Average Ransom Payment Rises 60 Percent in Three Months, Study Finds

Companies continue to pay ransomware demands, and the latest data reveals a 60 percent increase in the average ransom payment in just three months.

Some very large companies like Cannon and Garmin have fallen prey to ransomware in the past few months. Threat actors adjusted their techniques to include data theft and blackmail, threatening the affected organizations to release stolen information.

It's a mistake to believe that only big companies are affected by ransomware. In fact, it's just the opposite, as many people have started to work from home, with a 41% increase in remote desktop protocol (RDP) sessions. This alone has opened the door for bad actors and enlarged the attack surface.

According to Coveware, the average ransom payment for Q2 2020 was $178,254, 60 more than Q1's $111,605 average. The profile of the attackers remains pretty much the same, with a few key differences.

"Prior to big game tactics, the ransomware sphere was dominated by opportunistic spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise," says the study.

The most significant difference, the exfiltration of data, is becoming more common. It also means that threat actors spend a lot of time inside the compromised infrastructure and doubles up the ransomware incident with a data breach.

The study also shows a much more evenly distributed market share of the ransomware variants. While Sodinokibi (REvil) is the biggest player, with a 15.4 percent market share, Maze, Phobos and Netwalker hover around 7 percent.

Data recovery remains a problem, with security experts and police advising against paying ransom. In many cases, companies choose to pay to get back to business quickly, but payments do not guarantee recovery. In the past few months, the recovery process failed due to flawed decryption tools on more than one occasion.

"Payment defaults remain rare and occurred just 2% of the time, though some variants had a much higher default rate than others,” the study adds. “The efficacy of the decryption tools also varies widely across variants. While a victim's data files may be recovered, we are increasingly seeing corruption of operating systems, and permission registries. Rebuilding machines and permissions policies often adds substantial downtime costs.”

Finally, the average downtime after an attack is up 7 percent from Q1 2020. While this might be true for small and medium businesses, large organizations could remain crippled for weeks or months before resuming normal operations.