Does it matter how many victims of ransomware agree to pay extortion demands?
Security vendors certainly think so, which is why many publish annual or bi-annual numbers that tend to show that ransomware has a shockingly high conversion rate.
Looking at statistics from 2021-22, one web survey suggested that only 20% pay up, while Anomali reckons it’s slightly higher at 40%. Meanwhile, the recent Sophos State of Ransomware Report 2022 says it’s 46%, Kaspersky thinks it’s 56%, with CyberEdge the highest of all at 63%.
You might conclude from this that nobody knows what percentage of victims pay up, but it’s also possible that each of these figures is correct—each vendor is questioning customers that reflect the sectors and geographies they serve, making some variation inevitable.
Or perhaps what matters isn’t the number paying up, but what factors influence some to pay up and others not to.
Central to this is surely that the victim believes that paying will get them all or most of their data back, or in the case of double extortion, that stolen data won’t be publicly released.
The criminals must go along with this, or they have no business model. It’s a strange aspect of ransomware—there has to be some trust involved or nobody would be willing to pay.
In reality, it’s more complicated. Some percentage of ransomware criminals has never bothered to return data to ransom-paying victims, which never mattered as long as most victims continued to believe they would.
But what if the behavior of the ransomware itself made it physically impossible to return files?
A curious example is the Onyx malware, a new version of the Chaos ransomware that has attracted attention for overwriting files larger than 2MB. That’s small enough to trash anything that isn’t a simple word processing file, like most images or larger PDFs.
Nobody’s sure whether this is deliberate design or just an error on the criminals’ part, but it’s destructive enough for vendor Qualys to describe the strain as behaving more like a disk wiper than classic ransomware.
For now, organizations are unlikely to encounter Onyx. The ransom sums demanded are small—only a few hundred dollars—which suggests the gang behind it is aiming at single users who frequent risky file-sharing websites.
But there is evidence that the amount of data victims can expect to get back is gradually declining as well.
The most authoritative survey of this is Sophos, which questioned 5,600 executives for its report and found that organizations that pay up received 61% of their data back during 2021, down from 65% a year earlier. The number getting back all of their data also dropped, from 8% to 4%.
This poor customer service could be cynical malevolence, or it could just be that ransomware attackers just can’t be bothered to invest in a trust system that’s slowly disappearing anyway. What matters is that defenders are realistic about their choices. Once a ransomware attacker gets to your data, you are no longer in full control. Assuming that paying a ransom is a viable plan B is now a strategy likely to lead to disappointment.