Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Average Ransomware Demand Now Over $80,000 – and Honor Among Thieves?

February 3, 2020

My ransomware post from last week is already obsolete. That's how fast developments arrive in the scourge known as ransomware. A recent Bitdefender post included two really remarkable statistics from a study published by cybersecurity company Coveware, which specializes in ransomware recovery.

In 2019, companies observed a change in how criminals deploy and use ransomware, as it becomes more targeted, and sensitive data is stolen and used for blackmail. This immediately translated to a larger average ransom payment for ransomware-related incidents, which spiked by 104% in Q4 of 2019, to $84,116, up from $41,198 in Q3. $84,116? That is an extraordinary amount – and boy oh boy did this happen fast!

The new study attributes the shift in ransomware attacks to changes in how ransomware variants Ryuk and Sodinokibi are deployed online, more recently in the enterprise space, with a focus on larger companies. Ransom demands even reached a new record high of $780,000.

Another interesting metric that the study revealed has to do with the payment success rate, which is now 98%. Remember when the odds were roughly 50-50 that you would receive the decryption key? Things have changed – and the motivation is obviously to prove that there is honor among thieves so that ransomware victims will feel (relatively) safe in paying the ransoms.

The attack vector was also covered in the study, showing that stolen or leaked RDP (Remote Desktop Protocol) credentials were used in 57.4% of cases, followed by email phishing, at 26.3%. It seems that the best way to protect a company against ransomware attacks is to secure the RDP credentials as well as possible, along with measures such as implementation of a powerful security solution that works organization-wide.

Another fascinating stat from the study? Bitcoin is used 99% of the time to make ransomware payments. It simply is the cryptocurrency that most people know – and it lowers the barrier to payment of the ransom. I would wager that a lot of larger companies are amassing a bitcoin stash as an insurance policy against a successful ransomware attack that they cannot easily recover from.

And one more stat: In Q4 of 2019, the average downtime due to ransomware increased to 16.2 days, from 12.1 days in Q3 of 2019. The increase in downtime was driven by a higher prevalence of attacks against larger enterprises, which often spend weeks fully remediating and restoring their systems. Some ransomware distributors have evolved their attacks to make them even more pervasive. In Q4, Ryuk actors began using a "Wake-on-LAN" feature to turn on devices within a compromised network that were initially powered off. This greatly magnifies the impact of the attack. Ransomware is typically detonated during the night or early morning hours when oversight from security admins is limited. Infiltration during off-peak hours means that most machines are not running as the workday is over and most employees are gone. This feature turns their machines back on so that the number of encrypted endpoints is maximized. Lovely, huh?
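For defenders, the Wake-on-LAN behavior described above can be watched for on the network. The following is an added example, not part of the original post or the Coveware study: it recognizes the standard magic-packet layout (six 0xFF bytes followed by the target MAC repeated 16 times) in UDP payloads and flags wake-ups sent off-hours or by hosts outside an approved list. The event tuple format, the 07:00-19:00 weekday window, the sample addresses and the `approved_senders` set are assumptions.

```python
from collections import defaultdict
from datetime import datetime

SYNC = b"\xff" * 6  # a magic packet opens with six 0xFF bytes


def wol_target(payload: bytes):
    """Return the target MAC if payload contains a magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 102]
        # MAC must repeat 16 times after the sync bytes; all-0xFF is padding.
        if len(body) == 96 and body == mac * 16 and mac != SYNC:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def off_hours(ts, open_hour=7, close_hour=19):  # assumed staffing window
    return ts.weekday() >= 5 or not open_hour <= ts.hour < close_hour


def review(events, approved_senders, fanout_limit=2):
    """events: (ISO timestamp, source IP, UDP payload). Returns (alerts, fanout)."""
    alerts, woken = [], defaultdict(set)
    for stamp, src, payload in events:
        mac = wol_target(payload)
        if mac is None:
            continue
        woken[src].add(mac)
        reasons = []
        if src not in approved_senders:
            reasons.append("unapproved sender")
        if off_hours(datetime.fromisoformat(stamp)):
            reasons.append("off-hours")
        if reasons:
            alerts.append((stamp, src, mac, reasons))
    fanout = {s: len(m) for s, m in woken.items() if len(m) >= fanout_limit}
    return alerts, fanout


# Constructed sample traffic (not captured data); 10.0.0.5 is the assumed admin host.
SAMPLE = [
    ("2020-01-14T10:15:00", "10.0.0.5", SYNC + bytes.fromhex("020000000a01") * 16),
    ("2020-01-15T02:30:00", "10.0.0.77", SYNC + bytes.fromhex("020000000a02") * 16),
    ("2020-01-15T02:30:01", "10.0.0.77", b"\x00" * 4 + SYNC + bytes.fromhex("020000000a03") * 16),
    ("2020-01-15T02:31:00", "10.0.0.77", b"GET / HTTP/1.1\r\n"),
]
```

Calling `review(SAMPLE, {"10.0.0.5"})` returns the two 02:30 wake-ups from the unapproved host and reports that host in the fan-out summary, while the daytime wake-up from the admin host passes.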

The developments in ransomware have been fast and furious. Who knows what next week will hold?

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson