A newly published report from the ransomware incident response firm Coveware indicates that payments completed by ransomware victims grew noticeably during Q4, 2019. The average ransomware payment grew by 200% during Q4, as two of the most prolific ransomware groups – Sodinokibi and Ryuk – shifted their focus to large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.
The huge increase in ransom amounts is largely due to the changing tactics of the two main ransomware gangs, Ryuk in particular. Ryuk is now heavily focused on attacking large enterprises. The average number of staff members at victim companies grew from 1,075 in Q3 to 1,686 in Q4. The largest ransom payment in Q4 was $779,855.5, a considerable jump from the largest demand of $377,027 in Q3.
In Q4, the most prevalent ransomware strains were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). A further 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware strains.
Many of the above ransomware variants are spread using the ransomware-as-a-service model, where affiliates register to use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates, whereas some of the less well known ransomware gangs let anyone register. Only a small number of affiliates are used to distribute Sodinokibi, with some specializing in different sorts of attack. One Sodinokibi affiliate has in-depth knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.
Ransomware is often delivered after brute-forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in over 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software flaws (13%).
Coveware stated in its report that 98% of victims who paid the ransom were given valid keys and were able to decrypt their files. The probability of success can differ greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not hand over valid keys, even after the ransom is paid. Threat groups linked with Rapid, Mr. Dec, and Phobos ransomware were labelled as consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.
Even when valid decryptors are handed over, some data loss can be expected. Across the firms Coveware helped recover data, on average 97% of files were recovered. An average of 3% of files were permanently lost because they were corrupted during the encryption/decryption process. More sophisticated threat actors, such as the Ryuk and Sodinokibi groups, tend to be more careful when encrypting data to ensure file recovery is possible and their reputation is not harmed.
The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is mainly due to a spike in attacks on large enterprises, which have complex systems that take much longer to bring back online.
The figures in the report only take into account ransomware victims that used Coveware to negotiate with the attackers and assist with recovery. Many companies choose to deal with their attackers directly or use other ransomware recovery companies.