Ransomware attacks continue to rage unabated, causing great damage both domestically and internationally. In the “Top 10 Information Security Threats” published annually by the Information-technology Promotion Agency (IPA), “damage from ransomware” was the top threat for organizations for the third year in a row.
Meanwhile, in January 2023, two security companies that have been investigating ransomware attacks for some time released interesting data. The data suggest that the number of victim companies paying the ransom in ransomware attacks is decreasing. I wonder if it’s true.
Decreased from $765.6 million to $456.8 million
On January 19, 2023, US-based Chainalysis, a blockchain analysis company, released a report summarizing the damage caused by ransomware attacks in 2022. The company has been monitoring the cryptocurrency (virtual currency) addresses of ransomware attackers and continuously investigating the ransom payment status.
Ransom payments, which totaled $765.6 million in 2021, fell to $456.8 million in 2022, according to the report. The company speculates that this is not due to a decrease in ransomware attacks, but due to an increase in the number of victim companies that refuse to pay the ransom.
A report published by US-based Coveware on January 20, 2023 also supports this. Coveware is a security company that helps companies that have fallen victim to ransomware attacks. According to its research, the percentage of victim companies paying ransoms is on the decline.
On a quarterly basis, the payment rate decreased from 85% in the first quarter of 2019 to 37% in the fourth quarter of 2022. On an annual basis, the payment rate dropped from 76% in 2019 to 41% in 2022.
Fear of being punished for paying the ransom
One reason for the decline in ransom payments, Coveware said, is that many companies are stepping up their security efforts. A series of reported incidents has raised awareness of the danger of ransomware attacks, and companies are spending money on security measures and incident response.
As a result, even when a ransomware attack does occur, its impact is not serious enough to lead to payment of the ransom.
Chainalysis cited legal issues as one reason.
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released an advisory on ransomware ransom payments.
According to the advisory, paying a ransom to an entity in a country or region under economic sanctions by the United States could result in a fine for violating OFAC regulations. The ransom could be used to fund activities that threaten US national security and foreign policy.
The rule applies not only to companies hit by ransomware attacks, but also to third-party companies to which victims outsource incident response.