
Average ransom payment up 33 percent in Q1, Sodinokibi and Ryuk top variants

The ever industrious and forward-looking groups behind the majority of ransomware attacks essentially reinvented the business during the first quarter of 2020, developing new tools and methods that helped boost their success rate.

The advent of the COVID-19 pandemic certainly helped these cybercriminals by giving them additional avenues to pursue, but the new strategies would likely have been implemented even if coronavirus did not exist. The immediate result was a 33 percent increase in the average ransom payment, primarily driven by a few very large payments, according to Coveware’s latest report.

The average ransom payment was $111,605 for the first quarter, although the median payment remained relatively stable, increasing only about $3,000 to $44,021 during this period. For historical perspective, ransom payments averaged under $10,000 during the third quarter of 2018.

The three most used ransomware variants were Sodinokibi, seen in 26.7 percent of cases; Ryuk, used in 19.6 percent of attacks; and Phobos and Dharma, tied for third at 7.8 percent each. Coveware noted that Ryuk usage was dropping near the end of the quarter, although analysts were not sure why.

Tactically, the most important change was the addition of an extortion component to some attacks. Maze, DoppelPaymer and Sodinokibi all began exfiltrating data prior to encrypting a system and then holding it hostage, threatening to publish it unless the target paid up. This practice was practically unknown before the start of the year.

“Coveware expects data exfiltration threats to increase in 2020 as more threat actor groups try to raise conversion rates on their attacks. Some groups created public ‘news’,” the report said.

Each ransomware type was used to target entities of a different size. Ryuk, on average, was used against large organizations of 1,000 or more workers, while Sodinokibi targeted medium-sized firms averaging about 370 people, and Phobos was a small-business weapon, hitting companies averaging 81 people. With that noted, it is no surprise that Ryuk by far garners the largest ransom payouts, averaging $1.4 million each, compared to $327,931 for Sodinokibi and $15,761 for Phobos.

The most common attack vector was poorly secured Remote Desktop Protocol (RDP) access, used about 60 percent of the time, because RDP credentials can be bought for as little as $20 on the dark web and then combined with a cheap ransomware kit. Email phishing was the next most used vector at about 30 percent.

Small and medium-sized professional service firms such as law firms, IT managed service providers and CPA firms continued to be the most targeted industry subset, with healthcare and the public sector rounding out the top three most-targeted sectors.

The onset of COVID-19 and the associated shutdown of schools did give ransomware gangs one out-of-season opportunity.

Normally, education is targeted during the summer, when the threat of not being able to open in time for the fall semester can be a driving force behind paying a ransom in order to regain control of a network. With schools across the country shutting down in March, there was a huge shift toward attacking these institutions, with 50 percent of all attacks hitting this segment during the first quarter.

The only good news, if it can be described as such, is that Coveware found that when a ransom is paid, the attackers follow through and deliver a decryption tool 99 percent of the time, and in 96 percent of those cases the tool worked.

However, there were exceptions. Variants like Mespinoza, DeathHiddenTear and Buran caused data loss upon encryption and also delivered decryption tools with bugs that led to additional data loss, the report stated.
