Coveware Report Reveals Higher Average Ransomware Payment in Q4 of 2019

A new report from Coveware, a ransomware incident response company, shows a sharp increase in payments made by ransomware victims in Q4 of 2019. The average ransomware payment doubled in Q4 since two of the high-profile ransomware gangs, Sodinokibi and Ryuk, began attacking big enterprises. The average ransom payment of $41,198 in Q3 of 2019 jumped to $84,116 in Q4.

The big increase in ransom demands is mostly due to the two ransomware gangs' changing strategies. Ryuk is now concentrating on big enterprises. Victim companies had an average of 1,075 employees in Q3, which went up to 1,686 in Q4. The biggest ransom demand in Q4 was $779,855.5, up from $377,027 in Q3.

In Q4, the frequency of ransomware attacks by variant was as follows:

  • 29.4% – Sodinokibi
  • 21.5% – Ryuk
  • 10.7% – Phobos
  • 9.3% – Dharma
  • 6.1% – DoppelPaymer
  • 5.1% – NetWalker
  • 10.7% – Snatch, Rapid, GlobeImposter or IEncrypt ransomware variants

The ransomware variants mentioned above are usually spread using the ransomware-as-a-service model, in which affiliates register to use the ransomware and keep a percentage of the ransom payments. The more advanced gangs are careful about which affiliates they accept, while the smaller ransomware gangs accept any affiliate. Only a few affiliates are used to distribute Sodinokibi, with a few focusing on different kinds of attacks. One Sodinokibi affiliate has extensive expertise in remote monitoring and management tools and is an expert in attacking managed service providers.

Ransomware is generally installed after attackers gain access with purchased stolen RDP credentials or by brute-forcing weak RDP credentials. This approach is used in over 50% of successful ransomware attacks. The next most common vectors are phishing (26%) and exploitation of software vulnerabilities (13%).

Coveware stated in the report that attackers give valid keys to 98% of victims who pay the ransom, allowing them to decrypt their files. The likelihood of success depends heavily on the ransomware variant involved. Certain threat actors default after receiving the ransom payment and do not provide valid keys. Threat groups connected with the Phobos, Rapid, and Mr. Dec ransomware were known as frequent defaulters; they are less picky and accept any affiliate.

Even with valid decryptors, some data loss is to be expected. On average, 97% of the companies helped by Coveware were able to recover data. The 3% of files that were permanently lost were corrupted during encryption or decryption. More advanced attackers, like the Sodinokibi and Ryuk threat actors, are usually more careful when encrypting data, making sure that file recovery is achievable and their reputation isn't ruined.

The average downtime after a ransomware attack was 12.1 days in Q3 of 2019 and 16.2 days in Q4. This is mainly because of the growth in attacks on big businesses, whose sophisticated systems take more time to restore.

The statistics in the report normally cover only ransomware victims that engaged Coveware's services to negotiate with the attackers and help with recovery. Many companies opt to talk with the attackers themselves or use other ransomware recovery companies.