A global survey of ransomware victims highlights how little the promises of ransomware actors are worth: a substantial share of the organizations that paid the ransom still had their data leaked, never got a working decryptor, or were extorted further.
This is not a surprising or new discovery, but seeing it reflected in actual statistics makes the scale of the problem easier to appreciate.
The survey was conducted by cybersecurity firm Venafi, and the most important findings from the respondents are the following:
- 18% of victims who paid the ransom still had their data exposed on the dark web.
- 8% refused to pay the ransom, and the attackers tried to extort their customers.
- 35% of victims paid the ransom but were still unable to retrieve their data.
As for the ransomware actor extortion tactics, these are summarized as follows:
- 83% of all successful ransomware attacks featured double and triple extortion.
- 38% of ransomware attacks threatened to use stolen data to extort customers.
- 35% of ransomware attacks threatened to expose stolen data on the dark web.
- 32% of attacks threatened to directly inform the victim's customers of the data breach incident.
Ransomware actors' promises to their victims lack credibility for several reasons.
First, most ransomware-as-a-service (RaaS) operations are short-lived, so they simply look to maximize their profits in the shortest possible period of time. As such, they have little reason to care about long-term reputation.
Secondly, many renegade affiliates don't follow the rules set by the core ransomware operators, and enforcing those rules is rarely a priority for the operators.
Thirdly, even if the data isn't leaked right away, copies of stolen data may be retained for a long time on multiple threat actor systems and almost always find their way to the broader cyber-crime community sooner or later.
A vicious cycle
As Venafi underlines in its report, paying the ransom only motivates crooks to return for more, because it signals that the victim sees payment as the easiest way out of trouble. That way out is an illusion.
"Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more," comments Venafi's vice president, Kevin Bocek.
"The bad news is that attackers are following through on extortion threats, even after the ransom has been paid! This means CISOs are under much more pressure because a successful attack is much more likely to create a full scale service disruption that affects customers."
The above matches the findings of another report published by Proofpoint yesterday, which presents the results of a survey of thousands of employees and hundreds of IT professionals across seven countries.
70% of the survey participants report having experienced at least one ransomware attack in 2021. Of those, 60% opted to negotiate with the attackers, and many ended up paying a ransom more than once.
In summary, the best approach for victims is not to give in to ransomware demands but instead to restore systems and data from backups and alert law enforcement and data protection authorities. Keep in mind that restoring from backups only addresses the encryption side of the attack: if data was exfiltrated, the leak threat remains regardless of whether the ransom is paid, which is exactly what the figures above show.
Paying changes none of that. The only difference between the scenarios is the enrichment of ransomware actors and the boost to their motivation to continue.
Comments
kleinert - 2 years ago
Is it accurate that "83% of all ransomware victims who paid the requested amount were extorted again, twice, or even three times."??
The original survey stated that 83% of victims were faced with double or triple extortion tactics. That does not mean they were extorted two or three times.
It only means that they had their data stolen, were facing the threat of data leaking, and maybe even were threatened with DDoS attacks.
Double-extortion does not mean that you are being extorted twice but that the criminals are using two means of extorting you (locking your data and threatening to leak it at the same time).
I may be completely off the mark here but I think that is a small but important inaccuracy in the article.
...sorry, not trying to be rude, just helpful :)