A global survey that investigated the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors, as in most cases of paying the ransom, the extortion simply continues. This is not a surprising or new discovery, but when seeing it reflected in actual statistics, one can appreciate the scale of the problem in full. The survey was conducted by cybersecurity specialist Venafi, and the most important findings that emerged from the respondents were the following:
- 18% of victims who paid the ransom still had their data exposed on the dark web.
- 8% refused to pay the ransom, and the attackers tried to extort their customers.
- 35% of victims paid the ransom but were still unable to retrieve their data.
As for the ransomware actor extortion tactics, these are summarized as follows:
- 83% of all successful ransomware attacks featured double and triple extortion.
- 38% of ransomware attacks threatened to use stolen data to extort customers.
- 35% of ransomware attacks threatened to expose stolen data on the dark web.
- 32% of attacks threatened to directly inform the victim’s customers of the data breach incident.
The lack of credibility in ransomware actors’ empty promises to their victims stems from several factors. First, most Ransomware-as-a-Service (RaaS) operations are short-lived, so they simply look to maximize their profits in the shortest possible period. As such, they don’t care about long-term reputation. Secondly, many renegade affiliates don’t follow the rules set by the core ransomware operators, and enforcing these rules is rarely considered a priority for these groups. Thirdly, even if the data isn’t leaked right away, the remnants of data breaches may be maintained for a long time in multiple threat actor systems and almost always find their way to the broader cyber-crime community sooner or later.
As Venafi underlines in its report, paying the ransom is only motivating crooks to return for more, as it sends the signal that the victim sees this as the easiest way out of trouble, which is nothing but an illusion. “Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more,” comments Venafi’s vice president, Kevin Bocek. “The bad news is that attackers are following through on extortion threats, even after the ransom has been paid! This means CISOs are under much more pressure because a successful attack is much more likely to create a full-scale service disruption that affects customers.”
The findings above match the findings of another report published by Proofpoint yesterday, which presents the results of a survey of thousands of employees and hundreds of IT professionals across seven countries. 70% of the survey participants report having experienced at least one ransomware attack in 2021. 60% of them opted to negotiate with the attackers, and many of them ended up paying ransom more than once.
The best approach for victims is not to give in to ransomware demands but instead restore systems and data from backups and alert the law enforcement and data protection authorities of the incident. All else is futile considering that all scenarios eventually lead to the same result, with the only difference being the enrichment of ransomware actors and the feeding of their motivation to continue.