According to a recent study, ransomware payments have dropped by over a third as more victim organisations refuse to pay up. In this short article we dig deeper into the story, ask what’s driving the trend, and explore how organisations like yours can be ready to say “No” to extortion.
The study, published earlier this month by US-based blockchain analysis firm Chainalysis, highlights a significant drop in total reported ransomware payments, from $1.25 billion (USD) in 2023 down to $813 million (USD) in 2024, a drop of 35%. The statistic stands out because studies into cybercrime overwhelmingly tell a negative story, where attacks are on the rise and the criminals are on the front foot.
Is ransomware as an attack strategy in decline?
Sure, ransom payments are down, which means less money flowing into the bank accounts of criminal gangs. This, in turn, will diminish the incentive for the attackers, and ultimately could lead to a reduction in the prevalence of ransomware attacks – but, there is no sign of that yet. It’s worth noting that while ransom payments fell last year, the number of ransom demands actually increased. This tells us that criminal gangs are continuing to succeed in breaching defences and locking down networks.
If perimeter cybersecurity measures aren’t stopping more ransomware, then what’s changed? Why are more ‘victim’ organisations choosing to take on the complex and often risky task of recovering their systems over paying to have them unlocked?
Choosing Recovery Over Ransom
In an ideal world, no organisation would pay a ransom demand. While the number that do pay is falling, Coveware’s quarterly ransomware report shows that in 25% of cases in Q4 2024, demands were paid, with an average payment of over $550,000 (USD).
So, what are the considerations to weigh up when deciding whether to pay up? And what has changed that is shifting the needle?
The moral question:
The moral question is, should your organisation fund criminal activity? Of course this sounds like a no-brainer, but rather than being a binary choice, it’s actually more nuanced. Really, it’s about balancing the ethical position of your organisation against the negative (and potentially devastating) impacts that not paying the ransom will have on your employees, your customers, and your supply chain.
The legal question:
The question here is, is it illegal to pay the ransom? While there is no universal legal position on payment of extortion demands associated with ransomware, many governments around the world have put measures in place to prohibit, limit, and discourage payment. So, in some circumstances, paying the ransom is actually illegal.
As an example, The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has prohibited payments to certain sanctioned organisations, including some known ransomware groups.
When it comes to similar legal sanctions, the direction of travel is clear. The European Union and 48 individual countries have signed up to the International Counter Ransomware Initiative, which states that government authorities should not pay ransomware extortion demands.
Meanwhile, the UK government has declared that a ban on ransom payments by public sector entities including schools, the National Health Service (NHS), and local councils is under consideration.
There is no doubt that these measures at a governmental level are contributing to the decrease in ransom demand payments. Essentially, in some scenarios they remove the option of payment entirely.
The confidence question:
Fundamentally, choosing whether or not to pay an extortion demand is about calculating risk. The question is, how confident are you that your business can recover its IT systems quickly and completely, without the risk of re-infection?
Over the last 3 years many organisations have shifted from a cybersecurity strategy to a more holistic cyber resiliency strategy – putting processes and technology in place to ensure that if the worst happens, they are ready to mount a rapid and robust recovery.
We believe this has been the biggest contributing factor to the decrease in ransom demand payments. When an organisation is confident in its own ability to recover, the criminals’ leverage is removed.
Achieving Recovery Confidence
Saying ‘No’ to a ransomware extortion demand is a bold move, and if you lack certainty in your ability to recover, it could be a disastrous one. That’s where Recovery Assurance technology comes into play.
The Recovery Assurance Buyer’s Guide is a useful resource to help you understand the different technologies in this emerging marketplace and guide you towards the right ones to make your organisation ‘recovery confident.’
Predatar, for example, is designed to prove that your backups and snapshots are recoverable and infection-free – before a crisis hits. Thanks to AI and automation, you can validate your recovery plans daily, and continually check that your storage hasn’t been compromised.
In conclusion
Early signs indicate that the ransomware tide may be turning, but organisations can’t be complacent. The risks are still very real, particularly for organisations that don’t have robust cyber resiliency practices in place. By shifting from a cyber security approach to a more holistic cyber resiliency one, and investing in the right technologies, organisations can build recovery confidence and say “No” to extortion demands.