By Bill Toulas

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.

Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

Payments down

In Q2 2022, the average ransom payment was $228,125 (up by 8% from Q1 ‘22). However, the median ransom payment was $36,360, a steep fall of 51% compared to the previous quarter.Malicious browser extensions targeted almost 7 million people

This continues a downward trend since Q4 2021, which represented a peak in ransomware payments both average ($332,168) and median ($117,116).

Ransom payment trends
Ransom payment trends from 2018 to 2022 (Coveware)

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report.

“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.”

The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller yet financially healthy organizations to disrupt, the company says.

Size of organizations targeted by ransomware gangs
Size of organizations targeted by ransomware gangs (Coveware)

In terms of the most active ransomware groups over the past quarter, statistics that Coveware collected show that BlackCat tops the list with 16.9% of the published attacks, followed by LockBit, which accounted for 13.1%.

Most active ransomware families in Q2 2022
Most active ransomware families in Q2 2022 (Coveware)

Another new trend observed by Coveware is the creation of many smaller ransomware-as-a-service (RaaS) operations that draw affiliates from recently defunct syndicates and perform lower-tier, opportunistic attacks.

Data exfiltration

The double extortion method, which threatens with leaking files stolen before being encrypted, continued this quarter as 86% of the reported cases involved this tactic.

Coveware underlines that in many cases, despite receiving the ransom payment, the threat actors continued the extortion or leaked the stolen files anyway.