Firms that pay ransom money are facilitating 10 new attacks: Report Reveals

A recent report by cybersecurity firm Trend Micro has revealed that just 10% of ransomware victims pay the ransom, but those who do are effectively funding 6-10 new attacks.

Ransomware has become a pervasive threat, with cybercriminals using increasingly sophisticated techniques to target both individuals and organizations. While it is always best to prevent a ransomware attack from happening, sometimes it can be difficult to do so. As a result, many victims are faced with the difficult decision of whether to pay the ransom or not. A recent report from Trend Micro warns that those who do pay are effectively funding future attacks and that paying the ransom only drives up the overall incident cost for victims.

The report by Trend Micro entitled “What Decision-Makers Need to Know About Ransomware Risk” has found that just 10% of ransomware victims pay their extorters. However, those who do pay are usually forced to pay more per compromise, since they represent a smaller pool of targets. Moreover, each victim who pays subsidizes the victimization of six to ten others, as the paid ransom amount covers the cost of operations related to the victims who do not pay.

Trend Micro used data science techniques to analyze data from multiple sources, including detection telemetry, network infrastructure, blockchain transactions, underground forums, chat logs, and more, to come up with its report.

The report revealed that among those who did pay, more than half paid within 20 days to avoid severe disruption to their infrastructure and services, and 75% of the ransom was paid within 40 days, followed by a slow decline.

Attackers are aware that certain industries and countries that pay ransoms also tend to pay more often, so organizations belonging to those industries and countries are more likely to find themselves at the receiving end of ransomware attacks.

The report also highlighted that ransomware monetization activities have been lowest in January and from July to August over the past two years. These periods, therefore, potentially offer the best opportunity for defenders to rebuild the infrastructure.

Paying the ransom might seem like the easiest way to regain access to important data, but it can also increase the overall cost of a ransomware incident. The restoration process takes time, leading to further business interruption costs. NetDiligence conducted a five-year study of the ratio of requested ransom payment to the total cost of losses in ransomware incidents and found that the ransom request comprises 67% of the total loss, suggesting that paying the ransom only adds to the incident cost. Therefore, businesses are better off directing that money toward incident response costs and incident leadership rather than paying the ransom.

As ransomware attacks continue to pose a significant risk to organizations, it’s important to note that the criminals behind these attacks also face risks of their own. Ransomware is a speculative business, and ransomware groups have to compromise a victim first and hope that the victim pays. Thus, anything that reduces the number of payments makes it harder work for them.

Defenders, law enforcement agencies, cybersecurity experts, and policymakers can exploit these risks to make it more difficult and costly for criminals to carry out successful attacks. For instance, defenders can leverage their knowledge of their organization’s infrastructure to effectively defend systems, detect threats, and mitigate risks. The application of zero-trust principles can also increase the cost of criminal operations and the probability of attack detection and mitigation. Law enforcement agencies can monitor, seize, or block ransomware groups’ infrastructure, affecting key stages of their attacks and reducing the overall number of victims. By increasing the “friction” involved in carrying out ransomware attacks, it’s possible to make it more difficult for criminals to succeed and to minimize the impact of these attacks.

This presents an opportunity for society to reduce the impact of ransomware by increasing support for victims who do not pay and reducing the number of victims that ransomware groups can attack. The report also warns that those who do pay ransoms are paying over the odds and are therefore driving up the natural tendency toward higher payments.

The report recommends that organizations enhance threat prevention, detection, and response efforts to tackle ransomware effectively. However, a global focus on reducing the percentage of victims paying would also help by driving down ransomware’s profitability. Moreover, in-depth industry research like this can help decision-makers to better understand the financial risk of ransomware. This, in turn, could enable IT departments to justify bigger spending, governments to budget for restoration and law enforcement more accurately, and insurers to price policies with greater accuracy.
