Coveware: Median ransom payments dropped 51% in Q2

Fewer companies paying ransoms coupled with a transition among ransomware-as-a-service groups has led to a steep decline in the median payment.

In a blog post Thursday, Coveware examined ransomware payment trends for the second quarter, including a 51% drop in the median from the previous quarter to just over $36,000. The incident response vendor attributed it to a shift in victim targeting among RaaS groups to the midmarket, which incurs less risk and potentially more reward than high-profile attacks.

While the average payment increased from Q1 to $228,125, overall, it appears efforts to dissuade ransom payments are working, according to Coveware.

The company emphasized that even victims of data exfiltration-only attacks can contribute to a decline in ransomware attacks by not paying.

"We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts," Coveware wrote in the blog post.

Just as large companies have changed tactics on the heels of prominent attacks by investing more in defensive tools and implementing segmentation strategies, RaaS groups are adjusting as well. Over the last year, Coveware observed a significant change in the abilities of ransomware strains.

While variants capable of encrypting non-Windows operating systems were once the minority, now "almost all RaaS variants have stable Windows, Linux and ESXI versions and target every server, regardless of operating system."

Additionally, ransomware groups are disproportionately attacking small to medium- sized businesses compared to large enterprises because they are less expensive to attack due to limited resources and investments in cybersecurity.

Another noteworthy change among RaaS operators occurred in response to increased law enforcement effort.

"Ransomware affiliates seem to have become more leery of involving themselves, or their RaaS brand, in high profile attacks that could lead to increased geopolitical pressure and attention from law enforcement agencies," the blog post read.

For example, Coveware noted the shutdown of DarkSide and Conti following law enforcement action. Darkside was responsible for the high-profile attack on  Colonial Pipeline Company, where authorities recovered over $2 million of the paid ransom by following the cryptocurrency trail.

Conti was behind the attack on the Costa Rican government in April that resulted in a $10 million bounty offered by the U.S. government. While it was not confirmed if the bounty offering was successful, Conti did shut down its website in May.

"The looming question 'What will happen once Conti disappears?' was answered rather quickly; nothing really changed except for the name plates," the blog read.

Conti all but disappeared from the ransomware landscape, with only one reported attack in June, according to research by NCC Group. The research, published earlier this month, showed a decrease in ransomware attacks attributed to the rebranding and transition of Conti affiliates.

Both NCC Group and Coveware observed members transitioning to other groups such as Black Basta and Hive, as well as the most commonly observed strain in Q2, BlackCat. Conti dropped three spots in the ranking from Q1.

While Coveware did observe some positive changes in ransomware payments during Q2, nearly 90% of cases involved a threat of leaking stolen data.

"The proportion of companies that succumb to data exfiltration continues to confound and frustrate Coveware and the IR industry at large," the blog read. "During Q2, we saw continued evidence that threat actors do not honor their word as it relates to destroying exfiltrated data."