The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Only 28% of Ransomware Victims Choose to Pay Ransom

Posted By on Apr 22, 2024

According to the Q1, 2024 ransomware report from the ransomware remediation firm Coveware, ransom payments have fallen to a record low with only 28% of victims opting to pay the ransom to recover files and/or prevent the exposure of stolen data. In Q1, 2019, more than 80% of victims of ransomware attacks paid the ransom, but the percentage has been steadily falling, with only 29% of victims paying up in Q4, 2023, and just 28% in Q1, 2024.

Coveware suggests several reasons for the decline in payments, including better preparation and more advanced protective measures that allow victims to recover files without having to pay the ransom, legal pressure on victims not to give in to demands, and growing distrust of ransom groups. There have been an increasing number of attacks where payment has been made only for the attackers to continue to leak data or trade stolen data with other groups. For instance, the recent Blackcat ransomware attack on Change Healthcare saw the operators pocket the $22 million ransom payment and not pay the affiliate, who switched to the RansomHub group, which started leaking the data to pressure Change Healthcare into paying another ransom payment.

Coveware also reports that the confidence of ransomware affiliates has been shaken by recent law enforcement operations against LockBit and BlackCat. While groups were able to recover from the takedowns, the operations demonstrated that ransomware groups are not beyond the reach of Western law enforcement agencies. Further, the actions of the groups following the attacks have not helped to restore affiliates’ confidence. Both groups have had public disputes with affiliates and refused to pay them their cut of the ransoms, and coupled with the risk of having their identities discovered by law enforcement, many have chosen to quit conducting attacks for those groups and potentially quit ransomware altogether.

Based on the attacks where Coveware has been engaged to assist with recovery, Akira is now the dominant group with a market share of 21%, followed by Blackbasta and Lockbit which each have a 9% share, medusa, Phobos, and BlackCat with 6%, and Rhysida, BlackSuit and Inc Ransom with a 4% market share. BlackBasta has returned to the list of top ransomware groups, which suggests that affiliates have been leaving BlackCat and Lockbit, while the increase in Phobos attacks suggests that some affiliates are choosing to set up their own operations.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

There has been a trend for increasing ransom payments since 2019 and a sharp increase in payments in Q1, 2023; however, by Q3, 2024, ransom payments started to fall. That fall has continued, with Q1, 2024 seeing an average payment of $381,980, down 32% from the previous quarter. Median payments have been increasing slowly and jumped by 25% to $250,000 in Q1, 2024. This is due to ransomware groups demanding more reasonable payments to increase the likelihood of being paid.

The threat of publication of stolen data is often enough to get victims to pay up. 23% of victims who were only faced with the threat of publication of their data chose to pay the ransom in Q1; however, there is no guarantee that the stolen data will be deleted. The law enforcement disruption of LockBit confirmed that the group still held a lot of data from attacks where the victims had paid to have their data deleted. There have been several cases where payment has been made to one group, only for the data to be provided to another ransomware group for re-extortion.

Coveware tracks the ransomware vectors used to gain initial access to networks; although that is becoming increasingly difficult, with the initial access vector unclear in more than 40% of Q1, 2024 attacks. Remote access compromise is the most common of the confirmed attack vectors, with software vulnerabilities and phishing both in decline. It is also common for multiple attack vectors to be used to achieve an extortion-level impact. While few sectors have escaped ransomware attacks, in Q1, 2024, healthcare was the worst affected industry, accounting for 18.7% of attacks, followed by professional services (17.8%), the public sector (11.2%), and consumer services (10.3%).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist