[BreachExchange] Ransom payments averaging $41,000 per incident

Destry Winant destry at riskbasedsecurity.com
Wed Nov 13 10:09:17 EST 2019


https://www.scmagazine.com/home/security-news/ransomware/ransom-payments-averaging-41000-per-incident/

The average ransom payment paid out by victims increased 13 percent,
to $41,000, during the last three months, but researchers noted the
rate of increase has plateaued.

Researchers at Coveware credited the victims with being better
prepared to restore their data on their own, negating the need to pay
the ransom. However, that was not enough to offset malicious actors
using Sodinokibi and GlobeImposter variants to go after big-game
targets, like managed service providers and large enterprises, that
potentially offer massive payouts.

And in many cases the payouts were excessive, with Coveware noting that
daily ransom payment amounts surpassed $100,000 on many occasions
during the third quarter. The ransom amount peaked in mid-August at
more than $150,000 and then dropped, averaging well under $50,000 for
the remainder of that month and September.

One of the primary reasons for not paying a ransom is that there is no
guarantee the attacker will deliver an effective decryptor key.
However, Coveware found that line of thought to be incorrect, with 98
percent of those who paid the ransom receiving a good key that
restored at least 94 percent of their data. There was one caveat with
this data point: the threat actors behind Rapid and Dharma ransomware
are known to default and not deliver a key after payment is made.

The amount of downtime an organization suffered due to an attack also
increased, averaging 12.1 days, up from 9.6 days during the previous
quarter.

“The increase in downtime was primarily driven by the increased number
of successful attacks against larger enterprises. Larger enterprises
have more complex networks and restoring data via backups or
decryption takes longer than restoring the network of a small
business,” Coveware reported.

During the third quarter, the well-established Ryuk, Sodinokibi and
Phobos were the three most common ransomware types in use, but a new
crop of malware (Snatch, Estemani, Hidden Tear and Netwalker) was
being pushed.

Threat actors also focused on the public sector during this time, with
13 percent of all attacks hitting these targets, up from three percent
during the second quarter.

“No other sector experienced a change of such magnitude, and the
attention that both federal and state lawmakers are paying to the
problem is warranted. Until these organizations are able to right-size
their IT security budgets and IT headcount, these attacks will
certainly continue,” Coveware wrote.

