Ransomware is still one of the biggest cybersecurity threats faced by healthcare organizations. Not only have attacks increased, ransom demands have increased as well.
A new analysis by ransomware remediation and incident response firm Coveware has revealed the average ransom payment has increased by 13% to $41,198 in Q3, 2019, which is six times as much as in December 2018. Many companies have to pay considerably more. The attackers using Ryuk ransomware tend to demand payments of hundreds of thousands of dollars. Ryuk ransom payments between Q2 and Q3, 2019 ranged from $267,742 to $377,026. Ransom demands issued to large enterprises are often over $1 million.
While no industry is immune to ransomware attacks, they tend to be concentrated on certain industries where there is a higher than average chance of the ransom being paid. The most targeted industry sectors are professional services (18.3%), the public sector (13.3%), healthcare (12.8%), software services (11.7%), and retailers (8.3%).
There has also been an increase in attacks on managed service providers (MSPs). These attacks tend to require greater effort on the part of the attackers, but the potential rewards are considerable. A successful attack on an MSP can give the attackers access to the systems of all of its clients. The threat actors using Sodinokibi and GlobeImposter ransomware variants have been targeting MSPs and large enterprises, and large enterprises are commonly attacked by the threat actors using Netwalker, Hidden Tear, and Snatch ransomware variants.
While Coveware has not released information on the number of clients that have paid ransom demands, Coveware CEO Bill Siegel said the number is in the high hundreds.
The tactics used by cybercriminals to spread malware are constantly changing, and ransomware attacks are no different. Coveware’s report shows there has been a marked shift in how attacks are conducted, and tactics have become far more sophisticated. When ransomware became popular with cybercriminals, the attacks were largely automated and random. Attacks then became more targeted at businesses, and now threat actors are adopting tactics most commonly associated with nation-state threat actors.
Coveware’s clients were most commonly attacked using stolen RDP credentials (50.6%). Phishing is also a common method of attack and was used to attack 39% of clients. In 8.1% of attacks, a software vulnerability was exploited to gain access to the network to deploy ransomware.
It is naturally in the best interests of ransomware developers to ensure that victims’ files can be recovered: if word spreads that payment is pointless, no further payments would be made. However, payment of a ransom is no guarantee that files will be recovered. According to Coveware, 98% of clients that paid the ransom were supplied with working keys to decrypt data, although on average, those keys only allowed around 94% of data to be recovered.
The attackers using Dharma and Rapid ransomware variants often do not supply viable keys to unlock files after the ransom is paid, and the encryption code used in Mr. Dec ransomware is poorly written, so decryptors only work around 30% of the time.
Payment of a ransom is not always necessary, as free decryptors are available to unlock files through the No More Ransom project, although they do not work on the most commonly used ransomware variants, which in Q3 were Ryuk (22.2%), Sodinokibi (21.1%), and Phobos (19.9%).
Files can also be recovered from backups, but in many cases up-to-date backups do not exist, backups are corrupted and file recovery is not possible, or they too are encrypted in the attacks.