Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:10 PM
Connect Directly

Average Ransomware Payments Soared in the First Quarter

Criminals extorting large amounts of money from big enterprises pulled up the overall average significantly compared with the fourth quarter of 2019, Coveware says.

The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world.

New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.

The increase in average amounts reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with smaller and medium-sized businesses. This year's first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware's study was just $12,762, or less than a 10th of the current average.

"Ransomware is an economics-driven industry," says Bill Siegel, CEO and co-founder of Coveware. "Right now, the economics are very favorable to the cyber-criminals."

Coveware's data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and the resulting economic and disruption to go after businesses. The attacks resulted in downtimes of around 15 days on average for victims — down marginally from the previous quarter, but still disturbingly high, Coveware said. Many of the attacks involved data exfiltration as well.

Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware. But insecure Remote Desktop Protocol access points — which are available in dark markets for as little as $20 — are even more popular and continued to represent the most common ransomware attack vector last quarter. "Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist," Coveware said.

As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year's first quarter. Public sector entities, including schools and local governments — another top ransomware target in previous quarters — attracted a lot of attention in the first quarter of 2020 as well. But in a break from the pattern, almost 50% of the ransomware attacks in this category were directed at schools.  

According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase their chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said.

Even as some threat actors stopped targeting healthcare entities, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.

The Payment Payoff
Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization should even consider paying a ransom is if the business would fail or falter if it doesn't, says Siegel. "It is the option of last resort only," Siegel says. "Only if your business is at risk of permanent damage because the data loss will be so severe" should a ransom be considered, he says.

Coveware's data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. Ninety-nine percent of businesses that paid a ransom last quarter got a working decryption tool for unlocking their data. The average data recovery rate with these keys itself though dipped modestly to 96% in the first quarter of 2020 compared with 97% in the prior quarter.

Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families — particularly Ryuk and Sodinokibi — have tended to target larger organizations. At the other end of the spectrum, some ransomware variants, such as Mespinosa and DeathHiddenTear, caused data loss when encrypting data and had decryption keys that were buggy as well.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
PUBLISHED: 2020-12-01
ManageOne versions,,,, ,, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...