Average Ransomware Payment Increased Sharply in Q4, 2019

Share this article on:

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered as a result of brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data lost can be expected. Out of the companies Coveware helped recover data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures for the report naturally only include ransomware victims that have used Coveware to negotiate with the attackers and assist with recovery. Many firms chose to deal with their attackers directly or use other ransomware recovery firms.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On