Euro Security Watch with Mathew J. Schwartz

Cybercrime , Cybercrime as-a-service , Encryption & Key Management

Ransomware: Average Ransom Payment Declines to $154,108

As Gangs Fail to Honor Data Deletion Promises, Fewer Victims Paying, Coveware Finds
Ransomware: Average Ransom Payment Declines to $154,108
Average and median ransom payments made by victims based on thousands of cases investigated per quarter by Coveware

Good news: While ransomware attacks continue to pummel organizations, fewer victims have been paying a ransom, and when they do, on average they're paying less than before.

See Also: AI-Driven Strategies for Effective Cyber Incident Recovery

That's the assessment from ransomware incident response firm Coveware, based on thousands of ransomware cases that it helped investigate from October to December of last year.

From Q3 to Q4 last year, the average ransom payment declined by 34%, reaching $154,108, while the median ransom payment dropped by 55% to $49,450.

That's a big change from what had been a monthslong increase in the number of ransoms and the amount being paid, driven by attackers increasingly stealing data and threatening to leak it online to better pressure victims into paying.

The most common type of ransomware tied to successful attacks that Coveware investigated in Q4 2020 was Sodinokibi, aka REvil, which accounted for nearly one-fifth of all cases. Other top strains were Egregor - the apparent successor to Maze - followed by Ryuk, NetWalker, Maze, Conti and DopplePaymer.

Source: Coveware, Q4 2020

Since then, Maze has apparently retired, while the NetWalker gang was disrupted by police.

Data-Leaking Sites Drive Profit Boom

The explosion in gangs wielding data-leaking sites, via which victims can be named and shamed and extracts of stolen data leaked, had been driving many more victims to pay. Some gangs also began charging extra to delete stolen data, even if victims didn't need to pay a ransom in return for a decryption tool - for example, if they could simply restore from backups.

Any time an innovative new tactic helps generate better profits, other gangs typically follow suit. So it's no surprise that last year, "the percentage of ransomware attacks that involved the threat to release stolen data increased from 50% in Q3, to 70% in Q4," Coveware reports.

But in the same time frame, companies that were hit not just by ransomware but with the threat of having their exfiltrated data leaked paid a ransom 75% of the time in Q3; that dropped to 60% in Q4.

False Promises Cost Profits

What's behind the decline in the number of victims willing to pay a ransom, even when threatened with data leaking?

Coveware traces the decrease directly to data-stealing attackers failing to honor their promises. "The trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying," it says. "As a result, fewer companies are giving in to cyber extortion when they are able to recover from backups."

That is good news, because the recent surge in ransomware, backed by data exfiltration, all comes down to one thing: criminals' relentless pursuit of profits, preferably via the easiest, safest and most reliable means possible.

Median size of organizations - in number of employees - hit by ransomware (Source: Coveware)

A corollary trend, especially practiced by larger and more sophisticated gangs and ransomware-as-a-service campaigns, has been increased "big game hunting," referring to taking down larger targets. Many gangs have found that for scant additional effort, they can focus on larger targets and demand much higher ransoms.

Preparation Pays

Law enforcement agencies and security experts continue to urge victims to never pay a ransom because it continues to validate this illicit business model for criminals.

If victims do choose to pay, there are no guarantees. They may not get a working decryption tool, and when it does work, such software often cannot restore every file that was forcibly encrypted by the ransomware. The same gang - or another gang - may also attack them again, demanding an even higher ransom.

Paying for a promise that stolen data will be deleted is also a fool's errand. "The data may not be credibly destroyed by the threat actor. Victims should assume it might be traded, sold, misplaced or held for a second/future extortion attempt," Coveware says. In addition, attackers may have been collaborating. Hence, even if one of them does delete stolen data, "other parties that had access to it may have made copies so that they can extort the victim in the future."

More Hackers Claim to Steal Data

Apparently, data exfiltration has been such a lucrative tactic that ransomware gangs increasingly claim to have stolen data, even when they have not, investigators say. That puts the onus on incident responders to validate precisely what might have been stolen. To do that, organizations need to have in place - before they get attacked - robust logging and monitoring so they can identify what attackers touched.

Ideally, of course, organizations should also have robust defenses in place to better ensure they never fall victim.

Phishing Nudges Out RDP Access

For honing defenses, a tactic ransomware gangs favor for gaining initial access to a victim's network is targeting poorly secured remote desktop protocol connections.

Source: Coveware

"RDP compromises remain a very common attack vector, with network credentials to brute-forced networks commonly for sale for as little as $50," Coveware says.

While RDP was previously the top attack vector seen in incidents it investigated, Coveware says phishing has recently moved into the top spot, although both tactics remain widely used.

Phishing was the most common delivery mechanism for the pervasive Trickbot and Emotet malware, which often then installed ransomware, including Ryuk. Such phishing attacks more often involve worm capabilities, enabling attackers to more easily gain a foothold on multiple systems, Coveware notes.

Following the recent Emotet takedown, however, it's possible that RDP will again become the most-used technique.

Of course, attackers don't care what they use, provided it delivers results. Cybercrime, after all, remains a business.

'Uptick in Haphazard Data Destruction'

So, it's surprising to note this trend also spotted by Coveware: There's been an increase in reports from victims who have had systems get irrevocably wiped, without any potential for obtaining a decryption tool to restore them. That's unusual because there's no way for attackers to monetize such a scenario. And victims have no option to pay and perhaps get some of their data back.

"The uptick in haphazard data destruction has led some victims to suffer significant data loss and extended business interruption as they struggle to rebuild systems from scratch," Coveware says. "It remains unclear whether these events have been outliers or a symptom of less experienced bad actors handling the attack execution."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.