Average Ransom Payment Has Increased by 104% in Q4 2019

  • Ransomware families that belong to Ryuk and Sodinokibi are responsible for the huge rise in the ransom payments.
  • In Q4 of 2019, 98% of companies had received a working decryptor tool for the ransom paid.

With the increase in ransomware attacks, the average ransom payment has risen to 104% in the fourth quarter of 2019. A report from Coveware reveals that the ransomware attackers had collected an average of around $84,000 from victim organizations in the Q4 of 2019 when compared to $41,198 in Q3 of 2019.

Rise of infamous ransomware families

Ransomware families that belong to Ryuk and Sodinokibi are responsible for the huge rise in the ransom payments. These ransomware operators have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout.

For instance, Ryuk ransom payments have reached a new high of $780,000 for impacted enterprises. On the other hand, smaller ransomware-as-a service variants such as Dharma, Snatch and Netwalker continue to attack small businesses with demands as low as $1500.

Percentage of data recovered after paying a ransom

There are two success metrics to determine the outcome after a ransomware victim is forced to pay a ransom.

  • First, does the payment result in a working decryption tool being delivered? If the threat actor did not deliver the tool, then the data recovery rate stands at 0%.
  • Second, if a working decryption tool is delivered then how effective is it in decrypting the data? Files and servers can be damaged during or after the encryption process and this can affect data recovery rates when a decryptor tool is delivered.

How successful were the companies in the recovery process?

Coveware’s report highlights that in Q4 of 2019, 98% of companies had received a working decryptor tool for the ransom paid. However, this varies for types of ransomware and threat actor groups. For instance, certain threat actor groups associated with Phobos, Rapid and Mr. Dec ransomware consistently failed to give the decryption tool even after being paid.

In Q4 2019, victims who paid for a decryptor successfully decrypted 97% of their encrypted data, which is a slight increase from Q3.

How much downtime does a ransomware attack cause?

In Q4 of 2019, average downtime increased to 16.2 days from 12.1 days in Q3 of 2019. This increase in downtime indicates a higher prevalence of attacks against larger enterprises. Such enterprises have more complex networks, and restoring data via backups or decryption takes longer than restoring the network of a small business.

Additionally, researchers have noted that certain actors such as Ryuk have evolved their attacks to make them even more pervasive. This also greatly magnifies the impact of the attack on organizations.

Prominent attack vectors

The mass availability of Remote Desktop Protocol (RDP) credentials for as little as $30 per IP address was widely used by attackers to launch targeted ransomware attacks. This extremely cost-effective technique accounted for 57.4% of all attack vectors used to distribute ransomware.

Apart from this, email phishing made up to 26.3% of the most common ransomware attack vectors in the Q4 of 2019.

Bottom line

Interestingly, some ransomware variants such as Maze have publicly announced that they will attack organizations where a disruption to patient care may cause the loss of life. However, this does not decrease the count of ransomware attacks. Organizations in the public sector and professional services firms still make up the largest segment for ransomware attacks.