Ransomware in Q1 2024: Frequency, size of payments trending downwards, SMBs beware!


More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found.


Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after the victims have paid the ransom, which repeatedly proves that paying up is no guarantee.

“LockBit was found to still be holding the stolen data of victims that had paid a ransom, and we have also seen prior Hive victims that had paid the extortion, have their data posted on the Hunters International leak site (a reboot / rebrand of Hive),” the company said, noting that “future victims of data exfiltration extortion are getting more evidence daily that payments to suppress leaks have little efficacy in the short and long term.”

Recent events are changing the ransomware ecosystem

With the disruption (temporary or otherwise) of big players like LockBit and Alphv/Blackcat and their attempts to cheat their affiliates of their due share for a successful attack, many affiliates have started searching for a safer port in the storm, and smaller ransomware-as-a-service (RaaS) groups are trying to entice them to join their network.

GuidePoint researchers have recently advised ransomware victims (mostly small and medium-sized businesses) to think twice before paying off smaller/immature RaaS groups as they:

  • Have less to lose if they don’t keep their word
  • Often exaggerate their claims
  • Often re-extort their victims.

Sophos X-Ops has also discovered 19 cheap, crudely constructed ransomware variants that are being sold primarily on dark web forums to wannabe cybercriminals that want to avoid sharing their profits with (and getting ripped off by) RaaS gangs.

“These types of ransomware variants aren’t going to command the million-dollar ransoms like Cl0p and Lockbit but they can indeed be effective against SMBs, and for many attackers beginning their ‘careers,’ that’s enough,” says Christopher Budd, Sophos’…
