Despite knowing better, many organizations cave in to attackers’ demands, paying ransomware operators whatever they ask for in exchange for the decryption keys to their locked data.
Studies show the business sector is maturing in terms of cyber-resilience, but organizations with weak cybersecurity sometimes prefer to pay up when hit by ransomware. High-profile examples include the healthcare industry, professional services, and the financial sector. According to new research by Coveware, players in these verticals tend to under-invest in IT security and have weak or no backup policies. At the same time, they have almost zero tolerance for data loss (data being the lifeblood of the business) so they end up paying ransomware operators following a breach.
However, playing into the hackers’ game also creates a vicious circle. First, paying the ransom encourages adversaries to strike again. Second, an organization like a healthcare facility may have to close its doors until it recovers critical scheduling and patient EMR servers, leading to disruption and lost business – not to mention risk to lives. And, as other studies have shown, the cost of downtime can devastate businesses.
The Coveware report underscores several other interesting findings regarding the ransoms. In the fourth quarter of 2018, the average ransom increased by 13% from the previous quarter ($5,973), reaching $6,733. Researchers suspect the increase reflects the more targeted nature of recent ransomware attacks. From the report:
“In Q4, ransomware distributors focused on larger targets and via bespoke RDP & social engineering attack vectors. Higher priced ransomware strains like SamSam and Ryuk also increased in frequency during Q4, despite the ubiquity of Dharma, GandCrab and GlobeImposter.”
Ransomware incidents last an average of 6.2 days, while the average cost related to downtime is around $55,000, according to the research. Notably, average downtime increased by 47% over Q3, a direct consequence of attacks where backup systems were wiped or encrypted. And 75% of organizations that paid a ransom had their backups compromised.
In the bad actors’ camp, the preferred ransom currency remains Bitcoin, demanded by 95% of attackers, but privacy-focused coins like Dash are picking up steam in recent attacks. The top attack vector remains Remote Desktop Protocol (RDP), followed by phishing and various forms of social engineering.
“Remote Desktop Protocol (RDP) based breaches were AGAIN the most prevalent ransomware attack vector in Q4. Accordingly, ransomware distributors are spending increased time inside of breached networks. Admin credentials are harvested so backups can be wiped or encrypted, ensuring the attack has maximum impact. We expect this attack vector to remain popular until the number of vulnerable targets shrinks,” researchers said.
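The RDP pattern the researchers describe, as an added example that is not part of the article or of the Coveware report: a small Python detector that reads Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and raises an alert when one source address racks up repeated failures and then logs in successfully, which is what a brute-forced or password-sprayed RDP endpoint looks like just before the credential harvesting and backup wiping begin. The flat key=value log format, the thresholds and the SAMPLE_LOG lines are constructed assumptions for illustration; in production the events would come from a log forwarder, and with Network Level Authentication enabled failed RDP attempts are often recorded as LogonType 3 rather than 10, so a real rule should widen that filter.

```python
"""Flag RDP brute-force followed by a successful remote logon.

Added example, not code from the Coveware report or the article.
Event IDs: 4625 = failed logon, 4624 = successful logon.
LogonType 10 = RemoteInteractive (RDP). The key=value line format and
the SAMPLE_LOG below are constructed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"            # with NLA, failures may show as type 3 instead
FAILURE_THRESHOLD = 5            # this many failures from one IP ...
FAILURE_WINDOW = timedelta(minutes=10)   # ... within this window, then ...
SUCCESS_GRACE = timedelta(minutes=30)    # ... a success this soon after the last failure

# Assumed flat format; a real forwarder (winlogbeat, WEF) would emit JSON/XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"IpAddress=(?P<ip>\S+)\s+TargetUserName=(?P<user>\S+)$"
)

# Constructed sample: one spraying source that eventually lands on 'backup',
# one internal non-RDP logon, and one user who simply mistyped a password.
SAMPLE_LOG = """\
2018-12-03T02:14:07 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2018-12-03T02:14:09 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2018-12-03T02:14:12 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=admin
2018-12-03T02:14:15 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup
2018-12-03T02:14:18 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup
2018-12-03T02:14:20 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup
2018-12-03T02:15:02 EventID=4624 LogonType=3 IpAddress=10.0.0.12 TargetUserName=svc-sql
2018-12-03T02:16:41 EventID=4624 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup
2018-12-03T02:20:00 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2018-12-03T02:20:30 EventID=4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "logon_type": m["lt"],
        "ip": m["ip"],
        "user": m["user"],
    }


def detect_rdp_bruteforce(lines):
    """Return a list of alerts for 'many RDP failures then success' per source IP.

    Lines are assumed to be in time order (as a forwarder would deliver them).
    """
    recent_failures = defaultdict(deque)   # ip -> deque of (ts, user) within FAILURE_WINDOW
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # ignore non-RDP logons entirely
        q = recent_failures[ev["ip"]]
        if ev["eid"] == 4625:
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > FAILURE_WINDOW:
                q.popleft()                 # slide the window forward
        elif ev["eid"] == 4624:
            if len(q) >= FAILURE_THRESHOLD and ev["ts"] - q[-1][0] <= SUCCESS_GRACE:
                alerts.append({
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures": len(q),
                    "users_tried": sorted({u for _, u in q}),
                    "success_ts": ev["ts"].isoformat(),
                })
            q.clear()                       # a success resets the counter for that IP
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['ip']} -> {alert['user']} after {alert['failures']} "
              f"failures (tried {', '.join(alert['users_tried'])}) at {alert['success_ts']}")
```

The success-after-failures condition is what separates a real compromise from background noise: an Internet-exposed RDP port sees failed logons all day, but a source that guesses repeatedly and then gets in is the session in which admin credentials will be harvested next. Correlating the alert with the first 4624 for that account on backup servers, or with `vssadmin`/backup-agent activity, is the natural follow-up.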
On the good side, 70% of organizations that paid to get their data back following a ransomware attack intend to increase their security spending to prevent future incidents. This finding is reflected in several other studies, including a recent survey by eSecurity Planet that paints “fear of data breaches” as the key driver behind increased cybersecurity budgets in 2019.