Dark Reading is part of the Informa Tech Division of Informa PLC
Risk

1/27/2020
06:30 PM

Average Ransomware Payments More Than Doubled in Q4 2019

Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.

It's clearly a great time for cybercriminals to be in the ransomware business.

New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double in ransom money from enterprise victims than they did in the previous quarter. By monetizing a mere 2% or so of their attacks, most ransomware operators were able to generate a sizable profit on their investments last quarter, Coveware estimates.

Coveware analyzed ransomware victim data collected from its incident response engagements as well as from IR firms using its platform, in the last three months of 2019. The data showed that average ransomware payments soared 104% from $41,198 in the third quarter to $84,116 in the fourth quarter. On average, a ransomware attack cost victim organizations some 16.2 days in downtime, compared to just 12.1 days in the third quarter of 2019.

Half of the victims who forked over a ransom paid $41,179 or less, while half paid more. At the high-end, some victims paid up to $780,000 to get the decryption keys for unlocking their data, while at the other end of the spectrum other victims paid as little as $1,500. The wide range in ransom demands and payments reflected the sheer diversity of the threat actors that were active last quarter, Coveware said in a report released Monday.

"The doubling of the amount was surprising," says Bill Siegel, CEO and co-founder of Coveware. "I think we expected it to rise, but had not expected the impact of large enterprise attacks to pull the average up as much as it did."

Coveware's report is one of several in recent weeks that have highlighted a disturbing increase in ransomware attacks on enterprise organizations. A lot of it appears to be driven by the willingness of many victims to negotiate with attackers rather than attempting to restore data on their own. Security experts and law enforcement officials have been strongly advocating the latter, advising organizations against paying the attackers.

In many cases, attackers have begun sharply ratcheting up the pressure on victims by exfiltrating data before encrypting it and then threatening to leak the data publicly if the ransom is not paid. According to Coveware, prior to the fourth quarter less than 5% of enterprise cyber-extortion incidents involved data exfiltration and exposure. But such incidents are now steadily increasing. The trend more or less began in summer 2019 with malware strains like the BitPaymer derivative DopplePaymer, Maze, and more recently, Sodinokibi.

"Cybercrime is a business, and when a ransomware group can acquire victims cheaply and repeatedly, they will keep doing so," Siegel says. Nearly six in 10 attacks last quarter (57%) were enabled through the use of stolen Remote Desktop Protocol (RDP) credentials, which are available in underground markets for less than $100, he notes. "This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cybercrime, so it marches on."

A Proofpoint survey of more than 600 security professionals around the world showed that slightly more than half of all organizations infected with ransomware in 2019 elected to pay the demanded ransom. Sixty-nine percent got their data back after the initial payment; 22% were not able to regain access to locked-up data and systems; 9% got hit with additional demands, and 2% ended up paying a higher amount than the initial demand.

A Dicey Proposition

Coveware's data, meanwhile, showed that 98% of victims that paid the demanded ransom received a working decryption tool. On average, companies that received a decryptor were able to recover about 97% of their locked data.

Generally, organizations that had to deal with the more sophisticated ransomware operators, such as those behind the highly prolific Ryuk and Sodinokibi strains, stood a much higher chance of getting their data back after paying a ransom. Groups associated with ransomware such as Rapid, Phobos, and Mr.Dec, which generally targeted smaller organizations, tended to have higher default rates. Victims of these strains were at much higher risk of not getting their data back even after a ransom payment, Coveware found.

Companies with no backups, or those with compromised backups that don't have the ability to get their business back any other way, are often the ones that end up choosing to make a ransom payment, Siegel says. That's the only reason to even contemplate negotiations. Those who think paying a ransom will help make recovery faster are making a big mistake, he says.

"In our experience that is absolutely false, and in practice it does not happen," Siegel says. "Once companies realize the extent of the remediation work necessary just to cleanse their production network, such that you could safely decrypt it, they realize that on a risk and time adjusted basis, restoring from backups is always a better option."

RiskSense CEO Srinivas Mukkamala, whose company just launched a service to help organizations identify exposure to specific ransomware strains, says paying ransoms can be a dicey proposition. There have been numerous incidents where the key supplied by attackers after making a payment does not work, he says. Also, "paying the ransom obviously funds the industrial complex the bad guys are building, so we're not fans of that," he notes.

At the same time, the backup often has the same vulnerability that enabled the ransomware attack to occur in the first place, so there's a danger the same vulnerability could be exploited again, he says.

"The best possible path is great up-front hygiene to patch systems such that known ransomware can't execute," Mukkamala says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe, User Rank: Ninja, 1/31/2020 | 6:49:50 PM
Re: Patch
I think a combination of both is appropriate. Patching needs to be constant, and it's always a race condition between when the vendor releases the patch and when an exploit is written for the vulnerability. Ransomware especially, in many cases, doesn't exploit a system vulnerability but rather exploits the human element. That's why I think both are needed to best protect from these types of attacks.

RyanSepe, User Rank: Ninja, 1/31/2020 | 6:48:10 PM
Re: Backup
Agreed. It's also very important to test your backups. I've seen so many backup "programs" remain untested, and when it finally came time to restore there were difficulties.

RyanSepe, User Rank: Ninja, 1/31/2020 | 6:47:06 PM
Re: $80K
These are steep increases. If that trend is to continue, ransomware will have to offer payment or installment plans like a mortgage.

RyanSepe, User Rank: Ninja, 1/31/2020 | 6:45:45 PM
Re: Enterprises
I would say emphatically, yes, we have not learned our lesson. This is the reason why cybercrime is becoming more profitable year after year. We continually repeat the same mistakes.

mf52, User Rank: Apprentice, 1/29/2020 | 10:08:33 PM
Re: Needs editing
They fixed it about six hours after I posted my comment. It was originally just one big paragraph.

Dr.T, User Rank: Ninja, 1/29/2020 | 9:32:45 PM
Patch
"The best possible path is great up-front hygiene to patch systems such that known ransomware can't execute." I agree. Patching is the best approach, I would say. Backups are not ultimate solutions.

Dr.T, User Rank: Ninja, 1/29/2020 | 9:29:26 PM
Backup
"Companies with no backups, or those with compromised backups that don't have the ability to get their business back any other way, are often the ones that end up choosing to make a ransom payment." Without backup, not only ransomware but other risks are involved too. You may lose data because of data corruption.

Dr.T, User Rank: Ninja, 1/29/2020 | 9:26:33 PM
$80K
"The data showed that average ransomware payments soared 104% from $41,198 in the third quarter to $84,116 in the fourth quarter." That is a good number; not everybody earns that much per year in IT.

Dr.T, User Rank: Ninja, 1/29/2020 | 9:24:01 PM
Re: Needs editing
I see paragraphs well structured, maybe it is different in different screen sizes.

Dr.T, User Rank: Ninja, 1/29/2020 | 9:21:48 PM
Enterprises
"New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double in ransom money from enterprise victims than they did in the previous quarter." Does this mean we do not learn our lessons? If money collected increases, that will create a new industry.
