Ransomware payments are declining as more victims refuse to pay
Coveware data shows that the average payment decreased by 34% to £112,800 in the fourth quarter of 2020
The average ransom payment to hackers decreased by more than a third in the fourth quarter of 2020 as more victims opted not to pay up.
That’s according to cyber security company Coveware, which found a sharp decline in the average and median payments that ransomware victims paid to attackers.
UK ransomware attacks surged 80% in latest quarter The truth about ransomware Ryuk ransomware earnings top $150 million
Coveware’s data, gathered from ransomware incidents the company helped companies respond to in Q4 2020, showed that average ransomware payments decreased by 34% to $154,000 (around £112,800) while median payments dropped 55% from $110,532 (£81,000) to $49,450 (£36,000) over the same period.
The findings indicate a reversal of a trend that saw average ransom payments steadily increase since at least Q4 2018. There was even an increase between the first and third quarter of last year, with average payments increasing from $111,605 (£81,000) to $233,817 (£171,000).
Coveware’s data also showed that fewer organisations gave in to cyber extortion demands if they had a chance to recover data from backups during the final quarter of 2020. Although seven in ten of the ransomware attacks responded to last quarter involved data exfiltration and the use of stolen data as leverage to try and force victims to pay, Coveware noted that victims are beginning to realise that doing so is unlikely to prevent the release of stolen data.
Around 60% of ransomware victims opted to pay in Q4, according to the findings, compared with almost 75% in the previous quarter, and Coveware noted that it continues to witness signs that stolen data is not deleted or purged after payment.
RELATED RESOURCE
The total economic impact of IBM Security Verify
Cost savings and business benefits enabled by IBM Security Verify
"Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur," the security firm said. "These tricks and tactics put a premium on ensuring that threats are thoroughly validated."
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Phishing emails and exploitation of Remote Desktop Protocol (RDP) are the most common methods for ransomware attacks, the cyber security company found.
This is the first quarter since Coveware has been tracking data that RDP compromise has not been the primary attack vector. The company said that malware such as Trickbot and Emotet favour widespread phishing campaigns as their primary delivery mechanism.
"Unlike ransomware malware, these threats possess worming capabilities that allow them to stealthily proliferate through a high volume of enterprise networks," Coveware commented. "There they lay down secure footholds that are sold further down the supply chain to ransomware actors. We expect a reshuffling of attack vectors to occur in the wake of the Emotet takedown."
Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services.
Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 and 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.
You can check out Carly's ramblings (and her dog) on Twitter, or email her at hello@carlypagewrites.co.uk.
-
Working with the enemy: Ransomware negotiator-turned cyber criminal jailed after working with hackers to extort clientsNews Angelo Martino was supposed to be negotiating on behalf of victims, but was secretly working for ransomware operators
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation

