Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Average Ransom Payment Hits $322,168 in Q4 2021

February 23, 2022

Cybersecurity firm Coveware released in early February its 2021 4th quarter report on ransomware. To no one’s surprise, there was a sharp rise in the average ransom payment. It was $322,168, up from $117,116 in the 3rd quarter.

Conclusion? There was a tactical shift toward extorting companies that were big enough to pay a fairly large ransom but small enough to keep operating costs and media and law enforcement attention low. If you had 1,000-10,000 employees, you went from being 8% of those attacked in Q3 to 14% in Q4.

Asked about the Colonial Pipeline attack, a LockBit2.0 affiliate was quoted as saying, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies . . .”

84% of ransomware attacks in Q4 included data exfiltration.

Be careful. As the report notes, some ransomware groups provide no proof of data exfiltration and fail to provide proof of deletion of logs of stolen data when they are paid. Some groups were paid not to post to their leak site – but they did so anyway. At least one group had affiliates leave and take copies of stolen data with them. They could then extort the victim a second time. One group provided victims proof of exfiltrated files that belonged to another company entirely.

Safe custody of stolen data is not top of mind for these attackers!

The average case duration in Q4 2021 was 20 days (-9% from Q3 2021). This decrease is attributable to an increase in the number of companies that were able to recover from backups, which is always faster than attempting to decrypt data with an attacker’s decryption key. The cost of business interruption remains the most serious cost to organizations hit by ransomware.

As the report notes, 2021 will be seen as a red-letter year in the evolution of the fight against cyber extortion. Positive developments:

  • The Biden Administration’s executive orders to implement zero trust are hardening the security of US government agencies and the vendors that support them.
  • The Colonial Pipeline incident is still very much on the minds of enterprise CEOs, driving a renewed push for better security and better incident preparedness.
  • The cyber insurance renewal process is mandating better security and continuity to maintain policies. These three factors have raised awareness and hardened corporate environments, making attacks more expensive for ransomware actors.
  • The fourth factor was that the number of law enforcement takedowns, seizures and arrests spiked in Q3 and Q4, and the momentum carried through into 2022. Most notable was the arrest by Russian authorities of alleged members of REvil. This was an unprecedented action for the Russian government to take. This has no doubt decreased the market of cyber criminals willing to execute these attacks. Many are not willing to risk jail time or western extradition.

These four factors MAY mean that the volume of attacks will decrease – but I wouldn’t bet the mortgage money on that quite yet.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson