Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Average Ransomware Payment Drops to $154,180

February 8, 2021

Bank Info Security reported on February 1 that incident response firm Coveware announced that from Q3 to Q4 last year, the average ransom payment declined by 34% to $154,108. Fewer victims have been paying a ransom. The findings are based on thousands of cases that Coveware helped investigate last year.

That’s a big change from a long period of increases in the number of ransoms and the amount being paid, caused by attackers stealing data and threatening to leak it online if the ransom wasn’t paid.

The most common type of ransomware tied to successful attacks that Coveware investigated in Q4 2020 was Sodinokibi, aka REvil, which accounted for nearly one-fifth of all cases. Other top strains were Egregor – the apparent successor to Maze – followed by Ryuk, NetWalker, Maze, Conti and DopplePaymer.

Since then, Maze has announced that it has retired, while the NetWalker gang was disrupted by law enforcement.

As more and more victims were able to restore their data from backups, there was an explosion in the number of ransomware gangs stealing data and leaking portions of it to compel victims to pay the ransom.

In 2020, “the percentage of ransomware attacks that involved the threat to release stolen data increased from 50% in Q3, to 70% in Q4,” Coveware reports.

In Q3, companies that were hit not just by ransomware but also by the threat of having their exfiltrated data leaked paid a ransom 75% of the time; that dropped to 60% in Q4.

Why the decline?

Coveware traces the decrease directly to data-stealing attackers not honoring their promises. “The trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying,” it says. “As a result, fewer companies are giving in to cyber extortion when they are able to recover from backups.”

Another trend has been increased “big game hunting” – taking down larger targets. Many gangs have found that for little additional effort, they can attack larger targets and demand much higher ransoms.

If victims do choose to pay a ransom, there are no guarantees. They may not get a working decryption tool, and when it does work, such software often cannot restore every file that was encrypted by the ransomware. The same gang – or another gang – may also attack them again, demanding an even higher ransom.

Paying for a promise that stolen data will be deleted is a roll of the dice. “The data may not be credibly destroyed by the threat actor. Victims should assume it might be traded, sold, misplaced or held for a second/future extortion attempt,” Coveware says. In addition, attackers may have been collaborating. Hence, even if one of them does delete stolen data, “other parties that had access to it may have made copies so that they can extort the victim in the future.”

Apparently, data exfiltration has been such a lucrative tactic that ransomware gangs increasingly claim to have stolen data, even when they have not, investigators say. That puts the burden on incident responders to validate what might have been stolen. To do that, organizations need to have in place strong logging and monitoring so they can identify what attackers accessed.

A tactic ransomware gangs like for gaining initial access to a victim’s network is targeting poorly secured remote desktop protocol connections. “RDP compromises remain a very common attack vector, with network credentials to brute-forced networks commonly for sale for as little as $50,” Coveware says.

While RDP was previously the top attack vector seen in incidents it investigated, Coveware says phishing has recently moved into the top spot, although both tactics are widely used.
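The two paragraphs above make a practical point for defenders: brute-forced RDP is a common way in, and good logging is what lets an incident responder tell what an attacker actually reached. As an added illustration (not code from this blog or from Coveware), the Python below scans a constructed sample of Windows Security events for the telltale pattern of an RDP password-guessing attack: a burst of failed logons (Event ID 4625, logon type 10 for Remote Desktop) from one source address, optionally followed by a successful logon (Event ID 4624) from the same source. The flattened one-line event format, the timestamps, the usernames and the documentation-range IP addresses are all constructed for the example; the event IDs and logon type are the real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events flattened to one line each.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# 203.0.113.7 and 198.51.100.20 are documentation addresses used here as stand-ins.
SAMPLE_EVENTS = """\
2021-01-14T02:11:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-01-14T02:11:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2021-01-14T02:11:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2021-01-14T02:11:06Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2021-01-14T02:11:07Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2021-01-14T02:11:09Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2021-01-14T08:30:00Z EventID=4625 LogonType=10 TargetUserName=mjones IpAddress=198.51.100.20
2021-01-14T08:30:15Z EventID=4624 LogonType=10 TargetUserName=mjones IpAddress=198.51.100.20
2021-01-14T09:00:00Z EventID=4624 LogonType=2 TargetUserName=mjones IpAddress=127.0.0.1
"""

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Parse one flattened event line into a dict; return None if it cannot be parsed."""
    parts = line.split()
    if not parts:
        return None
    try:
        stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["timestamp"] = stamp
    return fields


def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.

    Each finding records the burst and whether a successful RDP logon from the same
    source followed it, which is the pattern of a password-guessing attack that worked
    and is exactly what an incident responder needs the logs to answer.
    """
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    rdp_events = [e for e in events
                  if e.get("LogonType") == RDP_LOGON_TYPE and "IpAddress" in e]

    failures_by_ip = defaultdict(list)
    successes_by_ip = defaultdict(list)
    for e in rdp_events:
        if e.get("EventID") == FAILED_LOGON:
            failures_by_ip[e["IpAddress"]].append(e)
        elif e.get("EventID") == SUCCESSFUL_LOGON:
            successes_by_ip[e["IpAddress"]].append(e)

    findings = []
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(fails):
            # All failures from this source within `window` of the i-th failure.
            burst = [f for f in fails[i:] if f["timestamp"] - first["timestamp"] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1]["timestamp"]
            later_successes = [s for s in successes_by_ip.get(ip, [])
                               if s["timestamp"] > burst_end]
            findings.append({
                "ip": ip,
                "first_failure": first["timestamp"].isoformat(),
                "failed_attempts": len(burst),
                "usernames": sorted({f.get("TargetUserName", "?") for f in burst}),
                "followed_by_success": bool(later_successes),
                "compromised_accounts": sorted({s.get("TargetUserName", "?") for s in later_successes}),
            })
            break  # one finding per source address is enough for triage
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the detector reports a single source, 203.0.113.7, that tried four different usernames five times within a few seconds and then logged in successfully as jsmith, which is the account a responder would treat as compromised. The local console logon (logon type 2) is ignored because the check is scoped to Remote Desktop sessions. Thresholds and window sizes are tuning knobs; the point is that none of this is possible without the Security log being collected and kept somewhere the attacker cannot wipe it.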

A couple of quick reminders: apply security patches in a timely way so you don’t have known vulnerabilities that expose you to danger, and use two-factor authentication (2FA). 2FA helps defeat attackers because even if they have the right login credentials, it’s much harder to exploit them.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson