Trend Micro, a cybersecurity company, has found that only 10% of victims of ransomware pay the ransom demanded by the attackers. The company warned that those who do pay, however, fund between six and ten new attacks. Trend Micro used data science techniques to gather information from a range of sources, including detection telemetry, network infrastructure, blockchain transactions, and underground forums. The report also showed that those who do pay usually do so quickly, often within 20 days, to avoid disruption to their infrastructure and services. Nevertheless, paying the ransom does not guarantee that the company will regain control of its data, nor will it undo the reputational damage or loss of business caused by the attack. Attackers know that certain industries and countries are more likely to pay the ransom, and therefore, they often target these sectors.
Trend Micro recommended that organizations should enhance their threat prevention, detection, and response capabilities to tackle ransomware effectively. Furthermore, the report revealed that ransomware monetization activities have been lowest in January and from July to August over the past two years, and these periods may be the best times for organizations to rebuild their infrastructure or take vacations. The company emphasized that in-depth industry research can help decision-makers to better understand the financial risk of ransomware. This knowledge can enable IT departments to justify bigger spending, governments to budget for restoration and law enforcement more accurately, and insurers to price policies more accurately.
According to the report, speed is critical when dealing with ransomware payments. The majority of victim organizations that choose to pay do so quickly, often within 20 days. The report cites the case study of DeadBolt ransomware, in which the ratio of payments to infections was low, at 8%, between June 27 and July 20, 2022. This ratio is lower than that of Conti and LockBit, which stands at 16%. The report attributes this to DeadBolt's volume-oriented ransomware business, which targets a more extensive audience. Corporate customers usually restore their systems quickly because their revenue depends on them, so for them time is a core driver. However, time does not correlate with every category of loss; credit monitoring is one example.
The report also indicates that more than half of those who paid the ransom did so within 20 days, and 75% of the ransom was paid within 40 days, with a slow decline afterward. The report provides a Kaplan-Meier curve for the percentage of DeadBolt victims who paid against the number of days until payment was made. The “survival analysis” considers victims who do not pay as survivors, showing that 92% of victims survived more than 100 days without opting to pay, while roughly 6% paid within 20 days.
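The Kaplan-Meier estimate described above can be computed as in the following Python sketch, which is an added example and not code or data from the Trend Micro report. The observations are constructed, and victims who had not paid when observation ended are treated as right-censored, so a victim tracked for only 10 days does not count as having held out for 100.

```python
from collections import Counter

# Constructed sample: (days observed, paid?). paid=False means the victim was
# still unpaid when observation stopped (right-censored), not that they never pay.
SAMPLE = (
    [(5, True)] * 2        # paid on day 5
    + [(10, False)] * 10   # infected late: only 10 days of observation
    + [(15, True)]         # paid on day 15
    + [(30, True)]         # paid on day 30
    + [(120, False)] * 36  # unpaid after 120 days of observation
)

def kaplan_meier(observations):
    """Return [(day, S(day))] for each day on which at least one payment
    occurred, where S is the estimated fraction of victims still unpaid."""
    obs = list(observations)
    payments = Counter(day for day, paid in obs if paid)
    leaving = Counter(day for day, _ in obs)  # paid or censored on that day
    at_risk = len(obs)
    survival = 1.0
    curve = []
    for day in sorted(leaving):
        d = payments.get(day, 0)
        if d:
            # Victims censored on this same day still count as at risk here.
            survival *= 1 - d / at_risk
            curve.append((day, survival))
        at_risk -= leaving[day]
    return curve

def survival_at(curve, day):
    """Step-function lookup: estimated unpaid fraction at the given day."""
    s = 1.0
    for t, value in curve:
        if t > day:
            break
        s = value
    return s

if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    naive = 1 - sum(paid for _, paid in SAMPLE) / len(SAMPLE)
    print(f"naive unpaid fraction: {naive:.3f}")
    for day in (20, 40, 100):
        print(f"S({day}) = {survival_at(curve, day):.3f}")
```

On this sample the naive paid/infected ratio reports 92% unpaid, while the censoring-aware estimate at day 100 is lower, because the ten briefly observed victims stop contributing to the denominator after day 10.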
Ransomware attacks are almost always financially driven, so the attackers need to turn a profit. Understanding a ransomware group's operating costs is therefore essential to gaining insight into the attacker's objectives. The report recommends that decision-makers focus on reducing the percentage of victims who pay, to drive down the profitability of ransomware.
In conclusion, the report emphasizes that paying the ransom only drives up the overall incident cost for victims. The best way to tackle ransomware is by enhancing threat prevention, detection, and response efforts. Organizations should focus on rebuilding their infrastructure or taking vacations during periods of low ransomware monetization activities. The report also indicates that in-depth industry research can help decision-makers to understand the financial risk of ransomware, enabling IT departments to justify bigger spending, governments to budget for restoration more accurately, and insurers to price policies more accurately.