It's clearly a great time for cybercriminals to be in the ransomware business.
New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double in ransom money from enterprise victims than they did in the previous quarter. By monetizing a mere 2% or so of their attacks, most ransomware operators were able to generate a sizable profit on their investments last quarter, Coveware estimates.
Coveware analyzed ransomware victim data collected from its incident response engagements as well as from IR firms using its platform, in the last three months of 2019. The data showed that average ransomware payments soared 104% from $41,198 in the third quarter to $84,116 in the fourth quarter. On average, a ransomware attack cost victim organizations some 16.2 days in downtime, compared to just 12.1 days in the third quarter of 2019.
Half of the victims who forked over a ransom paid $41,179 or less, while half paid more. At the high-end, some victims paid up to $780,000 to get the decryption keys for unlocking their data, while at the other end of the spectrum other victims paid as little as $1,500. The wide range in ransom demands and payments reflected the sheer diversity of the threat actors that were active last quarter, Coveware said in a report released Monday.
The doubling of the amount was surprising," says Bill Siegel, CEO and co-founder of Coveware. "I think we expected it to rise, but had not expected the impact of large enterprise attacks to pull the average up as much as it did."
Coveware's report is one of several in recent weeks that have highlighted a disturbing increase in ransomware attacks on enterprise organizations. A lot of it appears to be driven by the willingness of many victims to negotiate with attackers rather than attempting to restore data on their own. Security experts and law enforcement officials have been strongly advocating the latter, advising organizations against paying the attackers.
In many cases, attackers have begun sharply ratcheting up the pressure on victims by exfiltrating data before encrypting it and then threatening to leak the data publicly if it's not paid. According to Coveware, prior to the fourth quarter less than 5% of enterprise cyber-extortion incidents involved data exfiltration and exposure. But such incidents are now steadily increasing. The trend more or less began in summer 2019 with malware strains like BitPaymer derivative DopplePaymer, Maze, and more recently, Sodinokibi.
"Cybercrime is a business, and when a ransomware group can acquire victims cheaply and repeatedly, they will keep doing so," Siegel says. Nearly six in 10 attacks last quarter (57%) were enabled through the use of stolen Remote Desktop Protocol (RDP) credentials, which are available in underground markets for less than $100, he notes. "This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cybercrime, so it marches on."
A Proofpoint survey of more than 600 security professionals around the world showed that slightly more than half of all organizations infected with ransomware in 2019 elected to pay the demanded ransom. Sixty-nine percent got their data back after the initial payment; 22% were not able to regain access to locked-up data and systems; 9% got hit with additional demands, and 2% ended up paying a higher amount than the initial demand.
A Dicey Proposition
Coveware's data, meanwhile, showed that 98% of victims that paid the demanded ransom received a working decryption tool. On average, companies that received a decryptor were able to recover about 97% of their locked data.
Generally, organizations that had to deal with the more sophisticated ransomware operators — such as those behind the highly prolific Ryuk and Sodinikibi strains— stood a much higher chance of getting their data back after paying a ransom. Groups associated with ransomware such as Rapid, Phobos and Mr.Dec —generally targeted at smaller organizations — tended to have higher default rates. Victims of these strains were at much higher risk of not getting their data back even after a ransom payment, Coverware found.
Companies with no backups, or those with compromised backups that don't have the ability to get their business back any other way, are often the ones that end up choosing to make a ransom payment, Siegel says. That's the only reason to even contemplate negotiations. Those who think paying a ransom will help make recovery faster are making a big mistake, he says.
"In our experience that is absolutely false, and in practice it does not happen," Siegel says. "Once companies realize the extent of the remediation work necessary just to cleanse their production network, such that you could safely decrypt it, they realize that on a risk and time adjusted basis, restoring from backups is always a better option."
RiskSense CEO Srinivas Mukkamala, whose company just launched a service to help organizations identify exposure to specific ransomware strains, says paying ransoms can be a dicey proposition. There have been numerous incidents where the key supplied by attackers after making a payment does not work, he says. Also, "paying the ransom obviously funds the industrial complex the bad guys are building, so we’re not fans of that," he notes.
At the same time, the backup often has the same vulnerability that enabled the ransomware attack to occur in the first place, so there's a danger the same vulnerability could be exploited again, he says.
"The best possible path is great up-front hygiene to patch systems such that known ransomware can't execute," Mukkamala says.