[TIMESTAMP: 2026-02-26 16:27 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

Ransomware Payment Rates Hit All-Time Low Despite Surge in Attacks

AI-Assisted Analysis

Executive Summary

New intelligence indicates a significant shift in the ransomware economy. According to BleepingComputer, the percentage of ransomware victims who succumbed to payment demands dropped to a record low of 28% in late 2023. This decline represents a massive shift from 2019, when approximately 85% of victims paid. This trend persists even as the total volume of claimed attacks continues to rise, suggesting that while threat actors are increasing their operational tempo, their financial conversion rate is diminishing.

Analysis of Declining Payment Rates

The downward trajectory in ransom payments is driven by a combination of improved organizational resilience, loss of trust in threat actor promises, and heightened regulatory scrutiny.

Improved Recovery Capabilities

Organizations have significantly improved their incident response (IR) and disaster recovery posture over the last five years. The widespread adoption of resilient backup architectures—specifically immutable, off-site, and air-gapped solutions—has fundamentally altered the leverage held by attackers. When a victim organization can restore operations from backups without a decryption key, the operational necessity to pay a ransom is largely eliminated.

Erosion of Threat Actor Credibility

There is a growing realization within the security community that paying a ransom does not guarantee a favorable outcome. Threat intelligence reports, including those from Coveware, demonstrate that threat actors frequently fail to delete exfiltrated data or provide a working decryptor even after payment is received. The rise of ‘double’ and ‘triple’ extortion—where data is encrypted, exfiltrated, and used to harass clients or partners—has made it clear that payment is no longer a reliable method for mitigating risk.

Governmental agencies, such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), have intensified their focus on ransomware payments. Organizations now face significant legal risks if they facilitate payments to sanctioned entities or threat groups associated with state-sponsored activity. Furthermore, mandatory breach notification laws make it increasingly difficult for organizations to resolve incidents privately, removing the incentive to pay for the sake of ‘discretion.’

Evolution of Attacker Tactics

In response to declining payment rates, threat actors are pivoting their strategies. The industry has observed a record number of victims posted to data leak sites, indicating that attackers are casting a wider net to find the few remaining organizations willing to pay.

Many groups are now abandoning the encryption phase entirely, focusing solely on data exfiltration and extortion. This shift reduces the technical overhead for the attacker while targeting the victim’s reputational risk and potential regulatory fines under frameworks like GDPR or CCPA. By threatening to leak sensitive intellectual property or personally identifiable information (PII), attackers aim to create a crisis that backups alone cannot solve.

Strategic Recommendations for Defenders

Security leadership should prioritize investments that address both operational disruption and data exposure risks.

Data-Centric Security

Because attackers are prioritizing exfiltration, defenders should focus on data loss prevention (DLP) and encryption at rest for sensitive datasets. Monitoring for large-volume data transfers to unauthorized cloud storage providers or anomalous IP addresses is a priority for early detection.
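The transfer monitoring described above can be sketched as an hourly aggregation over egress proxy records. This is an added example, not code from the original article; the log layout, the approved-domain list, the 500 MiB threshold and all host names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions (hypothetical): sanctioned storage domains and the alert threshold.
APPROVED_DOMAINS = {"storage.corp.example"}
THRESHOLD_BYTES = 500 * 1024 * 1024  # per source/destination pair, per hour

# Constructed sample records: timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2026-02-26T01:05:00 ws-114 storage.corp.example 734003200
2026-02-26T01:10:00 fs-02 files.unknown-share.example 314572800
2026-02-26T01:40:00 fs-02 files.unknown-share.example 314572800
2026-02-26T02:15:00 fs-02 files.unknown-share.example 104857600
2026-02-26T03:00:00 ws-220 storage.corp.example.drop.example 629145600
2026-02-26T03:20:00 ws-310 203.0.113.50 10485760
"""

def is_approved(dest):
    """Match on a label boundary so 'storage.corp.example.drop.example' is not approved."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in APPROVED_DOMAINS)

def find_bulk_egress(log_text, threshold=THRESHOLD_BYTES):
    """Return sorted (hour, src, dest, total_bytes) for unapproved destinations over threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than abort the run
        ts, src, dest, sent = parts
        if is_approved(dest):
            continue
        try:
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")
        except ValueError:
            continue  # unparseable timestamp
        # Sum per hour so several medium-sized uploads are counted together.
        totals[(hour, src, dest)] += int(sent)
    return sorted((h, s, d, b) for (h, s, d), b in totals.items() if b >= threshold)

if __name__ == "__main__":
    for hour, src, dest, sent in find_bulk_egress(SAMPLE_LOG):
        print(f"{hour} {src} -> {dest}: {sent / 2**20:.0f} MiB")
```

Summing per hour catches the two 300 MiB uploads from fs-02 that would each pass a per-request limit, and the label-boundary match keeps a lookalike host name from inheriting the approved domain's trust.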

Resilience and Restoration Drills

Recovery capabilities must be validated through regular restoration drills. A backup is only as good as its last successful recovery test. Organizations should measure their ‘Time to Recover’ (TTR) to ensure it meets business continuity requirements without the need for external decryption tools.

Incident Response Playbooks

IR plans must be updated to include specific workflows for non-payment scenarios. This involves early coordination with legal counsel to navigate disclosure requirements and preparing public relations strategies to manage the fallout of potential data leaks. Engagement with law enforcement, such as the FBI or local cybersecurity authorities, should be a standard component of the response process.