Ransomware

How Ransomware Payments Have Evolved in 2023

Marc Grens
#payments #ransomware

Our founder, Marc Grens, sat down for a Q&A with NetDiligence.
You can view the post in its entirety here.

Introduction

Unfortunately, based upon the data and trends, it is feared that ransomware incidents have not yet peaked, and with cyber criminals taking more of a fire hose approach these days, a broader range of companies and industries are getting hit. That’s just one of the many insights Marc Grens, co-founder and president of DigitalMint Cyber, shared with us during a recent conversation about the trends his team has observed in the last twelve months.

Ransomware attacks were on the rise long before the pandemic. Over the last two years, ransomware attacks have risen by 200% – they are becoming more frequent, more expensive, and more sophisticated. This issue is anticipated to continue throughout 2021, which is why businesses must be proactive in managing threats and take other actionable steps to mitigate any damage.

What are some general observations about the state of ransomware attacks?

We are seeing more frequent, smaller payments. Threat actors are more amenable to negotiation. At the same time, we see the industry taking a more methodical approach to negotiating from the start of the incident and taking more time to make the decision about what payment gets made. We believe this is due to the fact that there are higher-quality remediation efforts and more alternative approaches to incident response that are driving this change.

Overall, ransomware incidents are still up—and thus, the volume of incidents has significantly increased. However, actual payments being made are lower year over year. From our perspective, we can’t speak for all the costs that go into incident response or recovery, business interruption, legal disclosures, lawsuits, etc.

How much does the payment change relative to the initial demand?

Based upon our data set, the victim and stakeholders take into consideration the optimal and maximum amount desired to pay regardless of the initial demand provided by the threat actor. If it’s not financially worth it to pay and the threat actor refuses to come down, the payment will likely not happen as alternative options will be utilized to recover. However, interestingly enough, the Lockbit playbook to affiliates was leaked, including the tactics all criminal recruits are expected to use, such as looking at the victim’s annual revenues, and depending on the industry, making initial demands at certain percentages and not negotiating below certain percentage discounts.

How has the approach to ransomware evolved?

We believe the whole industry coming together and working to find alternative methods beyond simply giving in to threat actors’ demands has been increasingly positive. Some incident response organizations responding to ransomware have been successful with restoration backups or at least realizing that some or all of the data that was stolen is not as critical as once thought. Generally speaking, we are not seeing higher demands being paid on data extortion only.

What is the typical time frame to pay the ransom?

The time frame can greatly vary, depending upon several factors such as whether or not critical systems are offline, the quality of the backups, and if the incident is greatly costing the victim company at the onset. The typical time frame could be about two weeks and could drag on further as extensions granted are common with some threat actors.

Over the past year, this time frame has grown longer as a result of companies conducting much more thorough due diligence, especially for those companies that have a panel of experts including forensics, restoration, breach counsel, law enforcement, etc. Additionally, with more concerns about sanctions that may lead to a violation, it is worth the effort to push the time frame to ensure that a company is making the right decision and whether or not a payment is actually necessary.