Ransomware Attacks and Ransom Payments Increased According to Coveware Study

Ransomware attacks increased in the second quarter of 2019, according to a new report by Coveware. Coveware is a service provider specializing in ransomware recovery: it helps businesses retrieve their data after a ransomware attack, either through free remediation or through a negotiated settlement with the attackers.

Coveware reviewed anonymized data on the ransomware attacks suffered by its clients and found that the average ransom payment rose by 184% in Q2 2019: the Q1 average was $12,762, while the Q2 average was $36,295.

In Q2 2019, the most common initial access vector was RDP ports, accounting for 59.1% of ransomware attacks. There was also a clear quarter-over-quarter surge in email-based attacks, which made up 34.1% of Q2 cases. Software vulnerabilities were exploited in 6.8% of attacks. The attackers behind the Sodinokibi ransomware exploited flaws in managed service provider (MSP) backend integrations (Webroot/Kaseya) to compromise MSPs and, through them, the MSPs’ customers.

Downtime typically follows a ransomware attack regardless of whether the victim paid the ransom or restored from backups. Average downtime in Q2 rose from 7.3 days to 9.6 days.

The primary reason for the longer downtime was the higher number of MSP attacks. Beyond the malware installed on the MSP itself, the ransomware propagates to the MSP’s customers through the remote connections the MSP maintains into their networks. Attacks of this scale naturally take more time to resolve.

Coveware notes a growth in attacks carried out by affiliates under the ransomware-as-a-service model. Many ransomware authors run their own campaigns and communicate with victims directly. Affiliates tend to be far more disorganized, which can complicate negotiations and cause problems during decryption, typically delaying recovery. The threat actors behind the Ryuk ransomware attacks delivered a decryptor within 3 hours of the ransom being paid, and the Sodinokibi attackers likewise provided decryptors promptly.

Organizations are reluctant to pay ransoms, but they often have no alternative. Without backups or otherwise recoverable data, paying the ransom is the only way to avoid major data loss.

The cost of recovering from a ransomware attack consists of two parts. The first is the cost of mitigating the attack: forensic analysis, restoration of servers and workstations, removal of the ransomware, and recovery of files. Paying the ransom also counts as a mitigation cost. The highest ransom payment demanded by attackers, amounting to $267,742, was associated with the Ryuk ransomware attacks.

Mitigation costs together with the ransom payment form only part of the total recovery cost. The largest cost is downtime, since productivity drops sharply and the business loses income. Coveware’s report indicates that downtime losses amount to 5 to 10 times the ransom paid.

A quick recovery lessens the cost, but paying the ransom does not guarantee that files will be recovered. Only 96% of clients that paid the ransom succeeded in decrypting their data.

Even when the decryptor is genuine, some data is likely to be lost because of a flawed encryption process. Some files may have been corrupted, and files are sometimes deleted during encryption or during recovery. On average, 8% of files are lost during decryption; the figure was 13% for the Ryuk ransomware attacks. Sodinokibi is a more advanced variant in that a 100% file recovery rate is achievable.

The most common ransomware variants, by share of cases, were: Ryuk, 23.9%; Phobos, 17%; Dharma, 13.6%; and Sodinokibi, 12.5%.

Ryuk ransomware attackers target medium to large companies, with an average of around 3,187 employees. Sodinokibi ransomware attackers largely target small MSPs, with an average of around 79 employees.

The average size of victim organizations also grew: victims had an average of 141 employees in Q1, rising to an average of 925 employees in Q2.