Average Enterprise Ransomware Payments Surge 33% in First Quarter

The average payment to ransomware operators increased in the Q1 2020, according to a new Coveware report. The COVID-19 pandemic and the troubling economic times are making their mark on ransomware attacks, leaving companies more willing pay. 

Ransomware remains a plague on the enterprise sector, with attackers using a wide variety of vectors to compromise different industries. There are no new significant players when it comes to ransomware, but two interesting trends are slowly developing. 

Firstly, some attackers have refused to attack healthcare institutions in light of the COVID-19 outbreak, while others had no compunction in this regard. Secondly, attackers are now resorting to blackmail by exfiltrating files during attacks. If a company decides not to pay, leaked data is used to coerce them.

Ransomware payments are on the rise 

One of the most significant metrics identified by Coverware is a 33% increase in the average enterprise ransom payment increased, up to $111,605, in comparison with Q4 2019. Not surprisingly, most payments made are not big ones, with the median ransom payment remaining around $44,021. 

The most common types of ransomware also remained the same, with Sodinokibi (26.7%), Ryuk (19.6%) and Phobos (7.8%) holding steady, with only a caveat. 

“The 3 most common ransomware types remained the same between Q4 2019 and Q1 2020” states the Coveware report. “Towards the end of Q1 the prevalence of Ryuk and other Hermes variants began to dissipate. The reason for this change is not currently understood. However, the change in prevalence was preceded by observable changes in threat actor behavior.”

As for the targets themselves, small and medium-sized professional service companies such as law firms and IT managed service providers remain the industry hit the most, suffering 18.1% of all attacks. Healthcare is in second place, with 13.8%, and the public sector with 12%.

More worrying statistics

This takes us to one of the more problematic statistics -- the payment success rate, which rose slightly to 99%. But such numbers need to be looked up in context, and it doesn’t mean that companies will get access to their data in 99% of the cases.

“Coveware actively tracks threat actor groups that have a high likelihood of defaulting and those that more reliable. We often advises companies NOT to pay because of the risk of payment default,” the report also states.  “Every threat actor has their own risk profile.  When no payment is made, no default has the opportunity to occur. This likely makes our Payment Success Rate higher than if we were able to accurately measure success rates across every victim of ransomware.” 

As for data exfiltration, it took place in 8.7% of all cases recorded by the company in Q1 2020, a tactic employed by Maze, Sodinokibi, DopplePaymer and a few others.