Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:10 PM
Connect Directly

Average Ransomware Payments Soared in the First Quarter

Criminals extorting large amounts of money from big enterprises pulled up the overall average significantly compared with the fourth quarter of 2019, Coveware says.

The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world.

New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.

The increase in average amounts reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with smaller and medium-sized businesses. This year's first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware's study was just $12,762, or less than a 10th of the current average.

"Ransomware is an economics-driven industry," says Bill Siegel, CEO and co-founder of Coveware. "Right now, the economics are very favorable to the cyber-criminals."

Coveware's data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and the resulting economic and disruption to go after businesses. The attacks resulted in downtimes of around 15 days on average for victims — down marginally from the previous quarter, but still disturbingly high, Coveware said. Many of the attacks involved data exfiltration as well.

Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware. But insecure Remote Desktop Protocol access points — which are available in dark markets for as little as $20 — are even more popular and continued to represent the most common ransomware attack vector last quarter. "Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist," Coveware said.

As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year's first quarter. Public sector entities, including schools and local governments — another top ransomware target in previous quarters — attracted a lot of attention in the first quarter of 2020 as well. But in a break from the pattern, almost 50% of the ransomware attacks in this category were directed at schools.  

According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase their chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said.

Even as some threat actors stopped targeting healthcare entities, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.

The Payment Payoff
Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization should even consider paying a ransom is if the business would fail or falter if it doesn't, says Siegel. "It is the option of last resort only," Siegel says. "Only if your business is at risk of permanent damage because the data loss will be so severe" should a ransom be considered, he says.

Coveware's data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. Ninety-nine percent of businesses that paid a ransom last quarter got a working decryption tool for unlocking their data. The average data recovery rate with these keys itself though dipped modestly to 96% in the first quarter of 2020 compared with 97% in the prior quarter.

Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families — particularly Ryuk and Sodinokibi — have tended to target larger organizations. At the other end of the spectrum, some ransomware variants, such as Mespinosa and DeathHiddenTear, caused data loss when encrypting data and had decryption keys that were buggy as well.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...