Increased pressure and strategies implemented by law enforcement agencies and cybersecurity firms resulted in fewer businesses paying ransoms to cybercriminals during the second quarter of 2022, according to a new report published by the ransomware remediation company Coveware.

While the average ransom payment in the second quarter of 2022 was $228,125, an increase of 8% from the first quarter, the median ransom payment fell by 51% to $36,360.

This follows a declining trend that began in Q4 2021, when average and median ransomware payments peaked at $332,168 and $117,116, respectively.

According to Coveware, this trend represents the migration of RaaS affiliates and developers towards the mid-market, which is characterised by a risk-to-reward profile that is more consistent and poses less risk to the attackers than high-profile attacks.

The firm says there has also been a positive trend of major companies turning down negotiations when ransomware groups ask for absurdly high ransom payments.

With 16.9% of the publicised attacks, BlackCat was the most active ransomware organisation in the second quarter, followed by LockBit (13.1%), Hive (6.3%), Quantum (5.6%), and Conti V2 (5.6%).

Coveware says that, due to increasing scrutiny and action from law enforcement agencies, RaaS branding is now detrimental to affiliates looking to start an attack without having a lot of technical know-how. As a consequence, RaaS brands are now keeping a lower profile, and the vetting process for affiliates and victims is becoming more stringent.

DarkSide and Conti were taken down as a result of law enforcement action, according to Coveware. DarkSide was behind the attack on the Colonial Pipeline Company, where law enforcement was able to recover more than $2 million of the ransom paid by following the cryptocurrency trail.

According to Coveware, collective downtime dropped by 8% from the first to the second quarter of 2022, reaching an average of 24 days. The decline is the result of an increase in the number of ransomware attackers who are choosing to focus only on the data-leak model rather than on locking the victim’s machines. They just steal data and demand a payment in exchange.

Data exfiltration continues to be primarily driven by double extortion, which accounted for 86% of reported incidents in the second quarter.

Coveware emphasises that in many instances, threat actors maintained their extortion or disclosed the stolen information after collecting the ransom money.

Earlier, only a small number of ransomware variants were able to encrypt servers running operating systems other than Windows. But today, according to the report, nearly all RaaS variants have stable Windows, Linux, and ESXi versions and can target any server, regardless of operating system.

Much like government agencies, Coveware advises victims not to pay a ransom in exchange for promises about what attackers could do or in the interest of public relations.

US Energy Secretary Jennifer Granholm said in May last year: “We need to send this strong message that paying of ransomware only exacerbates and accelerates this problem.”

“You are encouraging the bad actors when that happens.”