Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that has continued since the last quarter of 2021. Ransomware remediation firm Coveware recently published a report with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

In Q2 2022, the average ransom payment was $228,125 (up by 8% from Q1 2022). However, the median ransom payment was $36,360, a steep fall of 51% compared to the previous quarter. This continues a downward trend since Q4 2021, which represented a peak in ransomware payments, both average ($332,168) and median ($117,116).

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report. “We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.”

The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller, yet financially healthy, organizations to disrupt, the company says.

In terms of the most active ransomware groups over the past quarter, statistics that Coveware collected show that BlackCat tops the list with 16.9% of the published attacks, followed by LockBit, which accounted for 13.1%. Another new trend observed by Coveware is the creation of many smaller Ransomware-as-a-Service (RaaS) operations that draw affiliates from recently defunct syndicates and perform lower-tier, opportunistic attacks.

The double extortion method, in which attackers threaten to leak files stolen before encryption, continued this quarter: 86% of the reported cases involved this tactic.
Coveware underlines that in many cases, despite receiving the ransom payment, the threat actors continued the extortion or leaked the stolen files anyway. For many attackers, data exfiltration was the main extortion method, meaning that a large share of the incidents didn’t involve file encryption at all. This resulted in the average downtime from ransomware attacks dropping to 24 days, an 8% decrease compared to Q1 2022.
When a ransomware incident happens, paying the ransom is generally not advised, as it only emboldens and strengthens attackers to pursue more victims. To best prepare for an attack, organizations should develop an incident response plan that includes identifying the threat, isolating affected systems, maintaining safe and secure backups, and documenting contact information for the appropriate law enforcement and support agencies.