Double-extortion ransomware attacks were down in the first quarter of 2022, according to new research published by incident response vendor Coveware.
Coveware's report, published Tuesday, focused on ransomware trends observed in the first quarter of this year. At the center are double-extortion ransomware attacks, the practice of a threat actor using both encrypted data and the threat of leaking stolen data to extort ransom payments out of victims.
Coveware said 77% of ransomware cases it tracked utilized double-extortion tactics, down from 84% in Q4 of 2021. Coveware suggested in its report that this will likely continue due to threat actors looking for less disruptive ways to extort money from victims, one way being attacks that threaten to leak data without encrypting it.
"One of the lessons learned from the pipeline attacks is that massively disrupting very large companies can bring law enforcement attention and even geopolitical attention from an attacker's home country," the report read. "Data theft without encryption results in no operational disruption, but preserves the ability of the threat actor to extort the victim."
Other key data points in the quarterly report showcased positive trends in the fight against ransomware. Coveware said 46% of tracked victims paid a ransom to threat actors in Q1 of 2022. While this is up from 42% the previous quarter, the report pointed out that this is down from 85% in Q1 2019.
Coveware said that "this is what progress looks like against ransomware."
"It is slow. There is no single variable that explains it, but it is fact," the report read. "This fight will not be over by next quarter, but if this trend continues, the frequency and severity of this problem may look very different several years from now. In an industry where it can sometimes feel quite futile, our message to IR first responders, defenders, and LE [law enforcement] agents is … persistence will pay off for the good guys in the long term."
The average and median ransomware payments are also down this quarter. The average ransom payment was $211,529 (down 34% from Q4 2021) and the median was $73,906 (down 37%). Coveware attributed the drops to several factors, including fewer companies paying, a "diffusion" of threat actors and fewer large enterprises being attacked.
Coveware isn't the only security vendor to report a decline in ransom payments. In a recent report on ransomware trends, Check Point Software Technologies and cyber-risk quantification provider Kovrr also observed a steep decline over the past two years in the percentage of victims that paid a ransom.
While there are still so-called "big game" attacks against large enterprises, the Coveware report said ransomware "continues to predominantly be a small/medium sized business problem." Coveware said it expects this to continue due to an effort to avoid law enforcement.
"We expect the mid market to continue to bear the brunt of attacks as threat actors try to find a balance between NOT attacking companies so large as to end up in the papers, but also NOT attacking companies so small that they are not able to earn sufficient ransom proceeds," the report read.
Alexander Culafi is a writer, journalist and podcaster based in Boston.