The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world.
New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.
The increase in average amounts reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with smaller and medium-sized businesses. This year's first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware's study was just $12,762, or less than a 10th of the current average.
"Ransomware is an economics-driven industry," says Bill Siegel, CEO and co-founder of Coveware. "Right now, the economics are very favorable to the cyber-criminals."
Coveware's data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and the resulting economic and disruption to go after businesses. The attacks resulted in downtimes of around 15 days on average for victims — down marginally from the previous quarter, but still disturbingly high, Coveware said. Many of the attacks involved data exfiltration as well.
Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware. But insecure Remote Desktop Protocol access points — which are available in dark markets for as little as $20 — are even more popular and continued to represent the most common ransomware attack vector last quarter. "Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist," Coveware said.
As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year's first quarter. Public sector entities, including schools and local governments — another top ransomware target in previous quarters — attracted a lot of attention in the first quarter of 2020 as well. But in a break from the pattern, almost 50% of the ransomware attacks in this category were directed at schools.
According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase their chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said.
Even as some threat actors stopped targeting healthcare entities, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.
The Payment Payoff
Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization should even consider paying a ransom is if the business would fail or falter if it doesn't, says Siegel. "It is the option of last resort only," Siegel says. "Only if your business is at risk of permanent damage because the data loss will be so severe" should a ransom be considered, he says.
Coveware's data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. Ninety-nine percent of businesses that paid a ransom last quarter got a working decryption tool for unlocking their data. The average data recovery rate with these keys itself though dipped modestly to 96% in the first quarter of 2020 compared with 97% in the prior quarter.
Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families — particularly Ryuk and Sodinokibi — have tended to target larger organizations. At the other end of the spectrum, some ransomware variants, such as Mespinosa and DeathHiddenTear, caused data loss when encrypting data and had decryption keys that were buggy as well.
- Ransomware Situation Goes From Bad to Worse
- Small Business Is Big Target for Ransomware
- This Is Not Your Father's Ransomware
- 7 Secure Remote Access Services for Today's Enterprise Needs
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.