HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Reveals Increase in Ransomware Attacks and 3x Hike in Ransom Demands

Ransomware attacks have continued to increase in Q2, 2019, according to a new report from ransomware recovery service provider Coveware. When businesses experience a ransomware attack, Coveware helps firms recover their data, either through free remediation options or by negotiating with the attackers.

Coveware studied anonymized data on ransomware attacks experienced by its clients and found that ransomware payments have increased by 184% during the second quarter of 2019. The average ransom payment in Q1 was $12,762. In Quarter 2, the average payment was $36,295.

In Q2, 2019, the most common method of attack was via RDP ports, which were the attack vector in 59.1% of ransomware attacks. Coveware notes that there has been a sharp quarter-over-quarter increase in email-based attacks, which accounted for 34.1% of incidents in Q2. Software vulnerabilities were exploited in 6.8% of attacks. The software vulnerabilities were exploited by the Sodinokibi ransomware threat actors, who used vulnerabilities in managed service provider (MSP) backend integrations (Webroot/Kaseya) to gain access to MSP systems and those of their clients.

There is naturally downtime following a ransomware attack regardless of whether the ransom is paid or files are restored from backups. The average duration of downtime increased from 7.3 days to 9.6 days in Q2.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

One of the main reasons for the increase in recovery time was an increase in attacks on MSPs. In addition to the attackers infecting the MSP, the ransomware was spread to all MSP clients through their remote connections to their clients’ systems. Such extensive attacks naturally take longer to resolve.

Coveware notes that there has been an increase in attacks by affiliates under the ransomware-as-a-service model. Many ransomware developers run their own campaigns like a military operation and communicate quickly with victims. Affiliates tend to be more disorganized, which can cause problems during negotiations and can cause issues when trying to decrypt data. That inevitably leads to a delay in recovery. The threat actors behind the Ryuk ransomware attacks sent a viable decryptor within 3 hours of the ransom being paid, and the Sodinokibi attackers similarly sent decryptors through quickly.

No one wants to pay someone that has just attacked their business, but many companies are left with little choice. If backups have not been made or data cannot otherwise be recovered, paying the ransom is the only option other major data loss.

The cost of recovery from a ransomware attack can be split into two parts. The first are the costs of mitigating the attack which include the cost of a forensic analysis, rebuilding servers and workstations, eradicating the ransomware, and file recovery. The ransom, if paid, is also a mitigation cost. Ransom payments were highest for Ryuk ransomware attacks. The average payment was $267,742.

All of those costs, including the ransom payment, come to a fraction of the total cost of recovery. The main cost is downtime. With systems out of action, productivity falls dramatically, and the business loses revenue opportunities. Coveware’s figures show that the losses due to downtime are between 5 and 10 times the cost of the ransom payment.

A quick recovery will keep the costs to a minimum, but payment of the ransom does not guarantee file recovery. Out of the clients that paid the ransom, 96% were able to decrypt their data. 4% paid the ransom and couldn’t recover their files.

Even if the decryptor works there is likely to be some data loss.  This happens when the encryption process is flawed and some files were only partially encrypted and corrupted or, in some cases, files are deleted during the encryption or recovery process. On average, file recovery using the decryptors resulted in 8% file loss and 13% file loss with Ryuk ransomware. Sodinokibi is a more polished ransomware variant and the recovery rate was close to 100%.

Ryuk ransomware was used in 23.9% of attacks, Phobos in 17% of attacks, Dharma in 13.6% of attacks, and Sodinokibi in 12.5% of attacks.  Ryuk ransomware attacks were mostly on medium to large organizations with an average of 3,187 employees. Sodinokibi ransomware attacks were mostly on small MSPs, with an average of 79 employees.

Attacks on large organizations are increasing. In Q1, breached firms had an average of 141 employees. The average jumped to 925 employees in Q2.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.