Ransomware extortion demands are growing, and so is the downtime caused by attacks

The exploitation of vulnerabilities in RDP services and other software, combined with threats to leak stolen data, is paying off for ransomware gangs as victims pay up.
Written by Danny Palmer, Senior Writer

The average ransom payment paid by victims of ransomware attacks has risen as cyber criminals exploit vulnerabilities in software and remote desktop protocol (RDP) services as common means of infiltrating networks.

According to analysis by cybersecurity company Coveware's Quarterly Ransomware Report, the average ransom payment in the first three months of this year was $220,298 – up from $154,108 in the final three months of 2020.

One of the reasons the cost of ransom payments has grown so significantly is a rise in activity by some of the most notorious ransom groups, which demand millions of dollars in Bitcoin from victims in exchange for the decryption key.


This includes the Clop ransomware gang, which Coveware describes as "extremely active" in attacks targeting large victims and making very high ransom demands. It ranks at number four among the most common ransomware variants, accounting for 7% of all attacks, even though it wasn't in the top 10 at all during the previous quarter.

The most common ransomware is Sodinokibi, which accounts for 14% of attacks, followed by Conti, which is behind 10% of ransomware attacks, and Lockbit, which is the third most common ransomware, with a 7.5% market share. Egregor is the fifth most common ransomware seen in the first quarter of this year, accounting for 5.3% of attacks.

Other ransomware variants commonly used in attacks at the moment include Avaddon, Ryuk, Darkside, Suncrypt, Netwalker, and Phobos.

One technique that is helping to make ransomware attacks more successful is for cyber criminals to publish data they've stolen while inside the network. The idea is that victims fear the consequences of potentially sensitive information being exposed online – so give in and pay the ransom.

According to analysis by Coveware, 77% of ransomware attacks now involve a threat to leak exfiltrated data – up 10% compared with the final quarter of 2020.

Almost half of ransomware attacks begin with cyber criminals compromising RDP services, either by using stolen credentials, by guessing default or common passwords, or by exploiting unpatched vulnerabilities. There's also been a rise in software vulnerabilities being exploited as a means of infiltrating networks, particularly those in VPN applications.
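As an added example (it is not from Coveware's report or this article), here is a small detector for the RDP credential guessing described above, run over constructed Windows Security event records: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address inside a short window, then a check for a 4624 (successful logon) from the same address afterwards, which is the sign that the guessing worked. The JSON-lines export format, the thresholds and the sample addresses are assumptions made for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events exported as JSON lines (assumed format).
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
{"time":"2021-04-01T02:00:01Z","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"203.0.113.7"}
{"time":"2021-04-01T02:00:09Z","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.7"}
{"time":"2021-04-01T01:55:00Z","event_id":4625,"logon_type":10,"user":"svc_backup","src_ip":"198.51.100.3"}
{"time":"2021-04-01T02:00:17Z","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"203.0.113.7"}
{"time":"2021-04-01T02:00:25Z","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"203.0.113.7"}
{"time":"2021-04-01T02:00:33Z","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"203.0.113.7"}
{"time":"2021-04-01T02:00:41Z","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"203.0.113.7"}
{"time":"2021-04-01T02:01:10Z","event_id":4624,"logon_type":10,"user":"jsmith","src_ip":"203.0.113.7"}
{"time":"2021-04-01T03:40:00Z","event_id":4625,"logon_type":10,"user":"svc_backup","src_ip":"198.51.100.3"}
{"time":"2021-04-01T08:30:00Z","event_id":4624,"logon_type":10,"user":"jsmith","src_ip":"10.0.0.5"}
{"time":"2021-04-01T09:00:00Z","event_id":4625,"logon_type":2,"user":"jsmith","src_ip":"10.0.0.5"}
"""

FAILURE_THRESHOLD = 5            # this many failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this window raise an alert (assumed tuning)
RDP_LOGON_TYPES = {10}           # add 3 when NLA is on: failures then log as network logons


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time'; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
            e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # malformed record: drop it rather than crash the pipeline
        events.append(e)
    return events


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced >= threshold failed RDP logons
    inside any window-long interval. Each alert also reports whether a successful
    RDP logon from that IP followed the burst, i.e. whether a password was guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        best, start = None, 0            # best = (start, end) of the densest window seen
        for end in range(len(fails)):    # sliding window over the sorted timestamps
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold and (best is None or end - start > best[1] - best[0]):
                best = (start, end)
        if best is None:
            continue
        burst = fails[best[0]:best[1] + 1]
        last = burst[-1]["time"]
        later_success = next(
            (s for s in sorted(successes[ip], key=lambda e: e["time"]) if s["time"] >= last), None)
        alerts.append({
            "src_ip": ip,
            "first_failure": burst[0]["time"].isoformat(),
            "last_failure": last.isoformat(),
            "failure_count": len(burst),
            "users_tried": sorted({f["user"] for f in burst}),
            "success_after_burst": later_success["user"] if later_success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed sample this raises a single alert for 203.0.113.7: six failures in 40 seconds across three usernames, followed by a successful RDP logon as jsmith, which is exactly the pattern that should page someone. The two slow failures from 198.51.100.3 stay below the threshold, and the non-RDP logon type is ignored. One caveat for production use: with Network Level Authentication enabled, failed RDP attempts are typically recorded with logon type 3 rather than 10, so the rule should accept both.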


All of this has come together to result in an average of 23 days downtime following a ransomware attack – up by two days.

Something that can help organisations successfully recover from a ransomware attack is taking regular backups and keeping copies offline, or otherwise isolated from the network, so the ransomware cannot reach and encrypt them. Restores should also be tested: a backup that has never been restored is not a proven recovery plan. If the worst happens, restoring the network is then possible without giving in to ransom demands, making the exercise a pointless waste of time for cyber criminals.
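As an added example (not from the article), here is the kind of check a practitioner would run against the offline backups mentioned above before relying on them: it confirms that the most recent backup set is no older than the recovery-point objective and that every file still matches the SHA-256 manifest written when the backup was taken, which catches a copy that the ransomware reached and encrypted, or that has quietly rotted. The directory naming convention (a YYYY-MM-DD suffix) and the sha256sum-style MANIFEST.sha256 file are assumptions; the demo builds a throwaway backup in a temporary directory.

```python
import hashlib
import tempfile
from datetime import date, timedelta
from pathlib import Path

MAX_AGE = timedelta(days=1)   # assumed recovery-point objective: newest backup <= 1 day old


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_manifest(backup_dir: Path) -> None:
    """Record a sha256sum-style manifest ("<hex>  <relative path>") at backup time."""
    lines = [f"{sha256_of(p)}  {p.relative_to(backup_dir).as_posix()}"
             for p in sorted(backup_dir.rglob("*"))
             if p.is_file() and p.name != "MANIFEST.sha256"]
    (backup_dir / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")


def verify_backup(backup_dir: Path, today: date, max_age: timedelta = MAX_AGE):
    """Return (ok, problems): ok only if the set is fresh and every file matches its hash."""
    problems = []
    try:
        taken = date.fromisoformat(backup_dir.name[-10:])   # assumed YYYY-MM-DD suffix
    except ValueError:
        return False, ["backup directory name has no YYYY-MM-DD suffix"]
    if today - taken > max_age:
        problems.append(f"stale: taken {taken}, {(today - taken).days} days old")
    manifest = backup_dir / "MANIFEST.sha256"
    if not manifest.exists():
        return False, problems + ["manifest missing"]
    for line in manifest.read_text().splitlines():
        expected, rel = line.split("  ", 1)
        f = backup_dir / rel
        if not f.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(f) != expected:
            problems.append(f"corrupt: {rel}")
    return not problems, problems


def demo():
    """Build a constructed backup set, then verify it intact, tampered, and stale."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "fileserver-2021-04-01"
        (backup / "data").mkdir(parents=True)
        (backup / "data" / "ledger.csv").write_text("id,amount\n1,100\n")
        write_manifest(backup)
        results = {"intact": verify_backup(backup, date(2021, 4, 2))}
        # Simulate the backup copy being reached and encrypted after it was taken.
        (backup / "data" / "ledger.csv").write_text("ENCRYPTED")
        results["after_tamper"] = verify_backup(backup, date(2021, 4, 2))
        results["stale"] = verify_backup(backup, date(2021, 4, 10))
        return results


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} {problems}")
```

The hash check is deliberately independent of the backup tool: the manifest is produced when the copy is made and kept with it, so a later verification run from a clean machine can tell a usable set from one that was encrypted or corrupted in place. The full test, of course, is a periodic restore onto spare hardware, which this script does not replace.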

But the best way to avoid damage from a ransomware attack is to avoid falling victim to one in the first place. Cybersecurity procedures that can help prevent this include avoiding the use of default usernames and passwords and securing accounts with multi-factor authentication, particularly for remote access such as RDP and VPN logins.

Organisations should also ensure the latest security patches are applied to software across the network, preventing cyber criminals from exploiting known vulnerabilities to gain a foothold and deploy ransomware.
