Should companies crippled by a ransomware attack pay the cyber kidnapper to retrieve their data and unfreeze their systems? The data, according to Coveware, whose platform helps companies victimized by cyber extortionists negotiate successfully for a lower ransom and a working decryptor tool, overwhelmingly points to yes.
Coveware's Q4 Ransomware Marketplace report aggregates anonymized ransomware data from cases handled and resolved by Coveware’s Incident Response Team and by other incident response firms that use its platform. Rather than relying on survey responses, the report draws on a standardized set of data collected from every case.
Here are some of the report's key findings (via Coveware)...
- Average ransom payment: In Q4 of 2019, the average ransom payment increased by 104 percent to $84,116, up from $41,198 in Q3, 2019. The median ransomware payment in Q4 was $41,179.
- Data recovery: If the threat actor did not deliver the tool, then it is considered a default and will likely lead to a 0 percent data recovery rate. Files and servers can be damaged during or after the encryption process and this can affect data recovery rates even when a decryptor tool is delivered. In Q4, 2019, 98 percent of companies that paid the ransom received a working decryption tool, flat with Q3, 2019.
- Decryptors: In Q4, 2019, victims who paid for a decryptor successfully decrypted 97 percent of their encrypted data, a slight increase from Q3. The most prevalent types of ransomware such as Sodinokibi and Ryuk are being distributed by more sophisticated actors, who tend to be more careful in how they handle the encryption process.
- Ransomware downtime: In Q4, 2019, average downtime increased to 16.2 days, from 12.1 days in Q3 of 2019. The increase in downtime was driven by a higher prevalence of attacks against larger enterprises, which often spend weeks fully remediating and restoring their systems.
- Ransom payments: Bitcoin is used almost exclusively now in all forms of cyber extortion. Cyber criminals have realized that it is easier to swap extortion proceeds into a privacy coin after they collect than to require a victim to purchase a less liquid type of digital currency.
- Common types of ransomware: In Q4, 2019, Sodinokibi (ransomware-as-a-service) was the most prevalent type of ransomware by incident count. At least one Sodinokibi affiliate was observed exploiting the remote monitoring and management (RMM) tools used by IT managed service providers (MSPs). Ryuk ransomware was again the second most common type. Phobos and Dharma also continue to account for a steady portion of small enterprise ransomware attacks.
- Common ransomware attack vectors: The mass availability of Remote Desktop Protocol (RDP) credentials to corporate networks for as little as $30 per IP address has made carrying out a targeted attack extremely cost-effective for the attackers. For larger enterprises, email phishing continues to be the preferred method of initial compromise.
- Ransomware by attack vector: During Q4, 2019 the lower end ransomware-as-a-service variants such as Dharma and Phobos continued to exploit cheap and easy attack vectors like RDP. The more sophisticated groups like Sodinokibi also use RDP when available, but have also been observed exploiting more technically complex CVEs and using email phishing.
- Common ransomware types by attack vector: Ryuk attackers continue to leverage email phishing to gain an initial toehold inside a network before escalating their privileges. Ryuk was also observed using a feature called Wake-on-LAN to turn on computers that were initially powered off, to ensure widespread encryption.
- Victim company by number of employees: At the lower end of the market, widely available ransomware-as-a-service variants like Dharma/Phobos dominated. At the other end of the market, Ryuk attacks continue to target large enterprises. Sodinokibi’s focus on MSPs results in large payouts but relatively small victim sizes, as most companies that use MSPs are small enterprises with fewer than 200 employees.
- Ransomware by ransom amount: In Q4, 2019 Ryuk groups seemed to focus on only the largest enterprises. The average Sodinokibi ransom decreased dramatically as the affiliates failed to coerce large single payments from MSPs and settled for small individual payments from the end clients of the MSPs.
- Ransomware target industries: Professional services firms such as regional law firms, consulting firms and IT service providers make up the largest segment by industry. Public sector organizations account for an elevated portion of ransomware attacks. Sodinokibi targeted specialized service providers within healthcare, with variants like Defray 777 focusing all their attacks on that industry. Of note, Maze publicly announced that it will not attack organizations where a disruption to patient care may cause the loss of life.
- Average company size targeted by ransomware: In Q4, 2019, the average company size decreased to 610 employees, down from 645 in Q3, 2019. The decrease reflects the higher preponderance of individual victims of Sodinokibi MSP-based attacks.
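The Wake-on-LAN behaviour noted above for Ryuk is one of the few findings in the report that a defender can turn directly into a network detection, because magic packets have a fixed, easily recognised layout and are rare on most segments. The script below is an added example, not code from Coveware or from the report; the datagrams it scans are constructed sample data, and the fan-out threshold is an assumed tuning value. It parses the magic-packet format (6 bytes of 0xFF, the target MAC repeated 16 times, optional 4- or 6-byte password) and flags any source address that wakes several distinct machines in one capture.

```python
"""Detect Wake-on-LAN magic packets and flag mass wake-ups (added example).

Not part of Coveware's report or tooling. Intended as a starting point for
a packet-capture or NetFlow-payload check: a single host sending magic
packets to many distinct MACs is unusual outside of IT automation and is
worth correlating with other pre-encryption activity.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SYNC_STREAM = b"\xff" * 6          # magic-packet synchronization stream
MAC_LEN = 6
BODY_LEN = len(SYNC_STREAM) + MAC_LEN * 16   # 102 bytes before any password


@dataclass(frozen=True)
class MagicPacket:
    target_mac: str      # colon-separated, lower-case
    password_len: int    # 0, 4 or 6 (optional SecureOn password)


def parse_magic_packet(payload: bytes) -> Optional[MagicPacket]:
    """Return a MagicPacket if payload is a well-formed WoL frame, else None."""
    if len(payload) < BODY_LEN or not payload.startswith(SYNC_STREAM):
        return None
    mac = payload[len(SYNC_STREAM):len(SYNC_STREAM) + MAC_LEN]
    if payload[len(SYNC_STREAM):BODY_LEN] != mac * 16:
        return None                       # MAC must repeat exactly 16 times
    trailer = len(payload) - BODY_LEN
    if trailer not in (0, 4, 6):
        return None                       # only a 4- or 6-byte password is valid
    return MagicPacket(target_mac=mac.hex(":"), password_len=trailer)


def build_magic_packet(mac: bytes, password: bytes = b"") -> bytes:
    """Helper used only to construct sample data for this example."""
    return SYNC_STREAM + mac * 16 + password


# Constructed sample capture: (source IP, UDP destination port, payload).
# 10.0.5.23 wakes four different machines; 10.0.1.9 wakes one and also
# sends two datagrams that merely resemble a magic packet.
CONSTRUCTED_DATAGRAMS: List[Tuple[str, int, bytes]] = [
    ("10.0.5.23", 9, build_magic_packet(bytes.fromhex("001122334455"))),
    ("10.0.5.23", 9, build_magic_packet(bytes.fromhex("001122334456"))),
    ("10.0.5.23", 7, build_magic_packet(bytes.fromhex("001122334457"), b"\x00" * 4)),
    ("10.0.5.23", 9, build_magic_packet(bytes.fromhex("001122334458"))),
    ("10.0.1.9", 9, build_magic_packet(bytes.fromhex("aabbccddeeff"))),
    ("10.0.1.9", 53, SYNC_STREAM + bytes(range(96))),   # right length, wrong body
    ("10.0.1.9", 9, b"hello"),                           # ordinary traffic
]


def find_wol_fanout(datagrams: Iterable[Tuple[str, int, bytes]],
                    threshold: int = 3) -> Dict[str, List[str]]:
    """Group valid magic packets by source IP; return sources that targeted
    at least `threshold` distinct MACs (assumed threshold, tune per network)."""
    targets: Dict[str, set] = {}
    for src, _port, payload in datagrams:
        pkt = parse_magic_packet(payload)
        if pkt is None:
            continue
        targets.setdefault(src, set()).add(pkt.target_mac)
    return {src: sorted(macs) for src, macs in targets.items() if len(macs) >= threshold}


if __name__ == "__main__":
    for src, macs in find_wol_fanout(CONSTRUCTED_DATAGRAMS).items():
        print(f"ALERT {src} sent Wake-on-LAN to {len(macs)} hosts: {', '.join(macs)}")
```

The parser deliberately rejects anything whose MAC block does not repeat exactly, so broadcast noise that happens to start with six 0xFF bytes is not counted. On a real network the threshold and the grouping window should be set from a baseline of legitimate WoL use (patch-management and power-saving tools are the usual senders), and alerts are most useful when joined with the source host's other recent activity rather than acted on alone.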