Ransomware: Average Ransom Payment Drops to $137,000Fewer Victims Paying Attackers Simply to Delete Stolen Data, Coveware Reports
Good news on the ransomware front: The average ransom paid by a victim dropped by 38% in the second quarter of this year, compared to the first quarter, reaching $136,576.
See Also: Creating a Culture of Security
So reports ransomware incident response firm Coveware, based on thousands of cases it investigated. The median ransom payment paid by victims also decreased by 40% in the second quarter to reach $47,008.
"For a single ransomware attack to run full cycle, there may be over a dozen unique actors, each with a different specialized skill set that contribute to different stages of the attack."
Coveware traces the decline in the average amount victims are paying to a reduction in the quantity of attacks by some ransomware operations, such as Ryuk and Clop, that are known for demanding ransoms worth big bucks. In addition, the firm says there has been an influx of new players targeting relatively smaller organizations and demanding correspondingly lower ransom amounts.
In Q2, Coveware says the most prevalent strain of ransomware tied to attacks it investigated was Sodinokibi, aka REvil, followed by Conti v2, Avaddon, Mespinoza and Hello Kitty. All of the gangs behind those strains function as ransomware-as-a-service operations, meaning operators maintain a portal where affiliates can download their crypto-locking malware and use it to infect victims. Whenever a victim pays a ransom, the operator and affiliate share in the profits.
Double Extortion Loses Luster
Another welcome finding from Coveware's research is that the tactic of threatening to leak exfiltrated stolen data, to better force victims to pay, appears to be losing some of its efficacy. This tactic was introduced by the now-defunct Maze gang in late 2019. It really caught on last year, with a majority of ransomware-wielding attackers claiming to have stolen data.
Using stolen data, many attackers practice so-called double extortion, meaning they demand a ransom payment if a victim wants a decryptor to restore access to forcibly encrypted files - for example, if they cannot restore from backup, or cannot do so quickly. Attackers then demand a separate ransom payment if a victim wants a promise that all stolen data will get deleted, rather than being leaked or auctioned. Victims who want to pay for both options, meanwhile, may get a "special rate."
Attackers have continued to double down on actual or claimed data exfiltration. From Q1 to Q2, the number of attacks that included a threat to leak stolen data increased from 76% to 81%, Coveware reports.
Thankfully, however, fewer victims are paying their attackers for a promise to delete stolen data. Last year, Coveware says nearly 65% of all victims that only faced the threat of a data leak - meaning they did not need to pay a ransom in return for the promise of a decryption tool - still paid attackers. But from April to June of this year, only half of victims in the same situation opted to pay, it says.
As always, attackers tend to demand payment in either bitcoin or monero cryptocurrency, and they sometimes offer a discount for using the latter because it's more privacy-preserving and difficult for law enforcement agencies to trace.
Initial Access: RDP and Phishing Still Rule
How are attackers getting in? Historically, the top attack techniques for gaining an initial foothold in networks have been phishing attacks and brute-forcing remote desktop protocol credentials, with exploiting software vulnerabilities coming a distant third; Coveware reports that those trends continue to hold.
"Some of the most heavily trafficked software vulnerabilities exploited for access by ransomware actors in Q2 were unpatched VPN and firewall appliances, including Fortinet (CVE-2018-13379) and SonicWall (CVE-2019-7481)," it says.
Operations Upscale to Hit Larger Targets
Some ransomware organizations - including REvil and Ryuk - continued to practice big game hunting to obtain larger individual ransom payments.
To achieve this, these ransomware operations have been recruiting more specialists to help them take down larger targets that may have better security. Specialists also help to reliably encrypt and decrypt large quantities of data - so paying victims get what they paid for - as well as handle what attackers call negotiations and what victims would probably more accurately categorize as extortionists' shakedowns.
"For a single ransomware attack to run full cycle, there may be over a dozen unique actors, each with a different specialized skill set that contribute to different stages of the attack," Coveware says. "When it appears a ransomware group is focusing on a specific method of ingress, it is probable that they have just found a specialist that is upstream of them and is selling network access to future victims that fit the profile of the RaaS group. Oftentimes, these upstream specialists are selling this access more than once, creating competition to impact the network before a competitor does."
Smaller Businesses at Bigger Risk
While big game hunting remains a top tactic for more advanced ransomware operations, Coveware notes that more than three-quarters of all attacks affect organizations with fewer than 1,000 employees.
"These firms are much less likely to have the budget to implement the bare minimum protections necessary to keep them safe from ransomware attacks," it says. "More so than large enterprises, small businesses may outsource IT entirely to third-party providers and inadvertently create a vulnerable entry point if the methods the vendor is using to manage the company are not airtight and routinely audited."
Top Defense: Multifactor Authentication
For organizations that want to better defend against ransomware, one question executives should be asking security teams is whether all administrator accounts for Active Directory are secured using mobile app-based multifactor authentication. Especially for larger businesses, everything an attacker does - gaining access to a network, moving laterally - is typically a prelude to taking control of Active Directory, which they can use to distribute crypto-locking malware throughout an organization.
"Coveware has yet to witness a ransomware attack where domain administrator credentials were compromised after multifactor authentication - mobile, not token-based - was overcome," it says.
Other defenses can also block or delay attacks and aren't expensive to implement. For example, "simple configurations, such as disabling the ability for user machines to run command-line and scripting activities, can prevent privilege escalation and lateral movement," Coveware says.
Groups Likely to Re-Form
Reflecting how quickly the ransomware landscape can change, two of the Q2 most-seen ransomware-as-a-service operations now appear to have disappeared. In June, the Avaddon group called it quits, releasing a complete set of decryption keys for victims, with experts noting that fear of prosecution appears to have driven its exit.
The REvil operation has also gone quiet since unleashing a July 2 attack via IT remote management software built by Kaseya, allowing it to infect an estimated 60 managed service provider customers and up to 1,500 of their clients. Subsequently, REvil's infrastructure went dark, and three weeks after the attack, Kaseya announced it had obtained a working decryptor it was using to restore all victims' files. The company has not said if it paid a ransom to REvil, which had been demanding tens of millions of dollars (see: Has REvil Disbanded? White House Says It Doesn't Know).
While the fate of REvil remains unclear, the operation appeared to have been spun off from another ransomware-as-a-service operation called GandCrab just prior to its retirement in mid-2019, when it claimed affiliates had earned $2 billion. Coveware notes that many affiliates moved to REvil, and even if the operation bearing that name disappears, "we do not expect this group to remain on the bench for long." Its "close-knit group of affiliates" likely haven't closed up shop either, it adds, noting that these "affiliates have likely already found new RaaS operations to leverage in their attacks."