Ransomware payment rates drop to new low – only 29% of victims are forking over cash – Source: go.theregister.com

Trusting a ransomware crew to honor a deal isn’t the greatest idea, and the world seems to be waking up to that. The number of victims who chose to pay dropped to a new low of 29 percent in the last quarter of 2023.

The data from ransomware response and negotiation company Coveware continues a downward trend since it began monitoring in 2019, when it said the rate of companies choosing to pay ransomware actors was a whopping 85 percent. The reason for the change, Coveware founder and CEO Bill Siegel states in the company’s latest quarterly report, comes down to awareness. 

Not only are more ransomware victims prepared for the inevitability of attacks by keeping better backups, Siegel points out, but several years of ransomware making top headlines – and associated stories of payments amounting to nothing – have led to a reluctance to trust data kidnappers.

There’s just no honor among thieves, it seems – even digital ones. 

“Q4 was rife with examples of how data assurances can fail, even when interacting with well-known ‘brand established’ ransomware groups,” Siegel says. “Threat actors cannot be trusted to prevent ongoing misuse/publication of stolen data, and … payments to them for these imaginary assurances have zero if not sub-zero value.”

Along with a decrease in overall ransomware payments, Coveware found that payments for data exfiltration-only incidents also hit an all-time low since it began tracking them in 2022. While 53 percent of companies were paying such demands two years ago, only 26 percent did so in the fourth quarter of 2023.

Further proof a ransomware payment ban is a bad move

Coveware’s takeaway is that the world is making progress in dealing with ransomware that a payment ban would completely undo.

“A ban would signal that as a country, we are admitting that we are incapable of defending ourselves,” Siegel states. He adds that early experiments with payment bans have been largely ineffective. The report cites a Florida ban on ransomware payments that took effect on July 1, 2022, noting that “we have not yet seen a decline in attacks inside [Florida and other] states” that have enacted a payment ban, like North Carolina.

• US officials close to persuading allies to not pay off ransomware crooks
• Ransomware payment ban: Wrong idea at the wrong time
• Formal ban on ransomware payments? Asking orgs nicely to not cough up ain’t working
• Be honest. Would you pay off a ransomware crew?

Instead, Siegel offered reporting requirements, like those enacted by the US Securities and Exchange Commission and the Federal Trade Commission, as a major reason for the progress. If a nationwide payment ban were enacted, that progress would be unpicked, the report argues.

“There would still be demand for ransom payment services because people and organizations will do what they must to survive,” says Siegel. Enact a payment ban, and compliance with reporting rules may decrease as companies make payments through offshore accounts and “re-order the flow of money through a new illegal market of service providers.”

Like ransomware criminals themselves, illegal service providers could easily take the money and run.

Safe harbors, encouraging companies to work with law enforcement, and more awareness of how to stay safe is the key, Coveware insists.

“Greater costs must be imposed on the threat actors by changing the incentives of the victims,” Siegel says in the report. “Carrots and sticks are necessary.” ®