average ransomware payments?

The ransomware landscape is continually evolving, and several emerging trends and tactics have the potential to impact the decline in average ransomware payments. These include the rise of double extortion attacks, where threat actors not only encrypt data but also steal sensitive information to pressure victims into paying, as well as the increasing targeting of specific industries or critical infrastructure. Additionally, the use of decentralized or anonymized cryptocurrencies for ransom payments and the availability of ransomware-as-a-service (RaaS) platforms contribute to the complexity of the threat landscape. Continuous monitoring of these trends is crucial to stay ahead of evolving ransomware tactics.
