Advertisement

Average ransomware payment declined by 38% in second quarter of 2021, new Coveware report says

The average payment was $136,576 in the second quarter.
(Photo by Yuriko Nakao/Getty Images)

The tides may be starting to turn on the ransomware epidemic, new industry findings show.

The average ransomware payment declined to $136,576 in the second quarter of 2021, according to numbers published Friday by ransomware response firm Coveware. The company did not share how many companies that data was based on.

The 38% decrease is a dramatic drop from the average demand of $220,298 that the firm reported in April for the first quarter. That number was a 43% increase from the last quarter of 2020.

The decline comes in the shadow of three major ransomware attacks hitting the U.S. supply chain. Since May, U.S. officials have faced three high-profile ransomware attacks against fuel provider Colonial Pipeline, meat supply company JBS, and most recently Florida IT company Kaseya. The latter two attacks have been attributed to REvil, a ransomware gang thought to be based in Russia.

Advertisement

The resulting wake-up call in both the government and private sector could continue to drive a decrease in ransomware demands, the Coveware report suggests.

“While there is no single silver bullet, there is renewed focus and so far we think the efforts will be successful in containing the extortion economy,” per the report. “Any effort that increases the risk for ransomware threat actors, and lowers the profitability is helpful.”

The proliferation of cybercriminal groups selling ransomware tools to affiliates has also made digital extortion easier. Affiliates are capable of alternating hacking tools, making it more difficult for investigators to assign blame and predict future behavior, Coveware notes.

Since the attacks, the Biden administration has increased pressure on Russia to take actions against cybercriminals in its borders. The attention may be one reason REvil went dark earlier in July.

While REvil recently went dark, going offline on July 13 without explanation, it still swept the floor with the competition in the second quarter. Sodinokibi, the ransomware created by REvil, held the biggest share of the market at 16.5%. A version of the Conti ransomware ranked at second place, at 14.4%, while other strains occupied 2.5 to 5.4% of the top ten shares.

Advertisement

Broader U.S. government efforts to combat ransomware are still in the early stages. The White House recently launched an interagency task force to address ransomware, while law enforcement has also taken more aggressive measures to disrupt cybercriminal infrastructure.

While it’s impossible for any single company to have a full picture of the ransomware economy, Coveware isn’t the only firm to notice a shifting tide.

“The Coveware report shows that when the U.S. government signals how seriously it takes ransomware attacks, it has a deterrent effect,” says Michael Phillips, chief claims officer at cyber insurance firm Resilience.

Intense public concern has also benefitted the cyber insurance industry, says Philips. Companies are prioritizing security with a greater emphasis, Philips says, and, because of demand for insurance, insurers are able to implement much higher security standards for clients than before. Coveware points to the shift as another factor in decreasing ransom payment sizes.

Still, there are significant challenges ahead. The ability of small and medium-sized businesses and the public sector to invest in better cybersecurity remains a concern, ransomware experts say.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts