Ransomware Payments Surge 33% as Attacks Target Remote Access

Written by

The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organizations struggled to mitigate remote working threats, according to Coveware.

The security vendor analyzed ransomware cases handled by its own incident response team during the period to compile its latest findings.

It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.

Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.

Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.

“RDP credentials to an enterprise IP address can be purchased for as little as $20 on dark marketplaces. Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist,” said Coveware.

“Until the economics of carrying out ransomware balance (by either bringing the monetization success rates down or by making attacks prohibitively expensive) ransomware and cyber extortion will continue to gain prevalence.”

Interestingly, only 8.7% of cases investigated by the vendor involved data exfiltration, although it became much more popular during the quarter. Maze, Sodinokibi, DopplePaymer, Mespinoza, Netwalker, CLoP, and Nephilim were all highlighted as likely to steal data.

Coveware also pointed out that, although the trend of “big game hunting” has been widely publicized, ransomware is more likely to affect smaller firms. The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.

On average, victim organizations suffered 15 days of downtime.

What’s hot on Infosecurity Magazine?