Cyber-attackers search enterprise networks millions of times every day to identify a vulnerability that can be exploited and provide access to sensitive company and personnel data. Even more devastating is when that exploit is used to encrypt the organization’s data, rendering it unable to continue business operations. A ransom is often requested in exchange for a key to decrypt the data.
While government agencies tell organizations to not give in to ransom demands, little empirical data is available about the outcomes of these attacks. What are the average ransom amounts, data recovery rates, and attacked industry sectors?
According to ransomware data collected in Coveware’s Q4 Ransomware Marketplace report, the cost for an organization to recover from a ransomware attack doubled from the third to the fourth calendar quarter of 2019. The other major highlight is that about 51 percent of identified ransomware attacks during Q4 2019 were either Sodinokibi or Ryuk variants.
The total cost of a ransomware attack includes the ransom payment (if made), the costs for network remediation, lost revenue and potential reputation damage to the brand. Until recently, ransoms were either paid or unpaid, and those paying hoped to receive a key to unlock their data. More recently, an increase in “pay or it goes public” attacks has occurred. The ransom is becoming more like a blackmail attempt, with the understanding that the impact to brand image, trust and reputation can have long-lasting effects on an organization that chooses not to pay.
In Q4 of 2019, the average ransom payment increased from $42,000 in the previous quarter to $84,000. While the median ransomware payment in Q4 was $41,000, the doubling of the average reflects the diversity of the threat actors that are actively attacking companies. Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies, where they can attempt to extort the organization for a seven-figure payout, according to the report. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises.
When a ransomware victim opts to pay the data captors, there are two metrics the organization will measure to determine the outcome: Was a working decryption tool delivered? Was the tool effective at recovering intact data?
In nearly all examples collected (98 percent), a working decryption tool was delivered upon ransom payment. This outcome did not change over the second half of 2019. Patterns have emerged about certain bad actors defaulting on tool delivery even after a payment has been made. This is important for an organization to consider when determining if a payment is likely to have the desired outcome.
Furthermore, 97 percent of those receiving a decryption tool were able to successfully recover their data. Similar to the observations made about decryption tool delivery, more sophisticated attackers tend to use encryption tools that are likely to restore data to a similar level of integrity when decrypted.
In Q4 of 2019, the average downtime for an organization impacted by ransomware increased to 16.2 days, from 12.1 days in the previous quarter. The increase in downtime was driven by a higher prevalence of attacks against larger enterprises, which often spend weeks fully remediating and restoring their systems. Established enterprises have more complex networks, and restoring data via backups or decryption takes longer than restoring the network of a small business.
Additionally, certain actors such as Ryuk have evolved their attacks to make them even more pervasive. In Q4, Ryuk actors began using a “Wake-on-LAN” feature to turn on devices within a compromised network that were initially powered off. This greatly magnifies the impact of the attack.
Ransomware is typically detonated during the night or early morning hours when oversight from security admins is limited. Infiltration during off-peak hours means that most machines are not running as the workday is over and most employees are gone. This feature turns their machines back on so that the number of encrypted endpoints is maximized.
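The Wake-on-LAN behaviour described above leaves a recognizable footprint on the wire: a magic packet is a 6-byte sync stream of 0xFF followed by the target MAC repeated 16 times, usually sent by UDP to port 9 or 7. The detector below is an added example, not code from the article or from Coveware; it parses that format from captured UDP payloads and raises an alert when a single source host wakes several distinct MACs within a short window, flagging whether the burst fell outside business hours. The event tuples, IP addresses, MACs and timestamps are constructed sample data, and the window, target threshold and business-hours boundaries are assumed tuning values.

```python
"""Detect bursts of Wake-on-LAN magic packets in captured UDP traffic.

Added example (not from the article or the Coveware report). Input events are
(timestamp, src_ip, udp_dst_port, payload) tuples as a capture tool might
yield them; the sample events at the bottom are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SYNC = b"\xff" * 6                       # six 0xFF bytes open every magic packet
MAC_LEN = 6
REPEATS = 16
BODY_LEN = len(SYNC) + MAC_LEN * REPEATS  # 102 bytes without a SecureOn password


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic
    packet, otherwise None. An optional 4- or 6-byte SecureOn password may
    trail the 16 MAC repetitions, so three total lengths are accepted."""
    if len(payload) not in (BODY_LEN, BODY_LEN + 4, BODY_LEN + 6):
        return None
    if payload[:len(SYNC)] != SYNC:
        return None
    mac = payload[len(SYNC):len(SYNC) + MAC_LEN]
    if payload[len(SYNC):BODY_LEN] != mac * REPEATS:   # all 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_bursts(events, window=timedelta(minutes=10), min_targets=3,
                    business_hours=(7, 19)):
    """Group magic packets by source host and flag any source that wakes at
    least `min_targets` distinct MACs inside `window`. The UDP port is not
    used as a filter because magic packets are honoured on any port.
    Returns {src_ip: {"targets": set, "first": ts, "last": ts, "off_hours": bool}}."""
    per_src = defaultdict(list)
    for ts, src, _dport, payload in events:
        mac = parse_magic_packet(payload)
        if mac is not None:
            per_src[src].append((ts, mac))

    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        alert, start = None, 0
        for end in range(len(hits)):            # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {m for _, m in hits[start:end + 1]}
            if len(targets) < min_targets:
                continue
            if alert is None:
                first = hits[start][0]
                alert = {"targets": set(), "first": first, "last": None,
                         "off_hours": not (business_hours[0] <= first.hour < business_hours[1])}
            alert["targets"] |= targets          # union across every qualifying window
            alert["last"] = hits[end][0]
        if alert is not None:
            alerts[src] = alert
    return alerts


def _magic(mac_hex: str, password: bytes = b"") -> bytes:
    """Constructed test payload: sync stream + MAC x16 (+ optional password)."""
    return SYNC + bytes.fromhex(mac_hex) * REPEATS + password


# Constructed sample capture: one benign daytime wake-up, one off-hours burst,
# one non-WoL UDP datagram and one malformed packet whose MAC copies disagree.
SAMPLE_EVENTS = [
    (datetime(2019, 12, 10, 9, 0, 5), "10.0.5.20", 9, _magic("001122334455")),
    (datetime(2019, 12, 10, 2, 13, 0), "10.0.9.77", 9, _magic("00aabbcc0001")),
    (datetime(2019, 12, 10, 2, 13, 1), "10.0.9.77", 9, _magic("00aabbcc0002")),
    (datetime(2019, 12, 10, 2, 13, 1), "10.0.9.77", 7, _magic("00aabbcc0003", b"\x00" * 4)),
    (datetime(2019, 12, 10, 2, 13, 2), "10.0.9.77", 9, _magic("00aabbcc0004")),
    (datetime(2019, 12, 10, 2, 13, 3), "10.0.9.77", 9, b"\x00" * BODY_LEN),
    (datetime(2019, 12, 10, 2, 14, 0), "10.0.9.78", 9,
     SYNC + bytes.fromhex("00aabbcc0005") * 15 + bytes.fromhex("00aabbcc0006")),
]

if __name__ == "__main__":
    for src, info in find_wol_bursts(SAMPLE_EVENTS).items():
        print(src, len(info["targets"]), "targets", "off-hours" if info["off_hours"] else "")
```

Feeding real traffic through this only needs a capture filter for UDP broadcast payloads and a tuned threshold; the value of the check comes from the baseline, since a legitimate management server that wakes machines for patching will show up on a fixed schedule from a known address, while the pattern described in the report is an unexpected host waking many endpoints at night.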
Some industries have been hit with ransomware more than others. The size of the data opportunity, potential number of impacted customers or end-users, and the likelihood that a ransom will be paid all factor into the target markets. The top five most-attacked organizations for ransomware in 4Q 2019 were:
These figures paint a tragic picture of the current state of ransomware in enterprise organizations. Attacks are happening more frequently, and attackers are finding vulnerabilities to exploit. Of greatest concern is that organizations are paying ransoms after assessing the risk to the business.
Improvements in the detection of phishing and account takeover attempts will shore up the first line of defense. Disaster recovery and business continuity plans must also include cyber-attacks, with response plans practiced in a manner similar to efforts made preparing for natural disasters.