Coveware: Median ransomware payment down 40% in Q2 2021

Coveware CEO Bill Siegel said that the efficacy of using data leak threats to obtain ransomware payments has gone down because 'you don't get anything in return when you pay.'

The median ransomware payment declined 40% between the first and second quarter of this year, according to new research from incident response vendor Coveware.

In a blog post Friday, titled "Q2 Ransom Payment Amounts Decline as Ransomware becomes a National Security Priority," Coveware included new ransomware statistics as well as various observations about the present and future state of ransomware as of the second quarter of 2021.

Coveware highlighted the various efforts by politicians and law enforcement to curb the spread of ransomware, though these are presented in the blog as having a greater potential future impact rather than an immediate one. The rest of the report was dedicated to trends and statistics about the last few months in ransomware activity.

Potentially the most striking of these statistics is that the median ransom payment in Q2 2021 was $47,008, down 40% from Q1. Meanwhile, the average ransom payment was $136,576, down 38% from the first quarter. The declines indicate a reversal of the trend of increasing ransom demands and payments in recent years.

The blog primarily attributes this decrease to "a growing number of disparate Ransomware-as-a-Service brands that have proliferated recently, and which have diluted the concentration of attacks controlled by just a few." Coveware also pointed to the lower prevalence of high-demand groups like Ryuk and Clop, and observed that "the efficacy of data exfiltration as an overall tactic appears to also be diminishing": 81% of Q2 ransomware attacks included threats to leak stolen data, up 5% from Q1, yet payments still fell.

Coveware CEO and co-founder Bill Siegel said paying to prevent a leak of sensitive data doesn't hold much value, and organizations are now realizing this.

"Victims are starting to recognize that you don't get anything in return when you pay to prevent a leak," Siegel told SearchSecurity in an email. "Unlike a decryption key, which may actually unlock data that would otherwise be unrecoverable, paying to prevent a leak actually has no value to the victim as they are obligated to do all their mandatory notifications regardless of if their data is posted to a leak site or not. Once a threat actor removes data from their network, they have a liability to deal with. Paying just increases their own costs."

The average organization downtime following ransomware attacks also decreased in Q2 to 23 days, a 15% drop. Coveware chalked this decrease up to "a higher proportion of attacks that only involved data theft (and thus caused no material business interruption)."

Other notable trends from the blog include the list of the most common ransomware variants and most common attack vectors. Sodinokibi, also known as REvil, and Conti V2 were the most prominent variants in Q2, unchanged from Q1 (though REvil's recent disappearance may change this in future quarters); the most common attack vectors were Remote Desktop Protocol compromises and email phishing, though the use of software vulnerabilities continues to trend upward in prominence.

SearchSecurity asked Siegel whether organizations are getting better at preparing for ransomware, whether through cold storage or more resources devoted to user education.

"It is slow, but I think it is changing," he said. "This is not something we are going to notice overnight, but I think 12 months from now it will be different (for the better)."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
