Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:10 PM
Connect Directly

Average Ransomware Payments Soared in the First Quarter

Criminals extorting large amounts of money from big enterprises pulled up the overall average significantly compared with the fourth quarter of 2019, Coveware says.

The ransomware economy continues to boom even as the COVID-19 pandemic wreaks havoc on businesses around the world.

New data from Coveware on ransomware attacks in the first quarter of this year showed that compared with the fourth quarter of 2019, median ransomware payments held relatively steady at around $44,000, but average payments soared 33% to $111,605.

The increase in average amounts reflected the significantly bigger ransom payments that large enterprises paid last quarter to get their data back, compared with smaller and medium-sized businesses. This year's first quarter marks the seventh straight quarter that average payments have increased. As recently as the first quarter of 2019, the average ransom payment in Coveware's study was just $12,762, or less than a 10th of the current average.

"Ransomware is an economics-driven industry," says Bill Siegel, CEO and co-founder of Coveware. "Right now, the economics are very favorable to the cyber-criminals."

Coveware's data shows that ransomware attacks increased across the board last quarter as threat actors took advantage of the pandemic and the resulting economic and disruption to go after businesses. The attacks resulted in downtimes of around 15 days on average for victims — down marginally from the previous quarter, but still disturbingly high, Coveware said. Many of the attacks involved data exfiltration as well.

Phishing emails are often perceived to be the most favored mechanism for attackers to drop ransomware. But insecure Remote Desktop Protocol access points — which are available in dark markets for as little as $20 — are even more popular and continued to represent the most common ransomware attack vector last quarter. "Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist," Coveware said.

As in previous quarters, small professional services firms such as law firms, managed service providers, and accounting firms were the most heavily targeted and accounted for nearly 20% of all ransomware attacks that Coveware encountered in this year's first quarter. Public sector entities, including schools and local governments — another top ransomware target in previous quarters — attracted a lot of attention in the first quarter of 2020 as well. But in a break from the pattern, almost 50% of the ransomware attacks in this category were directed at schools.  

According to Coveware, ransomware purveyors typically have tended to attack schools in summer to increase their chances of getting victims to pay up before schools reopen. The uncharacteristic volume of attacks against school districts in the first quarter suggests that threat actors were trying to take advantage of the hasty move to distance learning that schools had to implement in response to COVID-19, Coveware said.

Even as some threat actors stopped targeting healthcare entities, others continued going after them, making healthcare the second most heavily targeted sector after professional services firms.

The Payment Payoff
Security experts have strongly advocated against organizations paying a ransom to get back access to their encrypted data and systems. Many believe that ransom payments only encourage more attacks and more threat actors. In fact, the only reason an organization should even consider paying a ransom is if the business would fail or falter if it doesn't, says Siegel. "It is the option of last resort only," Siegel says. "Only if your business is at risk of permanent damage because the data loss will be so severe" should a ransom be considered, he says.

Coveware's data suggests that when organizations do end up acceding to a ransom demand, their chances of a good outcome remain fairly high. Ninety-nine percent of businesses that paid a ransom last quarter got a working decryption tool for unlocking their data. The average data recovery rate with these keys itself though dipped modestly to 96% in the first quarter of 2020 compared with 97% in the prior quarter.

Coveware found that enterprises stood a better chance of recovering their data when dealing with the operators of some of the top ransomware families such as Ryuk, Sodinokibi, and Phobos. The operators of these families — particularly Ryuk and Sodinokibi — have tended to target larger organizations. At the other end of the spectrum, some ransomware variants, such as Mespinosa and DeathHiddenTear, caused data loss when encrypting data and had decryption keys that were buggy as well.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/30/2020 | 11:25:35 AM
Still in Amazement
I'm still in amazement at the amount of companies that don't have a viable backup plan to mitigate ransomware extortion. We have progressed to the point where now there are cost effective solutions for the consumer so as a business it is just irresponsible at this point.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...