In the second quarter of 2023, Coveware reports a drop in the rate of ransomware victims choosing to pay, falling to a record low of 34%. This decrease reflects the growing efforts of companies to invest in improved security measures, continuity assets, and incident response training.

Key points

1. Record Low Payment Rates

  • The percentage of ransomware victims choosing to pay the ransom has dropped to an all-time low of 34%.

2. Cyber Extortion Opportunity Cost Curve

  • This model helps to understand the shifts within the cyber extortion economy by comparing different extortion strategies and their outcomes.

3. Attack Methods and Their Impact

  • Low-Impact Attack: Using previously leaked credentials to steal a single file from a small business. This results in very low costs and similarly low potential profits.
  • High-Cost Attack: Involves spending a large sum on acquiring a 0-day vulnerability, followed by weeks of reconnaissance and lateral movement. This results in a very high ransom demand to recoup costs and make a profit.

4. Types of Attacks

  • Phantom Incidents: Low-cost, low-profit, mass-orchestrated social engineering attempts that hope to trick victims into paying small ransoms.
  • Database Deletion ‘Spray’ Attacks: A level above phantom incidents with the actual database being wiped, presenting a slightly higher risk and potential profit.
  • Data Exfiltration Only (DXF) Attacks: Threat actors steal data and extort victims over its public release, resulting in medium potential profits but also considerable risk.

5. Ransom Payment Trends

  • The average ransom payment has increased dramatically to $740,144, a 126% increase from Q1 2023.
  • The median ransom payment rose to $190,424, up 20% from Q1 2023.

6. Encryption Ransomware

  • These attacks involve substantial effort and cost on the part of the threat actors but also cause significant damage to the victims.
  • Despite the high costs involved, this type of attack has the highest expected profit.

Despite this promising trend, threat actors and the cyber extortion economy continue to evolve their attack strategies and tactics. The Cyber Extortion Opportunity Cost Curve is a model for understanding these shifts: it studies various extortion strategies and their effects on the cyber extortion economy.

The model considers the total expected profit for a threat actor and how this might be influenced by various attack methods. For example, a low-impact attack using leaked credentials to steal a single file incurs minimal cost but similarly yields low potential profit. On the other hand, a high-cost attack involving acquisition of a 0-day vulnerability, followed by weeks of reconnaissance and lateral movement, could result in a much larger ransom demand, aiming to cover the incurred costs and generate profit.

Phantom incidents, a form of mass-orchestrated social engineering, yield low profits but are also low cost, and therefore remain economically viable. Database deletion ‘spray’ attacks are a step above phantom incidents in both potential profit and risk, because the database in question is actually wiped.

Data exfiltration only (DXF) attacks involve the theft of data with the threat of public release. Their potential profit is medium, but this type of attack experienced a significant shift in the second quarter: the success rate of extorting victims in DXF-only attacks has been decreasing despite the rise in ransom demands, as evidenced by the CloP ransomware group and their MOVEit campaign.

In Q2 2023, the average ransom payment jumped to $740,144, a 126% increase from Q1, while the median ransom payment rose to $190,424, a 20% increase from Q1. Despite these increases, the number of victims who negotiated or paid the ransom was minuscule, indicating a strategic shift in response to threat actor behavior.

Lastly, encryption ransomware involves considerable effort and cost for threat actors but also causes significant impact to victims, and it continues to yield the highest expected profit for threat actors. The comprehensive report on these trends can be found on the Coveware website.