The average ransom payment paid out by victims increased 13 percent, to $41,000, during the last three months, but researchers noted the rate of increase has plateaued.
Researchers at Coveware credited the victims with being better prepared to restore their data on their own negating the need to pay the ransom. However, that was not enough to offset malicious actors using Sodinokibi and Globelmposter variants to go after big-game targets, like managed service providers and large enterprises, that potentially offer massive payouts.
And in many cases the payouts were excessive with Coveware noting that daily ransom payment amounts surpassed $100,000 on many occasions during the third quarter. The ransom amount peaked in mid-August at more than $150,000 and then dropped averaging well under $50,000 for the remainder of that month and September.
One of the primary reasons for not paying a ransom is that there is no guarantee the attacker will deliver an effective decryptor key. However, Coveware found that line of thought to be incorrect with 98 percent of those who paid the ransom receiving a good key that restored at least 94 percent of their data. There was one caveat with this data point, the threat actors behind Rapid and Dharma ransomware are known to default and not deliver a key after payment is made.
The amount of down time an organization suffered due to an attack also increased averaging 12.1 days, up from 9.6 days during the previous quarter.
“The increase in downtime was primarily driven by the increased number of successful attacks against larger enterprises. Larger enterprises have more complex networks and restoring data via backups or decryption takes longer than restoring the network of a small business,” Coveware reported.
During the third quarter the well-established Ryuk, Sodinokibi and Phobos were the three most common ransomware types in use but a new crop of malware, Snatch, Estemani, Hidden Tear and Netwalker, were being pushed.
Threat actors also focused on the public sector during this time with 13 percent of all attacks hitting these targets, up from three percent during the second quarter.
“No other sector experienced a change of such magnitude, and the attention that both federal and state lawmakers are paying to the problem is warranted. Until these organizations are able to right-size their IT security budgets and IT headcount, these attacks will certainly continue,” Coveware wrote.