Ransom payments fall as fewer victims choose to pay hackers

Extortion demand

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.

Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

Payments down

In Q2 2022, the average ransom payment was $228,125 (up by 8% from Q1 ‘22). However, the median ransom payment was $36,360, a steep fall of 51% compared to the previous quarter.

This continues a downward trend since Q4 2021, which represented a peak in ransomware payments both average ($332,168) and median ($117,116).

Ransom payment trendsRansom payment trends from 2018 to 2022 (Coveware)

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report.

“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.”

The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller yet financially healthy organizations to disrupt, the company says.

Size of organizations targeted by ransomware gangsSize of organizations targeted by ransomware gangs (Coveware)

In terms of the most active ransomware groups over the past quarter, statistics that Coveware collected show that BlackCat tops the list with 16.9% of the published attacks, followed by LockBit, which accounted for 13.1%.

Most active ransomware families in Q2 2022Most active ransomware families in Q2 2022 (Coveware)

Another new trend observed by Coveware is the creation of many smaller ransomware-as-a-service (RaaS) operations that draw affiliates from recently defunct syndicates and perform lower-tier, opportunistic attacks.

Data exfiltration

The double extortion method, which threatens with leaking files stolen before being encrypted, continued this quarter as 86% of the reported cases involved this tactic.

Coveware underlines that in many cases, despite receiving the ransom payment, the threat actors continued the extortion or leaked the stolen files anyway.

In multiple cases, data exfiltration was the main extortion method for many attackers, meaning that many of the incidents didn’t involve file encryption.

This resulted in the average downtime from ransomware attacks dropping to 24 days, an 8% decrease compared to Q1 2022.


  • NoneRain Photo NoneRain – 4 days ago

    The only way to work this out is to not pay at all.
    It’s about time to enterprise have good disaster plans.

  • EndangeredPootisBird Photo EndangeredPootisBird – 4 days ago

    Tell that to the greedy CEO’s who earn 250x more than the employees, and to the IT departments that spend millions on maintaining Endpoint Security and not on Zero Trust and Identity and Access Management.

  • Darkice Photo Darkice – 4 days ago

    The OP is right. If you don’t pay that ransom, and Nobody pays the ransom, it will not be a viable revenue stream. So hackers will stop because it has a zero payout. They will look for other means. Everything else is irrelevant.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.12 4M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 21,024 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 50,823 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 302,084 Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.0 2M+ Downloads


Related posts

New hacking group ‘Metador’ lurking in ISP networks for months

Sarah Henriquez

Trezor warns of massive crypto wallet phishing campaign

Sarah Henriquez

7 Stages of Application Testing: How to Automate for Continuous Security

Sarah Henriquez

Leave a Comment