Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/29/2020
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Average Ransomware Payments Soared in the First Quarter

Criminals extorting large amounts of money from big enterprises pulled up the overall average significantly compared with the fourth quarter of 2019, Coveware says.

The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world.

New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.

The increase in average amounts reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with smaller and medium-sized businesses. This year's first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware's study was just $12,762, or less than a 10th of the current average.

"Ransomware is an economics-driven industry," says Bill Siegel, CEO and co-founder of Coveware. "Right now, the economics are very favorable to the cyber-criminals."

Coveware's data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and the resulting economic and disruption to go after businesses. The attacks resulted in downtimes of around 15 days on average for victims — down marginally from the previous quarter, but still disturbingly high, Coveware said. Many of the attacks involved data exfiltration as well.

Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware. But insecure Remote Desktop Protocol access points — which are available in dark markets for as little as $20 — are even more popular and continued to represent the most common ransomware attack vector last quarter. "Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist," Coveware said.

As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year's first quarter. Public sector entities, including schools and local governments — another top ransomware target in previous quarters — attracted a lot of attention in the first quarter of 2020 as well. But in a break from the pattern, almost 50% of the ransomware attacks in this category were directed at schools.  

According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase their chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said.

Even as some threat actors stopped targeting healthcare entities, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.

The Payment Payoff
Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization should even consider paying a ransom is if the business would fail or falter if it doesn't, says Siegel. "It is the option of last resort only," Siegel says. "Only if your business is at risk of permanent damage because the data loss will be so severe" should a ransom be considered, he says.

Coveware's data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. Ninety-nine percent of businesses that paid a ransom last quarter got a working decryption tool for unlocking their data. The average data recovery rate with these keys itself though dipped modestly to 96% in the first quarter of 2020 compared with 97% in the prior quarter.

Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families — particularly Ryuk and Sodinokibi — have tended to target larger organizations. At the other end of the spectrum, some ransomware variants, such as Mespinosa and DeathHiddenTear, caused data loss when encrypting data and had decryption keys that were buggy as well.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...