Most ransomware payments go on to fund many further attacks

ransomware avast
(Image credit: Avast)

When a threat actor manages to extort money out of a ransomware victim, they rarely use the cash to take a holiday - but instead use the newly acquired funds to finance more cybercriminal activities, new research has found. 

A report from by Trend Micro claims that while just 10% of ransomware victims end up paying the ransom, the money paid often gets used in future attacks.

The report also found that the victims that agree to pay the ransom usually do it quickly, and are often forced to pay more per incident. 

Funding more attacks

What’s more, although the risk is not homogenous and differs between sectors, company size, countries, etc. - there is a dose of similarity between them. Namely, victims in some countries, and some verticals, usually pay a higher demand than others, and that makes them a more popular target among attackers. 

Usually, businesses are advised against paying the ransom. The payment does not guarantee they’ll get their data back, even partially. At the same time, it motivates the attackers to continue with their ransomware operations. And finally - there is no guarantee that the same organization will not be targeted again - by the same threat actor, or someone completely different.

Trend Micro also added that paying the ransom “often only results in driving up the overall cost of the incident with few other benefits”.

Instead, the companies should build their infrastructure and be prepared for potential attacks. The best time of year to do so is in January, and July-August, as those are the periods when ransomware monetization activities are at their lowest, the researchers said.

“By prioritizing protection left of the kill chain, continuing in-depth analysis of the ransomware ecosystems, and focusing global efforts on reducing the percentage of victims paying,” businesses could make ransomware attacks less profitable for the attackers. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.