zephyr_p - stock.adobe.com

Research finds ransomware payments, demands increasing

Research from incident response vendor Coveware and national law firm BakerHostetler show massive increases in both ransomware demands and payments from victims.

Threat actors are demanding increasingly larger sums of money from ransomware victims, according to new research.

Two recent reports from incident response company Coveware and Cleveland-based law firm BakerHostetler, show a significant increase in ransomware payments from the end of last year which continued in the first quarter of 2020.

In Coveware's report, the vendor found that in the first quarter of 2020, the average enterprise ransom payment increased to $111, 605, up 33% from the end of last year. The report is based on victim demographics and resolutions metrics based on actual ransomware cases handled by the Coveware Incident Response team.

According to the report, ransomware distributors increasingly targeted large enterprises and were successful in forcing ransom payments for the safe recovery of data. "Large enterprise ransom payments are the minority by volume, but the size of the payments dramatically pulled up the average ransom payments," Coveware wrote in the report.

BakerHostetler's sixth annual Data Security Incident Response Report also shows an uptick in both demands and payments, stating the average ransom paid increased by a factor of 10 to $302,539; the highest ransom demand the law firm saw last year was $18.8 million. The report contains response metrics and related insights from more than 950 incidents the firm helped clients manage in 2019.

Although the report is based on 2019 data, the trends -- including an increase in ransom payments -- have continued into 2020, said Craig Hoffman, leader of BakerHostetler's digital risk advisory and cybersecurity team. One trend in particular will only get worse as the year progresses.

"We mentioned there's a group [Maze] that started at the end of 2019 that would steal data before they encrypted it in order to make a more impactful demand. More groups have started doing it because they saw how successful it was for the first group and I think that's only going to increase this year," Hoffman said.

Other ransomware trends

The two reports contained additional findings that were troubling. For example, Coveware also found the ransomware payment success rate had rose to 99%, though the vendor added a small caveat to the data.

"Our success rate is likely not representative of the universe of attacks. We have the ability to screen out less reputable actors and advise clients to avoid them," Coveware CEO Bill Siegel said.

Though the Coveware report shows poorly secured remote desktop protocol (RDP) access points as the most common attack vector for ransomware attacks, managed service providers are also susceptible. "MSPs are being targeted by multiple threat actor groups now, not just Sodinokibi," Siegel said.

BakerHostetler reported that 96% of clients received decryption keys after paying the ransom, while 97% of the payments were made by a third party, such as a law firm or incident response provider, on behalf of the victim organization. Once a threat actor is successful with an attack, enterprises may engage in negotiations with threat actors in order to make a lower payment than the original demand, Hoffman said, and the longer a company can hold off paying, the lower the payment ends up being.

"Payment negotiations depend on a couple of factors, primarily how fast do you need your system back because you don't have any other option," Hoffman said. If your computers are down, backups are gone or you didn't have them and you're losing money immediately, you need to pay that day and when you need to pay same day maybe you get a 10% discount or you're paying 100% [of the ransom demand]. If you can wait a few days and negotiate you can get 10% to 50% discount. If you can wait a couple of weeks or only need a few things back, you can get even more of a discount."

Unfortunately, Hoffman said, attackers typically know who they've encrypted and how damaging downtime will be, which adds difficulty to negotiations. "The negotiating strategy is really about time. On the company side, you're trying to convince the attackers it's not as dire as they think it is."

Dig Deeper on Threats and vulnerabilities