In the last quarter of 2023, the share of ransomware victims who paid the ransom fell to 29%, a record low, according to ransomware negotiation firm Coveware. The decline began to take shape in mid-2021, when the payment rate dropped to 46%, having peaked at 85% in early 2019.
Chart: ransom payment rate over time (Source: Coveware)
According to Coveware, the reasons for this continued decline are multi-factorial, including businesses being better prepared, a lack of trust in cybercriminals' promises not to release stolen data, and legal pressure in some regions where paying ransoms is illegal.
Coveware found that even in attacks where data was stolen, the cases in which victims would normally feel the most pressure to pay in order to prevent a leak, the payment rate last quarter was only 26%.
Not only have fewer victims paid ransoms, but the amounts paid have also decreased.
Coveware reports that the average ransom payment in the fourth quarter of 2023 was $568,705, a 33% decrease from the previous quarter, while the median ransom payment was $200,000.
Source: Coveware
The median size of victim organizations also declined in Q4'23, reversing a trend that began in Q2'22, when attackers, anticipating falling payment rates, shifted toward larger companies in the hope that bigger individual payouts would make up the difference.
Source: Coveware
In addition to the above statistics, Coveware's report also touches on the issue of controversial ransom payment bans and how these bans impact targeted organizations and the cybercriminal community.
As the cybersecurity firm explains, while a ban may seem like a good idea in theory, in practice it's far from simple.
Coveware believes that if the United States or other heavily targeted countries were to impose national bans, businesses would likely stop reporting these incidents to authorities and instead turn to illicit service providers acting as intermediaries to pay quietly.
The company predicted that if such a law were enacted, a massive illegal market would be created overnight, undoing all the progress made in bringing victims closer to law enforcement.
Coveware's report states: "A significant number of these victims will quickly calculate the risk (risk of serious damage to the company vs. fines and penalties) and then continue to navigate the illicit service provider market. To be sure, some companies will still report, but any victim who even considers paying or chooses to pay will absolutely remain silent because if they report, they will be admitting a crime."
Instead, Coveware recommends doubling down on existing mechanisms and initiatives that make profiting from ransomware increasingly difficult, including:
Strengthen reporting frameworks and due diligence on ransom payments, encouraging detailed disclosures and structured decision-making.
Provide a safe harbor for proactive reporting and compliance, while introducing mandatory reporting requirements to facilitate cooperation with law enforcement.
Impose hefty fines on organizations for non-disclosure of incidents, while avoiding personal liability for CISOs so that the talent pool is not driven out of the field.
Emphasize long-term cooperation with law enforcement and clarify ongoing reporting obligations so that investigations can proceed effectively.
Focus on strategic measures that make paying the ransom both less attractive and more difficult, thereby weakening the viability of ransomware as a profitable attack vector.
Unfortunately, as 2024 begins, ransomware remains a major challenge to global cybersecurity and has proven highly resistant to existing countermeasures.
Nonetheless, the observed decrease in ransom payment rates is a positive trend and indicates that concerted efforts to combat this problem are steering the situation in the right direction.