Are Ransomware Victims Paying Less? Insights from the Latest Stay Ahead of Ransomware Live Stream

In this month's reboot of the SANS Stay Ahead of Ransomware live stream, we dove deep into one of the most pressing questions in cyber extortion today: Are ransomware victims paying more or less often, and what factors drive these trends?

Joined by special guest Allan Liska, aka the “Ransomware Sommelier” from Recorded Future, we discussed the complexities surrounding ransom demands, payments, and the shifting tactics of cyber extortion groups.

Are Ransomware Attacks Increasing?

We kicked off the stream by reviewing some interesting data. While statistics show a significant increase in posts on ransomware groups' data leak sites (DLS) in early 2025 compared to previous years, we noted that this doesn't automatically equate to more successful attacks overall.

A key factor is the rise of data-leak-only attacks, where threat actors steal data and threaten to release it without encrypting systems. We discussed how this blurs the lines of traditional ransomware and how the term "cyber extortion" (which we use in our FOR528 course title) better captures the full scope of these incidents. Allan noted that an increase in DLS posts could indicate that fewer victims are paying the initial ransom, forcing actors to follow through on their leak threats more often.

Ransomware Payment Trends

Despite the noise on DLS sites, we explored compelling evidence suggesting a decline in actual ransom payments. We highlighted reports from both Coveware and Chainalysis:

• Coveware Q4 2024 data showed a significant drop (around 45%) in the median ransomware payment compared to previous quarters.
• Chainalysis 2024 analysis revealed a notable year-over-year decrease in the total value of cryptocurrency flowing to known ransomware wallets, despite a spike in 2023.

We discussed what may have attributed to this potential decline:

• Major Law Enforcement Takedowns:  Disruptions like those targeting LockBit and Blackcat (ALPHV) disrupted the ecosystem.
• Increased Sanctions: Sanction actions against groups make paying legally difficult, if not outright illegal, for victims to pay.
• Affiliate Dispersal: Takedowns have scattered affiliates, leading to the rise of new, potentially less organized groups and numerous "lone wolf" attackers, changing the dynamics.
• Growing Awareness: Organizations may realize that paying doesn't guarantee quick recovery or data deletion. We discussed examples like the HSE Ireland and Colonial Pipeline attacks, where decryption was painfully slow even after payment, and leaks from Conti and Black Basta revealed actors often kept data they promised to delete.

We addressed whether the changing landscape means attackers are shifting focus. Allan confirmed increased attacks targeting small-to-medium businesses (SMBs) and mid-market organizations. These groups are often more vulnerable due to fewer security resources and lack of robust backups, potentially making them more likely to pay smaller ransoms.Phishing and Social Engineering Remain Dominant: Allan noted the use of AI to craft more convincing phishing messages in diverse languages, targeting previously less-attacked regions. We also discussed the rise of sophisticated social engineering, like the "ClickFix" technique, which tricks users into executing malicious commands via the Windows Run prompt (Windows+R, Ctrl+V, Enter). Allan also mentioned AI voice-changing technology, enabling more convincing phone-based social engineering scams globally. Initial Infection Vectors

Initial access methods remain critical. While traditional vectors like remote desktop protocol (RDP) and software vulnerabilities persist, we highlighted:

• Leaked Credentials & InfoStealers: We discussed the problem of readily available leaked credentials, fueled by info-stealing malware often spread via phishing.
• Phishing and Social Engineering Remain Dominant: Allan noted the use of AI to craft more convincing phishing messages in diverse languages, targeting previously less-attacked regions. We also discussed the rise of sophisticated social engineering, like the "ClickFix" technique, which tricks users into executing malicious commands via the Windows Run prompt (Windows+R, Ctrl+V, Enter). Allan also mentioned AI voice-changing technology, enabling more convincing phone-based social engineering scams globally.
• We noted that threat actors are moving faster and have significantly reduced dwell times, making rapid detection and response more critical than ever.

Make sure to join us on the first Tuesday of next month at 1:00 PM Eastern and mark your calendars for our upcoming SANS events:

SANS Ransomware Summit 2025 – May 30

SANS DFIR Summit 2025 – July