Just say no: Only 29% of ransomware victims paid the ransom in the fourth quarter of last year

In the final quarter of 2023, the landscape of ransomware attacks witnessed significant shifts, marked by a decrease in the average ransom payment by 33%, dropping to $568,705 compared to Q3 2023, according to a report from Coveware. However, the median ransom payment remained stable at $200,000 during the same period.

One notable trend was the decline in the proportion of ransomware victims choosing to pay ransoms, hitting a record low of 29% in Q4 2023. This shift is attributed to various factors, primarily the growing resilience of enterprise environments. Companies affected by ransomware incidents are increasingly demonstrating the ability to recover partially or fully without resorting to ransom payments.

Additionally, a data-driven reluctance to pay for intangible promises from cybercriminals contributed to the decrease in ransom payments. This includes promises not to publish or misuse stolen data and assurances of immunity from future attacks or harassment. The industry is becoming more informed about what can reasonably be achieved with a ransom payment, resulting in better guidance for victims and a reduction in payments for intangible assurances.

The report highlights a decrease in the volume of data-exfiltration-only payments, emphasizing examples of how data assurances can fail even when dealing with well-known ransomware groups.

The median company size of victimized organizations fell to 231 employees, a 32% decrease from Q3 2023. Despite several high-profile incidents drawing media attention, ransomware continues to predominantly impact small to mid-market companies.

The big four industries affected by ransomware—professional services, health care, consumer services, and the public sector—remained consistent quarter over quarter. The report emphasizes that ransomware is industry-agnostic, and a single sector's prevalence in the data does not necessarily indicate targeted attacks. Instead, it suggests that certain industries may be more susceptible due to general characteristics, such as being behind on patching and having limited cybersecurity resources.

Company size and reported revenue figures emerge as more telling predictors of the threat actor group targeting an organization. While some threat groups may adopt a opportunistic approach, the data suggests that others specifically target enterprises above a certain size and financial threshold.