Incident Response Firm Reports 25% of Victims Paid – Typically for a Decryptor

The share of organizations opting to pay extortion after being hit by ransomware dropped to an all-time low of 25%.
Incident response firm Coveware says the figure is drawn from data collected across thousands of cases it helped investigate in the final three months of 2024. By comparison, roughly a third of victim organizations paid during the third quarter of 2024.
Underpinning the drop is a combination of better defenses, improved business resilience – including more robust backup and recovery capabilities – as well as organizations simply deciding to not pay criminals.
What likely also helped: High-profile disruptions of ransomware groups and affiliated cybercrime-as-a-service offerings by law enforcement. Police, last year, unmasked and trolled operators and affiliates, turning their psychological shakedown moves against them. This may have soured the business model for some operators and affiliates, as well as undercut extortionists’ ability to scare victims (see: Police Doxing of Criminals Raising Ransomware-Attack Stakes).
Further evidence that these collective measures are taking a bite out of crime: the median ransomware payment fell by 45% between the third and fourth quarters of 2024, from $200,000 to $110,890, Coveware found.
Not all is good news. Cases involving data exfiltration – whether as the sole objective or as part of a broader attack – rose from 76% to 87% of incidents during the last three months of 2024. This may reflect declining returns from encryption alone, and increasing pressure on attackers to find some other way to turn a profit.
Comparing the third to fourth quarter of last year, Coveware found that the percentage of exfiltration-only victims who paid a ransom – in return for a promise from attackers to delete stolen data – rose from 28% to 41%. Still, exfiltration-only attacks comprised a smaller proportion of cases than incidents that involved encryption, oftentimes combined with exfiltration.
Security experts regularly advise victims to never pay a ransom for anything intangible, such as a pledge to delete stolen data. There is no evidence in the history of ransomware that criminals have ever honored such a promise, while evidence of them doing precisely the opposite abounds (see: PowerSchool’s Breach Fallacy: Paying Criminals for Promises).
“Payments continue to remain primarily a last-resort option for those who have no alternative to recover critical data,” Coveware said.
Even when victims pay for something tangible – namely, a decryptor – experts continue to caution that they may still get less than they bargained for. “Faulty decryption tools from both new and old ransomware strains and mounting distrust of threat actors’ ability to honor assurances compound to drive victims away from the table, unless they have no other option,” Coveware said.
Anything that undermines ransomware as a business model, souring criminals' incentives for embracing it, is to be celebrated. Of course, ransomware groups have a reputation for innovation, driven by the pursuit of ransom payoffs that might reach eight figures, no matter the societal cost.
“Threat actors are constantly refining their tactics, leveraging AI, SEO manipulation, and advanced social engineering to enhance remote access compromises and phishing attacks, making them more sophisticated and difficult to detect,” Coveware said. Some groups have also refined their ability to bypass some types of multifactor authentication, and increasingly adopted voice phishing and SMS phishing tactics.
The leading attack vectors Coveware saw at the end of last year were phishing and remote access compromise – oftentimes achieved via phishing – followed distantly by the exploitation of software vulnerabilities. The latter include the Clop, aka Cl0p, group's mass exploitation of managed file-transfer software built by Cleo Communications.
While the Clop attacks didn't involve encryption, encryption featured in 85% of the cases Coveware investigated from October to December 2024, up from 76% in the preceding three months, and largely involved attackers encrypting the file systems of VMware ESXi hypervisors, where a single host can hold many virtual machines.
This popular tactic isn't new: Microsoft warned last summer that from 2021 to 2024, its incident response teams tracked a three-fold increase in attacks targeting ESXi hypervisors. The technology giant noted that groups such as Akira, Black Basta, Babuk, LockBit and Kuiper had either added support for, or built directly into their ransomware, the ability to crypto-lock ESXi systems.
Akira was the most-seen strain of ransomware, tied to 11% of incidents Coveware investigated from October to December 2024, a share matched by the Fog group. They were followed by the likes of RansomHub, Lone Wolf, Medusa and Blacksuit, and then BianLian and Black Basta (see: Ransomware Leak Sites Suggest Attacks Reached Record High).
Unusually for ransomware groups, “Akira has managed to avoid the market fluctuations that impact other groups and whether or not it’s intentional, their general avoidance of the healthcare sector and critical infrastructure has kept them out of the headlines that have thrust other big-game hunters into the media spotlight,” Coveware said.