Ransomware: Average Business Payout Surges to $111,605Coveware: Ryuk and Sodinokibi Largely Responsible for 33% Increase in Average Payments
The average ransom paid by victims to ransomware attackers reached $111,605 in the first quarter of this year, up 33% from the previous quarter, reports ransomware incident response firm Coveware. In addition, every attacker now typically demands a ransom payment only in bitcoins.
A new report from Coveware charting trends it saw in the first quarter among its clients found that 8.7% of the more than 1,000 ransomware cases the firm worked on involved attackers stealing data from an organization and threatening to release it publicly unless victims paid the ransom demand.
While Maze was the first gang to practice that tactic in late 2019 - and used it in 99% of cases as the gang has shifted its focus to smaller targets - it's been exfiltrating less data, Coveware reports.
Other gangs that have been using this tactic in recent months include Sodinokibi, DopplePaymer, Mespinoza, Netwalker, CLoP, Nephilim and Sekhmet (see: More Ransomware Gangs Join Data-Leaking Cult).
Coveware CEO Bill Siegel tells Information Security Media Group that it's still not clear if stealing and threatening to dump data gives attackers any edge. "It is inconclusive right now if it leads to more frequent payments," he says. "I do not think it leads to higher payments though."
In rankings that remain unchanged from the fourth quarter of 2019, Sodinokibi, aka REevil, was the most common type of ransomware tied to successful attacks among Coveware's clients. The ransomware-as-a-service operation provides customized versions of crypto-locking code to each affiliate, keyed to a unique ID. Whenever a victim pays, the affiliate gets a 60% cut, rising to 70% after a few successful payments get received, while the operators pocket the rest (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
The next most prevalent strains of ransomware seen in the first quarter were Ryuk and Phobos. But toward the end of that period, the prevalence of Ryuk - and other variants of Hermes ransomware - notably decreased, Coveware says, noting that "the reason for this change is not currently understood."
In the first quarter, Coveware found that ransoms tied to Phobos remained broadly consistent, while attackers wielding Ryuk began to demand greater ransom amounts - both initially and in their final-offer demands - despite hitting, on average, smaller companies.
Sodinokibi affiliates, meanwhile, continued to tailor their demands to the size of targets, and they hit both very large and very small organizations. "A single large organization may have a $1 million ransom demand," Coveware says. "Other times, Sodinokibi targeted a managed service provider's clients and tried to extort each individual end client for $5,000 to $10,000."
Security experts say different Sodinokibi affiliates have different skill levels and specialties, such as hacking MSPs to try and obtain access to all of the endpoints they manage (see: Texas Ransomware Responders Urge Remote Access Lockdown).
Some Sodinokibi affiliates have also been actively scanning for vulnerable VPN installations. In an April 1 alert, the FBI warned that Sodinokibi affiliates had been running mass port scans to identify Pulse Secure VPN servers that remained unpatched for CVE-2019-11510, for which patches were released in May 2019. Attackers have been exploiting the vulnerability to infect systems with ransomware.
Most Common Ransomware by Market Share
- Sodinokibi: 26.7%
- Ryuk: 19.6%
- Phobos: 7.8%
- Dharma: 7.8%
- Mamba: 4.8%
- GlobeImposter: 4.4%
- Snatch: 2.6%
- IEncrypt: 2.2%
- 777: 2.2%
- MedusaLocker: 2.2%
Some of these strains have been tied to advanced attacks (see: 10 Ransomware Strains Being Used in Advanced Attacks).
But the majority of attacks seen by Coveware targeted small and midsize businesses, including such types of professional service firms as law firms, IT managed service providers and certified public accountants.
More Mamba, Less Decryption
During the first three months of this year, Mamba ransomware became more prevelant. "Mamba ransomware involves the combination of a boot-locker program and full-disk encryption via commercial software," Coveware says. "The bootloader screen is used as a ransom note. Decrypting the full-disk encryption requires passwords that only the threat actor holds."
On the upside, for victims who pay a ransom, Mamba has historically provided nearly 100% restoration reliability, Coveware reports. In the first three months of this year, looking at all strains of ransomware, organizations that paid a ransom recovered, on average, 96% of their crypto-locked data, down slightly from previous months, it says.
Due in part to shoddy coding and poorly implemented encryption, some strains of ransomware are more likely to leave data corrupted even if victims pay for and use a decryption tool.
"Specifically, variants like Mesponinoza, DeathHiddenTear, and Buran caused data loss upon encryption and also delivered decryption tools with bugs that lead to additional data loss," Coveware says. "The variability of average data recovery rates varied dramatically between variants. Some ransomware variants had predictable recovery rates, close to 100%, while others were as low as 40%."
Top Attack Vector: RDP
How are attackers accessing organizations to infect them with crypto-locking malware?
"Poorly secured remote desktop protocol access points continued to be the most common attack vector," Coveware says. Stolen or brute-forced credentials can be obtained on various cybercrime forums for as little as $20 each (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).
"Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist. Until the economics of carrying out ransomware balance - by either bringing the monetization success rates down or by making attacks prohibitively expensive - ransomware and cyber extortion will continue to gain prevalence."
Even relatively unskilled attackers - for example, those who wield Phobos, an extremely common RaaS offering that anyone can pay to use - have been tapping stolen RDP credentials to access networks.
"On the other end of the spectrum, Ryuk ransomware typically relies on integrations with sophisticated spear phishing and banking Trojan integrations, such as TrickBot and Emotet, that enter organizations via a subtle and strategic attack vector," Coveware notes (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
Hospitals Still Under Fire
As the COVID-19 pandemic continues, some ransomware operators pledged to not target healthcare organizations or to provide them with free decryptors if they got hit. With Coveware reporting that the average downtime following any successful ransomware infection is 15 days, however, even if attackers honored those promises, they were still causing dangerous disruptions, as well as continuing to target supply chains.
In recent months, attackers wielding multiple ransomware variants - "including Ryuk, DoppelPaymer and Defray777" - have also continued to actively target hospitals (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).
Law enforcement agencies and security experts continue to recommend that all organizations put in place the right defenses, including well-tested backup and recovery systems, to ensure that they never have to pay a ransom. Even so, ransomware-wielding attackers continue to accumulate a massive number of new victims.