Ransomware Rebuff: Companies Clap Back at Cyber Crooks with Record Low Payouts in 2024

Ransomware’s bad year: only 28% of companies caved to cyber shakedowns in early 2024. Tougher defenses and legal pressure are clipping the wings of digital extortionists, despite their billion-dollar payday. Who’s laughing now, ransomware rogues? #RansomwareDownfall

Hot Take:

Well, well, well, it looks like the ransomware racket is having a bit of a cash flow problem! With only 28% of companies deciding that coughing up Bitcoin to cyber hoodlums is a good idea, we’re seeing a new trend of digital defiance. Maybe these companies finally realized that giving lunch money to the cyber bully doesn’t stop them from coming back for more. Now, if only someone could explain why, despite this newfound courage, we’re still shelling out more cash than ever to these online villains…

Key Points:

  • Companies giving the cold shoulder to ransom demands – only 28% are paying up, which is a drop of a whole percentage point from last year (because that 1% matters).
  • Despite the snub, ransomware gangs are raking in the dough, with a total haul of $1.1 billion last year – talk about a lucrative business model!
  • Ransom payments are a rollercoaster – average down to $381,980 but median up to $250,000. Apparently, criminals are now into fair pricing strategies.
  • In the cybercrime world, the FBI is playing whack-a-mole, and it’s causing chaos and career changes among ransomware affiliates.
  • Akira, not just a classic anime film, but now the top dog in ransomware, bagging $42 million from at least 250 organizations. They must be doing something right.

Title: Improper limitation of a pathname to a restricted directory (“path traversal”)
CVE ID: CVE-2024-1708
CVE state: PUBLISHED
CVE assigner short name: cisa-cg
CVE date updated: 02/21/2024
CVE description: ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVE ID: CVE-2023-20269
CVE state: PUBLISHED
CVE assigner short name: cisco
CVE date updated: 01/25/2024
CVE description: A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.

Title: Unauthenticated sensitive information disclosure
CVE ID: CVE-2023-4966
CVE state: PUBLISHED
CVE assigner short name: Citrix
CVE date updated: 10/10/2023
CVE description: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Need to know more?

The Drop in High Stakes

Ransomware actors are feeling the squeeze as companies are getting stingier with their Bitcoin wallets. The Coveware report is like a weather forecast for cybercrime – and it's predicting a chilly season for ransomware demands. Companies are battening down the hatches and refusing to play ball, which is making for some grumpy hackers.

Money, Money, Money – Must be Funny

Even though fewer companies are paying up, those who do are still dishing out eye-watering sums. The ransomware economy might be bizarre, but it's booming. Chainalysis probably had to upgrade their calculators to keep track of that $1.1 billion figure.

The Price is... Complicated

It's not all about the Benjamins (or the Satoshis, in this case). The average ransom payment has taken a dive, but the median is on the rise. This suggests that while the whales are getting better at saying "no", the smaller fish are still getting caught in the net.

The FBI's Game of Tag

The FBI has been playing tag with ransomware groups, and it seems they're "it". LockBit, once a big player in the ransomware league, is now more like a benchwarmer thanks to the feds. This has led to a ripple effect, causing trust issues in the cybercrime community and pushing some to consider a career change. Maybe LinkedIn should start a "Former RaaS Affiliate" job category?

Meet Akira: Not Just a Cool Movie

Akira has taken the ransomware world by storm, not by releasing a remastered sci-fi classic, but by being the most prolific digital menace so far this year. They've managed to amass $42 million, proving that crime does pay – at least until the FBI decides you're next on their game of cyber tag.

With ransomware actors facing a tougher crowd, and law enforcement stepping up their game, it's an interesting time in the world of cybersecurity. Who knows, maybe this drop in ransom payments will continue, or perhaps the cybercriminals will come up with a new strategy to part fools from their money. Stay tuned, and remember: always back up your files, just in case Akira comes knocking on your network's door.
