Ransomware payments are growing, even as more victims refuse to pay up. Here’s why

Ransomware gangs may have had to work a little harder to bring home the green in 2023. According to recent research by ransomware response and negotiation shop Coveware, the percentage of victims willing to pay up reached an all-time low of 29% in the last quarter of the year.

Coveware’s data has shown sustained year over year drops in payment rates since 2019, when the vast majority of victims (85%) bought decryption keys.

There’s a huge caveat, though. Threat actors responded to low earnings in 2022 with a deluge of attacks, increasing their absolute take throughout 2023 to an all-time high of $1.1 billion, Chainalysis researchers found.

“It feels very gloves-off,” Chainalysis Head of Threat Intelligence Jackie Burns Koven told Wired.

Double jeopardy. Two attorneys who specialize in helping clients prepare for, react to, and resolve cybersecurity incidents told IT Brew the factors shaping executives’ decisions to pay a ransom or not have evolved quickly.

Kari Rollins, partner in the Privacy and Cybersecurity practice at Sheppard Mullin, told IT Brew she had observed a rise in ransomware attacks involving threats to release stolen data—so-called “double extortion” attacks—but these weren’t effective in most cases because most firms have realized disclosure requirements mean they can’t hide breaches from customers or investors.

“The threat of publicity surrounding the ransomware event isn’t as compelling as it used to be,” Rollins said. While some clients still pay, she said the real pressure to do so comes when victims don’t have redundant and/or segregated backups or disaster and business continuity plans, resulting in costly downtime.

Polsinelli attorney Michael Waters said a growing number of his clients either have secure backups or are able to decrypt their systems without the attackers’ keys. The sheer number of attacks in recent years has lessened negative PR from being hit as well, he told IT Brew.

For example, Waters said, a downstream business customer responding to an attack on their third-party service provider could have “dealt with a ransomware event themselves recently.”

Other factors include greed and inherent lack of trust dealing with a blackmailer.

Ransom demands against large enterprises now regularly reach seven or eight figures, Waters told IT Brew—a “big-game hunting” strategy Chainalysis cited as one of the reasons for the rise in absolute ransom earnings.

Faced with absurd demands, Waters said, “organizations are sort of incentivized to figure out a way to restore operations without purchasing the decryption keys, even if it may be difficult or more time consuming.”

“There’s also just very little trust that if a payment is made, the bad actor is going to delete or destroy the data,” he added.

The cybercrime arms race. While attackers may be struggling with better prepared defenders and a loss of leverage relative to the last few years, they are extremely persistent at finding creative new ways to threaten victims, both lawyers said.

Disruption to everyday business operations or losing customer data aren’t the only aces in a ransomware gang’s deck, Rollins told IT Brew. There’s always the chance employees and executives could have stored embarrassing photos and emails inside a corporate network, or that attackers could stumble upon bombshell information.

“If they just happened upon a company that’s in the middle of a potential M&A deal, and it’s not yet public, they could—and I’ve seen this happen—threaten the release and publicity of information around this potential sale,” Rollins said.

Waters said ransomware remains second only to business email compromise as the most common type of incident to afflict his clients, and gangs have become more successful at “deploying the ransomware without being noticed.”

One method is fileless or living off the land (LOTL) attacks, where attackers avoid malware signature detection by abusing legitimate system services. Malwarebytes has observed that LOTL attacks have become a favorite of ransomware-as-a-service gangs, which have exploded in recent years.

Rumblings from the Treasury Department in 2022 that paying ransoms to certain foreign threat actors could violate sanctions law also ended up having limited impact.

That’s because, Waters said, ransomware gangs rarely end up on the Office of Foreign Assets Control (OFAC) list of sanctioned groups. Often that step is only taken after authorities have already disrupted the group in question. Other gangs who manage to get slapped with official sanctions have proven adept at rebranding or regrouping as new entities that technically remain legal to pay off.

“More often than not, if a ransomware group gets added to the OFAC list, we don’t see many more incidents involving that particular ransomware group,” Waters told IT Brew. “It’s pretty rare for the OFAC due diligence to actually connect a bad actor to somebody on that list.”