Digital Transactions Authoritative, insightful and timely information for payments professionals
Despite a spike in ransomware attacks, fewer companies are paying ransom demands to free their data. A report from ransomware-remediation firm, Coveware Inc. reveals that just 28% of companies hit by a ransomware attack during the first quarter of 2024 paid, a record low.
The trend comes as ransomware attacks soared 130% in January compared to the same month last year.
That fewer companies are paying ransomware demands is part of an ongoing decline that has come as companies find ways to defeat online intruders, according to Westport, Conn.-based Coverware. During the fourth quarter of 2023, for example, just 29% of companies targeted by ransomware attacks paid, the company says.
One reason fewer companies are paying ransomware demands is the implementation of stronger cyber defenses among businesses of all sizes. Stronger defenses are making it possible for companies to “withstand an encryption attack, and restore operations without the need for a threat actor decryption key,” the report says.
Ransomware is a type of malware that encrypts a company’s data, preventing the company from accessing it. Criminals launching ransomware attacks offer to provide a decryption key to unlock the data in exchange for a ransom payment. Criminals will further pressure victims to pay by threatening to publicly release their data if the ransom is not paid. Criminals typically demand the ransom be paid in Bitcoin, which makes it harder for law-enforcement agencies to trace where and to whom the money goes.
Two factors driving the decrease in the number of companies willing to pay ransomware demands are directives from the FBI not to pay ransomware demands and requirements by insurance companies that spell out the cyber defenses companies must have in place to protect against ransomware attacks, says David Mattei, a strategic advisor for Datos Insights.
“The FBI is advising companies that if the monetary incentive for ransomware attacks is taken away by refusing to pay, cybercriminals will move on [to other scams],” says Mattei. “We are also now seeing insurance companies spell out cyber defense requirements and best practices to protect against cyberattacks.”
Also, victims are realizing criminals cannot be trusted even if the ransom is paid. Many criminal organizations will renege on their promise not to publish data after they are paid the ransom, according to Coveware.
“We saw a continuation of long-tailed data-exfiltration defaults by threat actors in [the first quarter], i.e., posting of information on a leak site after payment or ‘hostage trading’ with other groups or individuals, which adds further evidence to the file on the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word,” the Coveware report says.
“A lot of companies are realizing that if a criminal truly has their data, the cat’s out of the bag anyway and paying the ransom won’t guarantee the information [won’t be] resold or made public, says Mattei.
The Coveware report found that just 23% of ransomware victims opted to pay when their incident only involved the publication of stolen data.
“Bolstering the decision against payment has been the resurfacing of previously stolen data, that victims had previously paid to suppress,” the report says. “Much like the lessons being learned by ransomware affiliates, future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”
