Ransomware's Paradox: Why Falling Monetization Rates Are Accompanied by Soaring Ransom Payments

Coveware-Ransom-Payments-Trend-Graph Grab a cup of coffee, and let's talk about something that's been making waves in the cybersecurity world: ransomware. You've probably heard about the alarming rise in ransom payments, but did you know that ransom monetization rates have actually fallen to a record low? It's a complex and evolving landscape, and we're here to break down the recent very interesting Coveware report for you.

The New Numbers

In Q2 of 2023, only 34% of ransomware attacks resulted in the victim paying up, a record low. But don't let that fool you. The average ransom payment has skyrocketed to $740,144, a 126% increase from Q1 2023. How did we get here? Let's explore.

Understanding the Cyber Extortion Opportunity Cost Curve

Imagine a curve that charts the financial impact on the victim against the expected profit for the threat actor. This curve helps us understand different extortion strategies, from low-effort, low-impact attacks to high-cost, high-impact ones.

Phantom Incidents: These are like those annoying spam emails, low impact, and low payout. They're cheap to pull off but rarely successful.
Database Deletion - Spray Attacks: A step above phantom incidents, these attacks wipe databases, are not exfiltrated, but are often not recoverable.
NAS Device Encryption CVE Attacks: These target weakly secured NAS devices, causing real but manageable impact.
Data Exfiltration Attacks: Here, the threat actor steals data and extorts the victim over its public release. It's a high-stakes game.
Encryption Ransomware: The big players. These attacks cause the highest level of impact and have the largest expected profit.

The Changing Face of Ransomware

Threat actors are adapting. Some groups like Dharma and Phobos have become dormant, while others are shifting tactics, tools, and targets. The CloP group, for example, made a staggering sum of money from the MOVEit campaign, despite a very small percentage of victims paying.

The Impact on Industries

As threat actors react to shifts in their economic opportunity costs, we're likely to see changes in industry concentrations. It's a game of cat and mouse, and the landscape is ever-changing.

Ransomware Attack Vectors:

As the unit economics of cyber extortion shift, attack vectors and TTPs shift. Threat actors are increasingly “living off the land”, but demonstrated by CloP, the fields are far more fertile for some groups vs. others. Here are the updated attack vector numbers:

Coveware-Ransomware-Attack-Vectors-Trend-Graph

The upshot

The world of ransomware is complex and ever-evolving. While monetization rates are falling, the stakes are rising, with higher ransom payments and more sophisticated attacks. It's a reminder that investing in security, continuity assets, and security awareness training is more crucial than ever. Full recommended blog post at Coveware.

Let's stay safe out there. Train those users, because the #1 ransomware attack vector is... phishing.

A Master Class on IT Security: Roger Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks; taking time to maximize your organization’s potential damage and their payoff. Protecting your network from this growing threat is more important than ever

Join Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware. You'll learn:

How to detect ransomware programs, even those that are highly stealthy

Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)

The policies, technical controls, and education you need to stop ransomware in its tracks

Why good backups (even offline backups) no longer save you from ransomware