
Chainalysis: Ransomware Payment Sizes Spike in 2024

Ransomware victims are paying ransoms less often, but 2024 is still on track to be a record year for ransomware payment sizes, according to new research by Chainalysis. The findings indicate that, amid an “evolving sentiment” for companies against paying a ransom, threat groups are prioritizing large organizations or critical infrastructure entities that are more likely to pay bigger ransoms.

Researchers with Chainalysis, which analyzes the blockchain to scope out illicit payment activity such as ransomware payments, collected payment data across different “severity strains” of ransomware groups. These ranged from “very high severity strains,” which received a maximum payment exceeding $1 million in a given year, down to “low severity strains,” which received a maximum payment of less than $1,000 in a given year. They found that the median ransom payment for the most severe ransomware strains has increased from under $200,000 in early 2023 to $1.5 million in mid-June 2024.

Several massive ransom payments reported over the past eight months have supported this spike, from Change Healthcare’s $22 million payment to a record-breaking $75 million payment made by an unnamed Fortune 50 company to the Dark Angels ransomware group. Researchers said ransomware groups appear to be sniffing out organizations like these that are more likely to pay high ransoms “due to their deep pockets and systemic importance.”

“The growing sophistication of the threat actors (e.g., double extortion, etc.) and the size of the targeted entities, be they critical infrastructure, businesses, or government agencies, are what is inevitably driving higher ransom payment sizes,” said Eric Jardine, cybercrimes research lead with Chainalysis.

Evolving threat actor tactics also affect how much ransomware groups get paid. Attackers now rarely rely on simple infiltration and encryption methods, because encryption combined with exfiltration - paired with double or triple extortion tactics - pays better, said Jardine. Overall, the amount of money that ransomware groups have earned so far this year has increased by 2 percent over last year, from $449.1 million in 2023 to $459.8 million in 2024.

“An Evolving Sentiment”

Still, while ransomware attacks are becoming more frequent and the maximum sizes of ransom payments are increasing, victims are paying ransoms less frequently overall, Chainalysis found in May.

“The ongoing decrease in ransom payments, despite a reported increase in the number of attacks, reflects the growing reluctance of victims to comply with the demands of cybercriminals,” said researchers. “Sanctions and a broader aversion among organizations to fund criminal activities speaks to an evolving sentiment where paying ransoms is increasingly seen as unacceptable or unnecessary.”

Rick Holland, CISO with ReliaQuest, said that anecdotally he’s seen this shifting attitude with other CISOs. This change may be partly influenced by last year’s ransomware attack on MGM Resorts International where the organization did not pay, said Holland. However, another factor is that CISOs are trying to build better containment efforts into their strategies so that they don’t need to get to the point of decision about a ransom payment at all, he said.

“I think MGM changed a lot, it’s one of the most significant ransomware attacks that we’ve had to date,” said Holland. “One, because they refused to pay. Two, [there’s been a] desire post MGM to do more containment. The desire I’m seeing is ‘we want to eliminate this conversation of do we pay the ransom or not… so can we do more containment, can we lean forward, can we do stuff across the network, the endpoint and identity, to contain this faster.’”

A More Fragmented Landscape

Behind a “major escalation” in the frequency, scope and volume of ransomware attacks, the ransomware ecosystem itself appears to be shifting based on Chainalysis’ findings. “Very high severity strains” (versus “high severity strains”) are still underperforming their 2023 year-to-date totals, for instance, potentially indicating that the law enforcement disruptions of larger players, like BlackCat and LockBit, have had some sort of impact.

While it’s difficult to track the long-term impacts of law enforcement operations on the overall ransomware threat landscape, some security researchers have looked at total ransomware payments and their year-over-year difference as a potential benchmark.

Researchers found that in the wake of the BlackCat and LockBit disruptions, “the ecosystem became more fragmented and affiliates migrated to less effective strains or launched their own.”

Overall, Jardine noted that ransomware strains categorized as less severe have been much more active in 2024 so far than they were in 2023. For instance, “high severity strains” (versus “very high severity strains”), which are categorized as ransomware families that received a maximum payment between $100,000 and $1 million in a given year, increased their year-to-date activity by 104.8 percent.

“It is not the case that these strains are behind the biggest payments we have seen this year, but cumulatively their effect on the global ecosystem is very significant,” said Jardine.