Ransomware Profits Dip as Fewer Victims Pay Extortion

As Funding From Ransoms Goes Down, Gangs Embrace Re-Extortion, Researchers Warn

Bad news for ransomware groups: Experts find that getting a payday is harder as the world fortifies against the onslaught of criminal malware.

The good news is that more would-be victims are putting robust defenses in place, including well-rehearsed incident response plans, which make a successful attack harder to execute.

Also good news: law enforcement agencies now mobilize earlier to assist victims, and by doing so they are learning more about how attackers work and where they might strike next.

In 2019, 79% of victims paid a ransom. In 2022, only 41% of victims paid. That’s despite the number of successful ransomware attacks appearing to remain constant.

Fewer funds appear to be flowing to ransomware-wielding groups and affiliates, who are predominantly based in or around Russia. Based on currently available data, ransomware revenue fell from $765.6 million in 2021 to $456.8 million in 2022.

Unfortunately, ransomware groups are not simply going away. As the supply of victims willing to pay a ransom shrinks, the demands that ransomware groups make of those who do pay appear to be growing, and those demands increasingly include re-extortion.

That isn’t a reference to double extortion, which means criminals charge one ransom for a decryptor and another for a promise to not leak data or to remove a victim from its data leak site. Re-extortion refers to a ransomware group demanding and receiving a ransom for an agreed result and then demanding the victim pay again — and again — for what it has already paid for.

Previously, this tactic was used mainly by smaller, more amateur groups that preyed on smaller victims, as well as by the likes of LockBit and Hello Kitty.

But last year, more tightly held ransomware-as-a-service groups that primarily pursue midsize and large victims — including BlackByte, Hive, Quantum, Snatch and Vice Society — increasingly began re-extorting victims too.

The FBI says the best ways for organizations to help themselves include staying abreast of the bureau’s ransomware intelligence reports and getting to know their local FBI field office — or other appropriate law enforcement agency — so they can contact it quickly in the event of an attack.

Another essential is to have solid, well-practiced incident response plans in place.

“Having worked with victims who had incident response plans versus those who did not, the difference is stark,” the FBI’s Bryan A. Vorndran told Congress. “Victims with incident response plans are often able to respond faster and more efficiently and can significantly limit the damage caused by a ransomware incident.”

If you have questions about the risks posed by ransomware and putting together a response plan, call ITPAC today.