A Q&A with Marc Grens of DigitalMint
Unfortunately, the data and trends suggest that ransomware incidents have not yet peaked, and with cyber criminals taking more of a fire-hose approach these days, a broader range of companies and industries is getting hit. That is just one of the many insights Marc Grens, co-founder and president of DigitalMint Cyber, shared with us during a recent conversation about the trends his team has observed over the last twelve months.
What are the most surprising trends you’ve seen over the last year?
The collaborative process is getting more and more refined with more options, just like any growing industry.
- Installment Plans: We will see both threat actors and their targets requesting that payments be broken up into installments.
- A la Carte Pricing: This is similar to installment plans in that certain payments can be tied to specific deliverables. For instance, the victim company will pay the threat actor X dollars in Bitcoin for the decryptor and security report, and then Y dollars in Bitcoin for the data deletion.
- Partial Sharing of File Listings: In past years, threat actors would typically, in good faith, share the full file listing with victims. However, recently we’ve seen a trend where they’re only sharing 20-50% of file listings or flat-out refusing to share the listing at all.
- Paying for File Listings: This is not typical for all or even most threat actors, but we are seeing an increase in some requesting a payment in order to share the file listing with the targeted company.
Have you noted any differences in ransomware attacks across business sectors?
From 2022 to 2023, we saw the largest increase in ransomware attacks in the Consumer Discretionary sector, with the Industrial, Financial and Healthcare sectors staying consistent. In the earlier days of ransomware, there would be a targeted focus on certain companies, and that meant more pain for financial and healthcare organizations, especially with the exfiltration of extremely sensitive data.
One important note is that we are seeing more ransomware affiliates and hackers who are inexperienced on the keyboard and, as such, an increase in unpredictable behavior when communicating with newer threat actors that may or may not be following a specific protocol.
What are some general observations about the state of ransomware attacks?
We are seeing more frequent, smaller payments. Threat actors are more amenable to negotiation. At the same time, we see the industry taking a more methodical approach to negotiating from the start of the incident and taking more time to decide what payment gets made. We believe this change is being driven by higher-quality remediation efforts and more alternative approaches to incident response.
Overall, ransomware incidents are still up, so the volume of incidents has significantly increased. However, the actual payments being made are lower year over year. From our perspective, we can't speak for all the costs that go into incident response or recovery, business interruption, legal disclosures, lawsuits, etc.
What was the average ransomware payment in 2023? The highest?
Taking into consideration our work with all digital forensics and incident response (DFIR) reports, the mean payment is $750,000 and the median is $210,000. Obviously, the mean is skewed much higher by larger payments made by major global companies, which can unfortunately be greater than seven figures.
The highest initial demand that we have seen or heard about was $100,000,000. Some threat actors, like Cl0p for example, were exuberantly throwing out exorbitant numbers in hopes of a large payout. From our vantage point, we are not aware of anyone ever paying anything remotely close to that figure, which is likely well above the largest ransomware payment ever made.
How much does the payment change relative to the initial demand?
Based upon our data set, the victim and stakeholders take into consideration the optimal and maximum amount they are willing to pay regardless of the initial demand provided by the threat actor. If it's not financially worth it to pay and the threat actor refuses to come down, the payment will likely not happen, as alternative options will be used to recover. However, interestingly enough, the LockBit playbook for affiliates was leaked, including the tactics all criminal recruits are expected to use, such as looking at the victim's annual revenues and, depending on the industry, making initial demands at certain percentages and not negotiating below certain percentage discounts.
How has the approach to ransomware evolved?
We believe the whole industry coming together and working to find alternative methods beyond simply giving in to threat actors’ demands has been increasingly positive. Some incident response organizations responding to ransomware have been successful with restoration backups or at least realizing that some or all of the data that was stolen is not as critical as once thought. Generally speaking, we are not seeing higher demands being paid on data extortion only.
What is the typical time frame to pay the ransom?
The time frame can vary greatly, depending upon several factors such as whether or not critical systems are offline, the quality of the backups, and whether the incident is greatly costing the victim company at the onset. The typical time frame could be about two weeks and could drag on further, as extensions are commonly granted by some threat actors.
Over the past year, this time frame has grown longer as a result of companies conducting much more thorough due diligence, especially those companies that have a panel of experts including forensics, restoration, breach counsel, law enforcement, etc. Additionally, with more concerns about sanctions that may lead to a violation, it is worth the effort to extend the time frame to ensure that a company is making the right decision and to determine whether or not a payment is actually necessary.
What are the top variants used for ransomware attacks?
As of recently, ALPHV/BlackCat, LockBit 3.0 and Akira are the most common threat vectors for the delivery of ransomware. However, we are starting to see an increase in new variants that we have not seen in the past.
How are most ransomware payments made to cyber criminals?
Bitcoin (BTC) is still clearly the favored cryptocurrency. However, every so often, we see threat actors requesting Monero (XMR). Some concerns over threat actors requesting XMR are the underlying privacy of its blockchain and its illiquidity in several markets, which makes it harder to obtain larger amounts in a short period of time.
Where do most threat actors reside or maintain their crypto account?
Given the challenges of precise attribution on an incident-by-incident basis, it is still believed through blockchain forensics that the majority are in Eastern Europe. Overall, from law enforcement's perspective, this area is favored by threat actors due to the challenges of subpoena effectiveness within certain countries in this region.
We’d like to extend our thanks and gratitude to Marc Grens of DigitalMint Cyber for sharing his insights and perspectives on the latest ransomware payment trends. To learn more about Marc or DigitalMint Cyber, visit their website.
Lastly, if you're looking for a turnkey solution to help your organization adopt an incident response plan, a key element in any framework for improving critical cybersecurity infrastructure, get more information about Breach Plan Connect® from NetDiligence.