
Coveware: Rate of victims paying ransom continues to plummet

Incident response firm Coveware said 34% of ransomware victims paid the ransom in Q2 2023, a sharp decline from last quarter and an enormous decline from 2020 and 2019.


Incident response firm Coveware said just 34% of ransomware attacks resulted in a victim paying in the second quarter of 2023, which the company said represented a "record low."

In a blog post on Friday, Coveware said the drop represents "compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training." The figure is a decline from 45% in Q1 of this year, from 77% in Q3 2020 and from 85% in Q1 2019.

However, as the firm's blog post noted, threat actors continue to innovate and evolve their attack tactics. A core piece of this is the rise of attacks only using data exfiltration (which Coveware referred to as DXF). In this format, the threat actor steals a victim's data and threatens to leak it as a means of extortion but does not encrypt the victim's network like conventional ransomware.

"DXF-only attacks do not cause material business disruption like encryption impact but can cause brand damage and create notice obligations. The probability of a ransom being paid is less than 50%, but the ($) of a ransom demand on DXF only attacks is relatively high. This creates a medium level of expected profit on average," Coveware wrote.

This style of attack has become more frequent in recent months. Though attackers have different means and motivations, threat analysts believe encryption-less attacks bring a lower risk of law enforcement intervention than attacks that shut down or disrupt an enterprise or critical service.

A notable recent example is the Clop ransomware gang's campaign against customers of Progress Software's MoveIt Transfer product, which began at the end of May and has claimed hundreds of confirmed and likely victims. A threat actor associated with the Clop ransomware gang exploited a zero-day vulnerability in MoveIt Transfer to access the instances of hundreds of customers and steal confidential data.

While the MoveIt Transfer attack did not feature actual ransomware that encrypted victims' data and systems, the Clop ransomware gang has published the data of dozens of organizations that refused to pay the demanded ransom.

Security experts expressed mixed opinions to TechTarget Editorial earlier this month about how lucrative the campaign had been from Clop's perspective. Coveware's blog provided insight, estimating that Clop could earn $75-100 million from the MoveIt Transfer attacks "from just a small handful of victims that succumbed to very high ransom payments."

"While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very, very small percentage of victims bothered trying to negotiate, let alone contemplated paying," the blog post read. "Those that did pay, paid substantially more than prior CloP campaigns, and several times more than the global Average Ransom Amount of $740,144 (+126% from Q1 2023)." The median ransom payment, for comparison, was $190,424 (up 20% from Q1 2023).

Asked why victims would pay millions of dollars for data stolen from a managed file transfer product, Coveware CEO and co-founder Bill Siegel said it would be "because they are concerned that the public release of the stolen data will cause brand and PR damage."

Coveware said 29% of DXF attack victims paid the ransom in Q2, down from 53% in Q1 2022. Siegel said he felt extortion-only attacks were at a "tipping point," where fewer and fewer victims were willing to pay the ransom, though some companies are still paying.

Coveware's post follows a report from cryptocurrency analytics firm Chainalysis, published earlier this month, which found that total ransom payments had surged. The firm found that through the first half of this year, ransomware actors had already extorted at least $449.1 million -- a $175.8 million increase over the same period in 2022.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
