top of page

Ransomware 2024: Lower Ransom Demands Mask a More Devious Playbook

Coveware recently published its ransomware report for the first quarter of 2024. Interestingly, the average ransomware payment has fallen to nearly $382K, a 32% decline from the last quarter of 2023. The use of historically prevalent attack vectors like phishing, remote access compromise (RAC), and software vulnerabilities has also been on the decline. Growing cybersecurity awareness, law enforcement tightening the net on RaaS groups, and internal feuds among different RaaS actors could be to blame. So, is the tide finally turning?

A Drop in Ransomware Payments May Give a False Sense of Security

The decrease in ransom demands may initially seem like good news. However, the 25% increase in the median ransom payment compared to the previous quarter suggests a more sinister strategy. Lower demands could be a ploy to increase the likelihood of victims paying. By asking for smaller, more 'affordable' amounts, RaaS actors can secure payments more frequently, potentially leading to a higher overall payout. This tactic could be particularly effective against organizations unable or unwilling to pay exorbitant ransoms.

No Guarantees Against Data Leaks

RaaS providers' reputations are at an all-time low, even among their affiliates. Earlier this year, BlackCat’s affiliates were left scrambling after BlackCat’s abrupt exit scam. It only makes sense for victim organizations not to trust these groups either. RaaS pioneers may have followed a code of conduct to earn the trust of naive victims. But now, groups like Conti increasingly retain their victims' data even after receiving payments. Nothing stops them from demanding more ransom payments or leaking stolen data.

In a recent example, Change Healthcare paid a whopping $22 million ransom to BlackCat, only to have a patient’s data surface on the dark web anyway. Despite the hefty ransom payment, around 6TB of their proprietary data is still in limbo. Groups like Maze, Netwalker, Conti, and Sodinokibi have all been caught leaking data after receiving ransoms, during active negotiations, or, in a few cases, even before informing the victim of the breach.

Internal disagreements, accidents, or sheer greed for continuous extortion—whatever the reason, once attackers obtain the data, there's truly no guarantee it’ll ever be safe again.

Built-in Data Security Saves More Than Just Data

We've always advocated protecting data “at rest.” This is a massive deterrent for ransomware actors and perhaps the only failsafe defense in the new Wild West of ransomware.

Let us explain…

The latest ransomware attacks have two significant tactics:

  • Exfiltration, where attackers steal the data in addition to encrypting it

  • Impact, where attackers destroy or tamper the data to alter business processes to their benefit.

These multi-pronged ransomware attacks not only challenge the availability of data but also compromise its confidentiality and integrity. As such, they need a multi-layered DiD (defense-in-depth) strategy, including:

  • Data backups: Offline data backups, in particular, can deal with the data unavailability and business disruption aspect of ransomware. Being offline also ensures ransomware doesn’t spread to the backup.

  • Data encryption: Encryption of data at rest can render it useless for attackers even if they steal it. They can neither access the sensitive information nor tamper with it.

According to Coveware, 23% of victims chose to pay the ransom not for the decryption key but to avoid risking data exposure. Had those organizations encrypted their data, there would be no need to pay.

Data-Centric Security Pays Off as Attack Vectors Become Increasingly Vague

Reports suggest that attackers are taking more steps to hide how they infiltrate target networks. Even if clear attack vectors remain unidentified, they are likely just a combination of a dozen tactics attackers use to achieve extortion-level impact. Attackers often chain vectors like email phishing, RDP compromise, and security vulnerabilities together to achieve their desired impact. As it gets harder for organizations to know the preferred infiltration methods, it's best to focus protection at the heart of what attackers are ultimately after: the data.

Instead of perimeter-based defenses that focus on where an attacker starts to gain entry, which can be countless starting points, it’s better to focus on their comparatively fewer end targets. We discuss this approach of shifting the security perimeter to the data itself in our latest whitepaper, which is up for grabs for all cybersecurity enthusiasts.

In the paper “Data is the New Perimeter: Shift Up Zero-Trust to Cover Application Data,” we discuss how perimeter-focused security controls like ZTNA, despite their fluidity, can fail to protect the most critical organizational asset—the data itself. We also discuss how you can shift ZT principles to the data layer through Confidencial’s selective encryption to protect against exfiltration and extortion. After all, malicious actors can’t exploit what they can’t see.

Don’t forget to download your copy today!

33 views0 comments


bottom of page