Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

Average Ransomware Payments More Than Doubled in Q4 2019

Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.

It's clearly a great time for cybercriminals to be in the ransomware business.

New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double in ransom money from enterprise victims than they did in the previous quarter. By monetizing a mere 2% or so of their attacks, most ransomware operators were able to generate a sizable profit on their investments last quarter, Coveware estimates.

Coveware analyzed ransomware victim data collected from its incident response engagements as well as from IR firms using its platform, in the last three months of 2019. The data showed that average ransomware payments soared 104% from $41,198 in the third quarter to $84,116 in the fourth quarter. On average, a ransomware attack cost victim organizations some 16.2 days in downtime, compared to just 12.1 days in the third quarter of 2019.

Half of the victims who forked over a ransom paid $41,179 or less, while half paid more. At the high-end, some victims paid up to $780,000 to get the decryption keys for unlocking their data, while at the other end of the spectrum other victims paid as little as $1,500. The wide range in ransom demands and payments reflected the sheer diversity of the threat actors that were active last quarter, Coveware said in a report released Monday.

The doubling of the amount was surprising," says Bill Siegel, CEO and co-founder of Coveware. "I think we expected it to rise, but had not expected the impact of large enterprise attacks to pull the average up as much as it did."

Coveware's report is one of several in recent weeks that have highlighted a disturbing increase in ransomware attacks on enterprise organizations. A lot of it appears to be driven by the willingness of many victims to negotiate with attackers rather than attempting to restore data on their own. Security experts and law enforcement officials have been strongly advocating the latter, advising organizations against paying the attackers.

In many cases, attackers have begun sharply ratcheting up the pressure on victims by exfiltrating data before encrypting it and then threatening to leak the data publicly if it's not paid. According to Coveware, prior to the fourth quarter less than 5% of enterprise cyber-extortion incidents involved data exfiltration and exposure. But such incidents are now steadily increasing. The trend more or less began in summer 2019 with malware strains like BitPaymer derivative DopplePaymer, Maze, and more recently, Sodinokibi.

"Cybercrime is a business, and when a ransomware group can acquire victims cheaply and repeatedly, they will keep doing so," Siegel says. Nearly six in 10 attacks last quarter (57%) were enabled through the use of stolen Remote Desktop Protocol (RDP) credentials, which are available in underground markets for less than $100, he notes. "This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cybercrime, so it marches on."

A Proofpoint survey of more than 600 security professionals around the world showed that slightly more than half of all organizations infected with ransomware in 2019 elected to pay the demanded ransom. Sixty-nine percent got their data back after the initial payment; 22% were not able to regain access to locked-up data and systems; 9% got hit with additional demands, and 2% ended up paying a higher amount than the initial demand.

A Dicey Proposition

Coveware's data, meanwhile, showed that 98% of victims that paid the demanded ransom received a working decryption tool. On average, companies that received a decryptor were able to recover about 97% of their locked data.

Generally, organizations that had to deal with the more sophisticated ransomware operators such as those behind the highly prolific Ryuk and Sodinikibi strains stood a much higher chance of getting their data back after paying a ransom. Groups associated with ransomware such as Rapid, Phobos and Mr.Dec generally targeted at smaller organizations tended to have higher default rates. Victims of these strains were at much higher risk of not getting their data back even after a ransom payment, Coverware found.

Companies with no backups, or those with compromised backups that don't have the ability to get their business back any other way, are often the ones that end up choosing to make a ransom payment, Siegel says. That's the only reason to even contemplate negotiations. Those who think paying a ransom will help make recovery faster are making a big mistake, he says.

"In our experience that is absolutely false, and in practice it does not happen," Siegel says. "Once companies realize the extent of the remediation work necessary just to cleanse their production network, such that you could safely decrypt it, they realize that on a risk and time adjusted basis, restoring from backups is always a better option."

RiskSense CEO Srinivas Mukkamala, whose company just launched a service to help organizations identify exposure to specific ransomware strains, says paying ransoms can be a dicey proposition. There have been numerous incidents where the key supplied by attackers after making a payment does not work, he says. Also, "paying the ransom obviously funds the industrial complex the bad guys are building, so were not fans of that," he notes.

At the same time, the backup often has the same vulnerability that enabled the ransomware attack to occur in the first place, so there's a danger the same vulnerability could be exploited again, he says.

"The best possible path is great up-front hygiene to patch systems such that known ransomware can't execute," Mukkamala says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/28/2020 | 11:36:08 AM
Needs editing
What do you have against paragraphs?  That posting is almost unreadable.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
Arista’s CloudVision eXchange (CVX) server before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause a denial of service (crash and restart) in the ControllerOob agent via a malformed control-plane packet.
PUBLISHED: 2020-10-26
AntSword contains a cross-site scripting (XSS) vulnerability in the View Site funtion. When viewing an added site, an XSS payload can be injected in cookies view which can lead to remote code execution.
PUBLISHED: 2020-10-26
This affects all versions of package pathval.
PUBLISHED: 2020-10-26
An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c.
PUBLISHED: 2020-10-23
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.