The average ransom payment paid by victims of ransomware attacks has risen as cyber criminals exploit vulnerabilities in software and remote desktop protocol (RDP) services as common means of infiltrating networks.
According to analysis by cybersecurity company Coveware's Quarterly Ransomware Report, the average ransom payment in the first three months of this year was $220,298 – up from $154,108 in the final three months of 2020.
One of the reasons the cost of ransom payments has grown so significantly is a rise in activity by some of the most notorious ransom groups, which demand millions of dollars in Bitcoin from victims in exchange for the decryption key.
This includes the Clop ransomware gang, which Coveware describes as "extremely active" in attacks targeting large victims and demanding very high ransom demands. It ranks at number four in the most common ransomware variants, accounting for 7% of all attacks even though it wasn't in the top 10 at all during the previous quarter.
The most common ransomware is Sodinokibi, which accounts for 14% of attacks, followed by Conti, which is behind 10% of ransomware attacks, and Lockbit, which is the third most common ransomware, with a 7.5% market share. Egregor is the fifth most common ransomware seen in the first quarter of 2020, accounting for 5.3% of attacks.
One technique that is helping to make ransomware attacks more successful is for cyber criminals to publish data they've stolen while inside the network. The idea is that victims fear the consequences of potentially sensitive information being exposed online – so give in and pay the ransom.
According to analysis by Coveware, 77% of ransomware attacks now involve a threat to leak exfiltrated data – up 10% compared with the final quarter of 2020.
Almost half of ransomware attacks begin with cyber criminals compromising RDP services, either by using stolen credentials, guessing default or common passwords or by exploiting unpatched vulnerabilities. There's also been a rise in software vulnerabilities being exploited as a means of infiltrating networks, particularly when it comes to those in VPN applications.
All of this has come together to result in an average of 23 days downtime following a ransomware attack – up by two days.
Something that can help organisations successfully recover from a ransomware attack is regularly updating backups of the network – and storing them offline – so if the worst happens, restoring the network is possible without giving in to ransom demands, making the exercise a pointless waste of time for cyber criminals.
But the best way to avoid damage from a ransomware attack is to avoid falling victim to one in the first place. Cybersecurity procedures that can help prevent this include avoiding the use of default usernames and passwords while also securing accounts with multi-factor authentication.
Organisations should also ensure the latest security patches are applied to software across the network, preventing cyber criminals from being able to exploit known vulnerabilities to plant ransomware attacks.
MORE ON CYBERSECURITY
- This company was hit by ransomware. Here's what they did next, and why they didn't pay up
- How to protect your organization's remote endpoints against ransomware
- Ransomware is growing at an alarming rate, warns GCHQ chief
- FBI and European law enforcement shut down VPN used by ransomware groups
- Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again