Ransom Demands Increasing as More Virulent Viruses Emerge

The average ransom paid to cyber criminals nearly doubled to $12,762 per incident in the first quarter of 2019, compared to $6,733 during the fourth quarter of 2018, according to a report released today by Coveware, a cybersecurity firm based in Norwalk, Connecticut that specializes in responding to cyber ransom demands.

Coveware said the heftier ransoms are driven by the increased “market share” of more sophisticated and virulent types of ransomware, such as Ryuk, Bitpaymer and i-encrypt. Ryuk especially has been a headline-grabbing virus since the start of this year, and is suspected in attacks against the Los Angeles Times and Norsk Hydro in recent months.

The viruses are typically planted in networks through targeted attacks on large businesses, said Coveware partner Bill Siegel. Typically the cybercriminals use phishing, which means sending an email that appears legitimate but is designed to trick the user into downloading malware. They may also attack directly through remote desktop protocol, accessing a portal that is poorly secured through “brute force,” meaning trying out thousands of common passwords, or by purchasing credentials on dark market sites. The hackers then survey the network, mapping machines and domain controllers before installing the virus in every directory and computer that it can reach.

The cybercriminals typically wait until the weekend, when fewer users are online, to surveil the system and implant their malware. They follow up with a ransom demand that appears on every infected computer in a readme text file, Siegel said.

The better the bug, the more expensive the ransom. McAfee, in a report written in conjunction with Coveware and released in February, said typically the hackers ask for $145,000 in bitcoin. They accept, on average, $71,000, according to that report.

But Coveware said in the first three months of 2019, the average ransom amount paid to cleanse the Ryuk virus was $286,557. That compares to an average ransom paid of $9,743 for the Dharma virus and $7,995 for GandCrab.

“Ryuk continues its shock and awe campaign with ransom demands that are an order of magnitude larger than its peers,” the Coveware reports says. “Ryuk tends to target much larger organizations that have both the capacity to pay these larger demands, but also a much lower tolerance for downtime.”

Siegel said in an ideal world, no ransom would ever be paid. But Ryuk is a sophisticated virus that can not be decrypted without a decryption key that is available only from the entity that planted the bug.

“The reality that we live with is the way these ransomware attacks are occurring, they are putting these companies in the position of facing catastrophic or existential data losses, or to pay these ransom demands,” Siegel said.

The cost of a virus infection goes far beyond the ransom paid. Coveware’s ransomware incidents lasted an average of 7.3 days in the first quarter and the downtime costs businesses an average of $64,645. That compares to average 6.2 days of downtime in the fourth quarter of 2018.

At least when ransom is paid, a decryption tool is provided 96% of the time. But that doesn’t mean the organization will emerge from the shakedown unscathed.

Siegel said decryption keys tend to be “buggy.” Not all of the data that was locked down by the virus is accessible once it is removed. In fact, only about 80% of the encrypted data is recovered after a Ryuk attack. That compares to close to 100% for GandCrab. On average, ransomware victims recovered 93% of the data that is encrypted during cyberattacks.

While Ryuk is taking aim at large organizations, Siegel said increasingly cybercriminals are attacking small businesses and demanding relatively small ransoms, which is why the average ransom paid was only $12,762. Often, law firms, accounting firms and small health care organizations that “under-invest” in information technology and have no tolerance for data loss are targeted. The ransom may be small, but the criminals know they are more likely to be paid.

Chubb, the New Jersey-based commercial insurance carrier, noted the increasing risk to small and mid-sized businesses (SMEs) in its first quarter InFocus Report.

“Cyber criminals know that SME leaders may mistakenly think that cyber security services are beyond their means, which makes SMEs more vulnerable to an attack,” stated Anthony Dolce, vice president, cyber lead, for Chubb North America financial lines claims. “However, we are living in an age where cyber attacks are constantly evolving and threatening businesses of all sizes, but especially small to mid-size businesses. Therefore, it remains critical for companies to understand this present age and develop strong risk mitigation strategies to lessen the impact of cyber threats.”