$41,198 Average Ransomware Payment in Q3 of 2019

Ransomware continues to be one of the greatest cybersecurity threats confronted by healthcare institutions. Attacks have increased as well as ransom demands.

A recent analysis by Coveware, a company providing ransomware remediation and incident response, revealed that there is a 13% increase in the average ransom payment, which stands at $41,198 in Q3 of 2019. This amount is six times the average in December 2018. A lot of companies are paying substantially more. The ransom demand of threat actors that use the Ryuk ransomware in their attacks is usually hundreds of thousands of dollars. From Q2 to Q3 of 2019, Ryuk ransom payments were from $267,742 to $377,026. Attackers usually demand from large enterprises ransom payments that are over 1 million dollars.

Although no industry is without ransomware attacks, particular industries tend to have a higher probability of paying a ransom when attacked. The most attacked sectors by percentage are the:

  • professional services -18.3%
  • public sector – 13.3%
  • healthcare – 12.8%
  • software services – 11.7%
  • retailers – 8.3%

The attacks on MSPs or managed service providers have also increased. These attacks often call for more effort from the attackers, however, the potential returns are huge. A successful campaign on an MSP allows attackers to gain access to client information in their systems. The threat actors that use ransomware variants Sodinokibi and Globelmposter have been focusing attacks on MSPs and big businesses. Big businesses are also frequently attacked with Netwalker, Snatch and Hidden Tear ransomware variants.

Although Coveware did not disclose exactly how many clients have given ransom payments, Coveware CEO Bill Siegel mentioned there were hundreds.

Cybercriminals use different tactics to spread malware, the same goes with ransomware attacks. Coveware’s report indicates a noticeable shift in the conduct of attacks, which have become a lot more advanced. When cybercriminals started using ransomware, the attacks were mostly random and automated. Now, attacks are more focused on businesses using tactics typically involved with nation-state threat actors.

The attacks on the clients of Covewarewere were mostly via

  • stolen RDP credentials (50.6%)
  • phishing (39%)
  • exploitation of software vulnerability (8.1%)

Of course, ransomware developers would want the victims’ files to be recoverable, otherwise, no payments would be given. However, there is no guarantee of file recovery even after a ransom payment. Coveware’s statistics show that 98% of clients who paid ransom got working decryption keys, but data recovery on average was only about 94%.

The attackers that use Rapid and Dharma ransomware variants frequently do not provide viable keys to decrypt files after the ransom is paid. Mr. Dec ransomware’s encryption code is poorly written with decryptors allowing only 30% data recovery.

It is not necessary to pay the ransom in all cases as there are free decryptors available via the No More Ransom project. But the available decryptors do not work on the often-used ransom variants in quarter 3 namely Phobos (19.9%), Sodinokibi (21.1%), and Ryuk (22.2%).

File recovery is also possible using backups. However, in a lot of cases, backups are not updated but corrupted, so it is not possible to recover files. Backups may also be encrypted.