Noticeable Increase in Average Ransomware Payment During Q4, 2019

by | Feb 4, 2020

A newly-published report from the ransomware incident response outfit Coveware indicates that payments completed by ransomware victims grew noticeably during Q4, 2019. The average ransomware payment grew by 200% during Q4, as two of the most prolific ransomware groups – Sodinokibi and Ryuk – moved their attention to focusing on large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The huge increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk in particular. Ryuk is now heavily focused on attacking large enterprises. The average number of staff members at victim companies grew from 1,075 in Q3 to 1,686 in Q4. The greatest ransom amount was $779,855.5 in Q4; a considerable jump from the greatest demand of $377,027 in Q3.

In Q4, the greatest ransomware attacks were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware strains.

A lot of the above ransomware variants are spread using the ransomware-as-a-service model, where affiliates can register for and use the ransomware and retain a cut of the ransom payments. The more complex gangs are cautious about who they accept as affiliates whereas some of the less well known ransomware gangs let anyone register for. Only a small number of affiliates are used to distribute Sodinokibi, with some specializing in different sorts of attack. One Sodinokibi affiliate has in depth knowledge of remote monitoring and management tools and specializes in attacks on managed service suppliers.

Ransomware is often sent due to brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is deployed in over 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software flaws (13%).

Coveware stated in its report that 98% of victims who paid the ransom were given valid keys and were able to decrypt their files. The probability of success can differ greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not hand over valid keys, even after the ransom is met. Threat groups linked with Rapid, Mr. Dec, and Phobos ransomware were labelled as being consistent defaulters. Those threat groups were also less picky and tended to work with any affiliate.

Even when valid decryptors are handed over, some data lost can be expected. Out of the firms Coveware helped rescue data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More complex hackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not harmed.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is mainly due to a spike in attacks on large enterprises, which have complex systems that take much longer to bring back online.

The figures for the report only take into account ransomware victims that have used Coveware to negotiate with the hackers and assist with recovery. Many companies chose to deal with their hackers directly or use other ransomware recovery companies.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy