Dark Reading is part of the Informa Tech Division of Informa PLC
Average Ransomware Payments More Than Doubled in Q4 2019

Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.

It's clearly a great time for cybercriminals to be in the ransomware business.

New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double the ransom money from enterprise victims that they did in the previous quarter. By monetizing a mere 2% or so of their attacks, most ransomware operators were able to generate a sizable profit on their investments last quarter, Coveware estimates.

Coveware analyzed ransomware victim data collected in the last three months of 2019 from its own incident response engagements as well as from IR firms using its platform. The data showed that average ransomware payments soared 104%, from $41,198 in the third quarter to $84,116 in the fourth quarter. On average, a ransomware attack cost victim organizations some 16.2 days in downtime, compared to just 12.1 days in the third quarter of 2019.

Half of the victims who forked over a ransom paid $41,179 or less, while half paid more. At the high end, some victims paid up to $780,000 to get the decryption keys for unlocking their data, while at the other end of the spectrum other victims paid as little as $1,500. The wide range in ransom demands and payments reflected the sheer diversity of the threat actors that were active last quarter, Coveware said in a report released Monday.

"The doubling of the amount was surprising," says Bill Siegel, CEO and co-founder of Coveware. "I think we expected it to rise, but had not expected the impact of large enterprise attacks to pull the average up as much as it did."

Coveware's report is one of several in recent weeks that have highlighted a disturbing increase in ransomware attacks on enterprise organizations. A lot of it appears to be driven by the willingness of many victims to negotiate with attackers rather than attempting to restore data on their own. Security experts and law enforcement officials have been strongly advocating the latter, advising organizations against paying the attackers.

In many cases, attackers have begun sharply ratcheting up the pressure on victims by exfiltrating data before encrypting it and then threatening to leak the data publicly if the ransom is not paid. According to Coveware, prior to the fourth quarter less than 5% of enterprise cyber-extortion incidents involved data exfiltration and exposure. But such incidents are now steadily increasing. The trend more or less began in summer 2019 with malware strains like the BitPaymer derivative DoppelPaymer, Maze, and more recently, Sodinokibi.

"Cybercrime is a business, and when a ransomware group can acquire victims cheaply and repeatedly, they will keep doing so," Siegel says. Nearly six in 10 attacks last quarter (57%) were enabled through the use of stolen Remote Desktop Protocol (RDP) credentials, which are available in underground markets for less than $100, he notes. "This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cybercrime, so it marches on."

A Proofpoint survey of more than 600 security professionals around the world showed that slightly more than half of all organizations infected with ransomware in 2019 elected to pay the demanded ransom. Sixty-nine percent got their data back after the initial payment; 22% were not able to regain access to locked-up data and systems; 9% got hit with additional demands, and 2% ended up paying a higher amount than the initial demand.

A Dicey Proposition

Coveware's data, meanwhile, showed that 98% of victims that paid the demanded ransom received a working decryption tool. On average, companies that received a decryptor were able to recover about 97% of their locked data.

Generally, organizations that had to deal with the more sophisticated ransomware operators, such as those behind the highly prolific Ryuk and Sodinokibi strains, stood a much higher chance of getting their data back after paying a ransom. Groups associated with ransomware such as Rapid, Phobos, and Mr.Dec, which generally targeted smaller organizations, tended to have higher default rates. Victims of these strains were at much higher risk of not getting their data back even after a ransom payment, Coveware found.

Companies with no backups, or with compromised backups, that have no other way to get their business back are often the ones that end up choosing to make a ransom payment, Siegel says. That's the only reason to even contemplate negotiations. Those who think paying a ransom will make recovery faster are making a big mistake, he says.

"In our experience that is absolutely false, and in practice it does not happen," Siegel says. "Once companies realize the extent of the remediation work necessary just to cleanse their production network, such that you could safely decrypt it, they realize that on a risk and time adjusted basis, restoring from backups is always a better option."

RiskSense CEO Srinivas Mukkamala, whose company just launched a service to help organizations identify exposure to specific ransomware strains, says paying ransoms can be a dicey proposition. There have been numerous incidents where the key supplied by attackers after a payment does not work, he says. Also, "paying the ransom obviously funds the industrial complex the bad guys are building, so we're not fans of that," he notes.

At the same time, the backup often has the same vulnerability that enabled the ransomware attack to occur in the first place, so there's a danger the same vulnerability could be exploited again, he says.

"The best possible path is great up-front hygiene to patch systems such that known ransomware can't execute," Mukkamala says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
1/28/2020 | 11:36:08 AM
Needs editing
What do you have against paragraphs?  That posting is almost unreadable.