SpearTip | February 5th, 2021

In Q4 of 2020, SpearTip, along with the incident response industry, saw average ransomware payments decline by nearly $100,000, the first decline in two years. Anyone paying close attention to the ransomware threat landscape throughout the year would have noticed the increase in payments, so what factors contributed to this Q4 decline after almost a year of steadily increasing payments?

SpearTip’s cyber experts observed the stable growth of average ransomware payments for the first three quarters of 2020. As victims kept paying, threat actors upped the ante. The main factor attributed to the decline is security engineers’ experience in dealing with double extortion. Maze ransomware was the first group to implement double extortion in 2019, and other groups who adopted the method did not always pull it off correctly.

It’s important to realize that when dealing with a threat actor, you are dealing with someone whose commitments should not be trusted. When data is exfiltrated, most ransomware groups communicate to victims that it will be returned and destroyed after payments are exchanged. This is done to incentivize the victim to pay, but problems have arisen when threat actors are found to have not destroyed the data. Instead, in some cases, threat actors collect the ransom, promise not to publish the data, and promptly leak the data on their blog sites.

Another factor that may have played a part in this decline is the news of a major ransomware gang, NetWalker, losing their dark web leak site to law enforcement. Although we learned of this news in late January, it’s likely the site has been revoked for weeks.

Security firms like SpearTip will guide ransomware victims in the right direction during these negotiations. In some cases, there are options for avoiding payment that an internal team may not be aware of. Our engineers negotiate with threat actors regularly and exhaust every option possible before paying the ransom during an incident, which we view as a final choice to recover your data. If your organization has secure backups and the ability to recover after a breach, you’ll be less inclined to make a ransom payment or endure business disruption.

A firm that specializes in executing ransom payments, Coveware, recently published a report on ransomware in Q4 of 2020. Within it, they explain how the decline in payments stems from companies not giving in to the double extortion methods based on the likelihood their data is already published publicly or has been erased completely.

The average ransom request was becoming incredibly costly and the trust in threat actors diminished, so the option of not paying became a better choice. This is likely why we’ve seen this sharp drop in the average ransomware payment. According to Coveware’s report, payments dropped 34% in Q4 2020 from Q3 2020.

We offer Incident Response services, but ideally, the response wouldn’t be needed if you’re appropriately secured beforehand. Our Endpoint Detection and Response (EDR) tool, ShadowSpear®, is a great step to avoid a ransomware attack and can be specifically tailored to suit your organization.

The three modules that make up ShadowSpear® all serve a critical purpose in your endpoint protection. Identify provides enhanced visibility across your entire information security environment, Neutralize provides instant protection against advanced malware threats including authorized remote access and ransomware, and Counter gives our 24-hour Security Operations Center and internal team the ability to immediately react to malicious activity on an endpoint. Utilizing this tool is how you’ll truly outmaneuver your adversaries.

In most cases where ransomware attacks disrupted business operations and payments were made, organizations were not prepared. A saying widely used in the cybersecurity industry is “not if, but when”, so being properly prepared to defend against cyber threats is crucial for the success of your organization and profit maximization.