Ransomware payments are declining as more victims refuse to pay

The average ransom payment to hackers decreased by more than a third in the fourth quarter of 2020 as more victims opted not to pay up.

That’s according to cyber security company Coveware, which found a sharp decline in the average and median payments that ransomware victims paid to attackers.

Coveware’s data, gathered from ransomware incidents the company helped companies respond to in Q4 2020, showed that average ransomware payments decreased by 34% to $154,000 (around £112,800) while median payments dropped 55% from $110,532 (£81,000) to $49,450 (£36,000) over the same period.

The findings indicate a reversal of a trend that saw average ransom payments steadily increase since at least Q4 2018. There was even an increase between the first and third quarter of last year, with average payments increasing from $111,605 (£81,000) to $233,817 (£171,000).

Coveware’s data also showed that fewer organisations gave in to cyber extortion demands if they had a chance to recover data from backups during the final quarter of 2020. Although seven in ten of the ransomware attacks responded to last quarter involved data exfiltration and the use of stolen data as leverage to try and force victims to pay, Coveware noted that victims are beginning to realise that doing so is unlikely to prevent the release of stolen data.

Around 60% of ransomware victims opted to pay in Q4, according to the findings, compared with almost 75% in the previous quarter, and Coveware noted that it continues to witness signs that stolen data is not deleted or purged after payment.

"Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur," the security firm said. "These tricks and tactics put a premium on ensuring that threats are thoroughly validated."

Phishing emails and exploitation of Remote Desktop Protocol (RDP) are the most common methods for ransomware attacks, the cyber security company found.

This is the first quarter since Coveware has been tracking data that RDP compromise has not been the primary attack vector. The company said that malware such as Trickbot and Emotet favour widespread phishing campaigns as their primary delivery mechanism.

"Unlike ransomware malware, these threats possess worming capabilities that allow them to stealthily proliferate through a high volume of enterprise networks," Coveware commented. "There they lay down secure footholds that are sold further down the supply chain to ransomware actors. We expect a reshuffling of attack vectors to occur in the wake of the Emotet takedown."