Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

Ransomware Victims Who Pay a Ransom Drops to Record Low

Experts See Groups Shoot Themselves in the Foot by Yet Again Swindling Affiliates
Ransomware Victims Who Pay a Ransom Drops to Record Low
Fewer victims are paying extortion demanded by ransomware groups, says Coveware. (Image: Shutterstock)

Here's ransomware news to celebrate: The number of victims who opt to pay a ransom has dropped to a record low. Also, operators of two major groups hit by law enforcement disruptions have each chosen to swindle their affiliates, sowing disaffection and driving away burned business partners.

See Also: The Future is Now: Embracing AI

Ransomware incident response firm Coveware, based on thousands of cases it helped investigate from January through March, said in a Wednesday report that just 28% of victims paid a ransom in that timeframe, down from 29% in the last three months of 2023, and compared to an average of 37% of victims paying across all of last year.

That downward trend comes thanks to "enterprises large and small" being "increasingly able to withstand an encryption attack, and restore their operations without the need for a threat actor decryption key," Coveware said.

Fewer victims also paid solely for a promise from attackers to delete their stolen data, dropping to 23% in the first quarter of this year, down from 26% the prior quarter, it said.

That's further good news. Experts have long urged victims to never pay for these types of intangible promises - compared to getting a decryptor - because there's no proof criminals have ever kept their word.

Actually, evidence abounds of groups doing precisely the opposite, including "hostage trading" of data between groups, with Coveware citing as just one example Hive victims who paid for data deletion seeing their names later appear on leak site of Hunters International, which is a reboot or rebrand of Hive.

Another example of such bad behavior comes via Britain's National Crime Agency, which spearheaded LockBit's February disruption via Operation Cronos, including infiltrating its infrastructure. The NCA said in the aftermath: "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised."

Despite such moves, ransomware groups last year collectively received record-breaking profits of at least $1 billion, said blockchain analytics firm Chainalysis.

Evidence does suggest that not only are fewer victims paying, but many agree to pay less.

When victims did choose to pay a ransom in the first quarter of this year, Coveware said the average payment was $381,980, down 32% from the prior quarter - although the median ransom payment hit $250,000, which was an increase of 25%. The firm said these trends reflected fewer victims choosing to pay, as well as more attackers opting not for sky-high initial ransom prices, but rather lower requests aimed at reaching an agreement with victims.

'Perplexing' Business Moves

Despite their record profits, all has not been smooth sailing for ransomware practitioners. Before the NCA-led disruption of LockBit, which included obtaining intelligence on hundreds of affiliates, the FBI and other law enforcement agencies last December disrupted BlackCat, aka Alphv. While neither group appears to have been permanently disabled, security experts lauded the disruptions for undercutting each group's brand, sowing trust, amplifying fatigue and undercutting morale.

Both groups reacted to the unexpected hit on their business operations - including law enforcement trolling their leadership - not by seeking to bolster trust with affiliates, but rather by "swindling" them, as well as letting private disputes become public, in what Coveware described as being a "perplexing" turn of events.

This isn't the first time that operators have shortchanged affiliates to keep more profit for themselves (see: REvil Ransomware Group's Latest Victim: Its Own Affiliates).

One challenge for affiliates is that they keep getting burned.

Threat intelligence firm Analyst1 reported earlier this year that LockBit's leader, "LockBitSupp" - got banned in January from the two most prominent Russian-language cybercrime forums, XSS and Exploit, after being accused of executing an attack without giving an initial access broker his share of the resulting profits.

Beyond just banning LockBitSupp, the forums also labeled him as being a "ripper," which "signifies a lack of trust, making it strongly discouraged for anyone to engage in collaboration with them," said Analyst1 researchers Anastasia Sentsova and Jon DiMaggio.

BlackCat has also burned its business partners. English-speaking affiliates of the group said their February attack on Change Healthcare, part of Optum-owned UnitedHealth Group, led to the victim paying a $22 million ransom. Affiliates will typically receive 70% to 80% of any ransom paid. Instead, they said BlackCat's leadership kept it all by pretending they'd been permanently disrupted by law enforcement, as part of an exit scam.

BlackCat's leadership seemed willing to sacrifice ties with the English-speaking affiliates behind the Change Healthcare hack, believing that swindling Westerners wouldn't undercut in any way their reputation with fellow Eastern Europeans, said Yelisey Bohuslavskiy, chief research officer at RedSense.

Shortchanging business partners plus the recent ransomware-as-a-service disruptions have triggered "a mass diaspora of ransomware affiliates," perhaps numbering in the hundreds, who are now having to consider their next move, Coveware said.

"Affiliates are the lifeblood of RaaS operations, and in the wake of these disruptions, we've already observed smaller RaaS groups attempting to recruit disaffected or displaced affiliates," said Drew Schmitt, who leads cybersecurity firm GuidePoint Security's research and intelligence team, in a new report.

More affiliates appear to be opting to go it alone, following in the footsteps of others who have adopted and modified free ransomware builders that have leaked from the likes of Conti, LockBit and Babuk (see: Free Ransomware: LockBit Knockoffs and Imposters Proliferate).

Others are adopting Phobos, which nominally operates as a ransomware-as-a-service operation, but lets anyone access its software via cybercrime forums of a payment of $150 or less. Unlike more sophisticated operations, "Phobos does not maintain a central data leak site or chat infrastructure, and victim communications most frequently take place over email, with the operating affiliates using 'throwaway' accounts with secure email services such as Proton Mail and Onion Mail," Guidepoint said. "Some ransom notes left by affiliates reference the group name or sub-brand, but many do not and remain unnamed."

While some affiliates may quit the life or join forces with groups that haven't yet burned them, "we expect a growing number of ransomware affiliates to leverage these free resources and develop their own encryption operations," Coveware said. "We have already seen an increase in Babuk forks in recent attacks, and several former RaaS affiliates using the ubiquitous, and almost free, Dharma/Phobos services."

Never short on drama, the ransomware ecosystem grinds on.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.