As expected, ransomware attackers capitalized on the the coronavirus (Covid-19) pandemic, bumping the average enterprise ransom payment in Q1, 2020 to $111,605, a 33 percent spike from the prior quarter, a new Coveware report said.
Of note, in late December, 2019 a Sodinokibi ransomware attack spread from an upstate New York hosting provider and manager service provider (MSP) to an airport’s IT systems. Sodinokibi malware has also hit MSPs and cloud service providers (CSPs), including CyrusOne, PerCSoft, and Synoptek.
It’s the seventh straight quarter that system hijackers have reaped more money than the previous period and signals a move toward extorting large enterprises gaining steam, according to Coveware’s calculations. While large enterprise ransom payments are the minority by volume, it’s the size of the payments that drove the average ransom haul higher, Coveware said.
For the quarter, the median ransom payment was $44,021, up roughly 10 percent from the $41,179 in Q4 2019. By comparison, the average ransom payment in Q4, 2019, increased by 104 percent to $84,116, up from $41,198 from Q3, 2019 and exceeding any quarterly rise since Q3, 2018.
Here are 10 of the report’s key findings for Q1, 2020:
- Ransomware attack type market share: Sodinokibi 26.7%%, Ryuk 19.6%, Phobos 7.8%. The share of all three remained the same as in the previous period. Mamba ransomware increased by 4% in Q1 to 4.8%.
- Ransomware attack vectors: Poorly secured Remote Desktop Protocol (RDP) access points continued to be the most common attack vector in the last two quarters. RDP compromise remained at about 60% while email phishing rose slightly to about 26% and software vulnerability dipped marginally to roughly 10%.
- Top 3 favorite attack vectors: Phobos relies 100% on RDP, Ryuk more than 90% on email spear phishing and Sodinokibi 50% on RDP and a bit less than 40% on software vulnerability.
- Size of victim company: Phobos successfully attacked a few larger enterprises while the Ryuk groups moved slightly down market. Sodinokibi shifted from small MSPs to large enterprises to take advantage of VPN vulnerabilities.
- Average ransom payment: The average ransom payment for a Ryuk hit climbed to $1.4 million in Q1, 2020 from $780,000 in the prior quarter. Sodinokibi rocketed 369 percent to $328,000 during the period while Phobos moved up slightly to $15,761.
- Companies targeted by ransomware: Law firms, MSPs, accountants and other professional services organizations remained the largest industry subset targeted by ransomware in Q1, 2020. Public sector entities were 12% of attacks in Q1 with schools at nearly 50% of that number.
- Average size of companies targeted by ransomware: Ransomware is mostly a small business problem. The average number of employees of companies hit was 625 in Q1, a 2.5% rise from Q4, 2019. The high point was in Q2, 2019 at about 900 employees. The median company size victimized was 62 employees for Q1, 2020.
- Decryption tools: The payment success rate was 99%, down 1% from Q4,2019. Coveware acknowledged that the rate may have been swayed by its success in engaging with threat actors and that it does not work with individuals. The average data recovery rate was 96%, down 1% from Q4, 2019.
- Average downtime from ransomware attack: The average days of downtime was 15, down 7% from Q4, 2019.
- Cryptocurrencies used to pay ransoms: Bitcoin was 99% of cryptocurrency used to pay ransoms, flat from the previous quarter.
Coveware’s methodology uses an aggregation of anonymous ransomware data from cases handled and resolved by its incident response team and other incident response firms that use its platform. Rather than employ data compiled from a survey, information for the report comes from a standardized set of data collected from every case. Despite the rising ransom payment numbers in Q1, 2020, Coveware strongly recommends that companies crippled by a ransomware attack not pay the cyber kidnapper to retrieve their data and unfreeze their systems. The data, according to Coveware, whose platform helps companies victimized by cyber extortionists successfully negotiate for a lower ransom and a working decryptor tool, overwhelming points to yes.