Ransomware actors have had a rocky start to 2024, according to statistics from cybersecurity firm Coveware. Companies are increasingly refusing to give in to extortion demands, and only 28% of companies paid a ransom in the first quarter of the year, a record low. This figure marks a notable decrease from the 29% reported in the final quarter of 2023. Coveware's data shows a consistent trend since early 2019 of a diminishing rate of ransom payments.
The decline in ransom payments can be attributed to several factors. Organizations are implementing more sophisticated protective measures to fortify their defenses against ransomware attacks. Additionally, mounting legal pressure discourages companies from capitulating to cybercriminals' financial demands. Moreover, ransomware operators frequently breach promises not to disclose or sell stolen data even after receiving payment, further eroding trust in the extortion process.
Despite the decrease in the payment rate, the overall amount paid to ransomware actors has surged to unprecedented levels. According to a report by Chainalysis, ransomware payments reached a staggering $1.1 billion in the previous year. This surge in payments is fueled by ransomware gangs targeting a larger number of organizations and demanding higher ransom amounts to prevent the exposure of stolen data and provide victims with decryption keys.
In the first quarter of 2024, Coveware reports a significant 32% quarter-over-quarter drop in the average ransom payment, which now stands at $381,980. Conversely, the median ransom payment has seen a 25% quarter-over-quarter increase, reaching $250,000. Together, the lower average and the higher median suggest a shift towards more moderate ransom demands, with fewer high-value targets succumbing to extortion.
Examining the initial infiltration methods used by ransomware operators reveals a rising number of cases where the method is unknown, accounting for nearly half of all reported cases in the first quarter of 2024.
Among the identified methods, remote access and vulnerability exploitation play a significant role, with certain CVE flaws being widely exploited by ransomware operators.
The recent disruption of the LockBit operation by the FBI has had a profound impact on the ransomware landscape, reflected in Coveware's attack statistics. This law enforcement action has not only disrupted major ransomware gangs but has also led to payment disputes and exit scams, such as those witnessed with BlackCat/ALPHV.
Furthermore, these law enforcement operations have eroded the confidence of ransomware affiliates in ransomware-as-a-service (RaaS) operators, prompting many affiliates to operate independently. Some affiliates have even opted to exit cybercrime altogether, fearing the increased risk of legal consequences and the potential loss of income.
Amidst these developments, one ransomware strain stands out as particularly active: Akira.
This strain has remained the most active ransomware in terms of attacks launched in the first quarter of the year, maintaining its position for nine consecutive months. According to the FBI, Akira is responsible for breaches in at least 250 organizations and has amassed $42 million in ransom payments.
Implementing robust protective measures, staying informed about emerging threats, and fostering collaboration with law enforcement agencies are essential strategies for mitigating the risks posed by ransomware attacks and safeguarding sensitive data from malicious actors.