Ransomware: The cost of rescuing your files is going up as attackers get more sophisticated

The average ransom demand is up to almost $13,000, compared with $6,700 just a few months ago.
Written by Danny Palmer, Senior Writer

The average ransom paid to attackers to release files encrypted in ransomware attacks almost doubled between the final quarter of 2018 and the first quarter of 2019.

Figures drawn from cases handled by cybersecurity company Coveware show that the average ransom organisations paid per incident during the first quarter of this year stands at $12,762, compared to $6,733 in the final quarter of 2018.

The sharp increase in ransom payments is linked to the emergence of more expensive and more hands-on forms of ransomware like Ryuk, Bitpaymer and Dharma.

While ransomware attacks of the past generally relied on spamming out large numbers of phishing emails in the hope of getting a few hits, cyber-criminal groups are now taking a more targeted approach.


They exploit exposed Remote Desktop Protocol (RDP) services, whether through unpatched vulnerabilities or weak and stolen credentials, to gain a foothold, then move laterally through the network and lay the groundwork for their ransomware to encrypt as many machines as possible for maximum impact.

In some cases, these ransomware attacks can command ransom payments of six-figure sums, which attackers demand in cryptocurrencies like Bitcoin.

The largest ransom demands are associated with Ryuk ransomware, which targets large organisations with a low tolerance for downtime – Coveware's figures suggest the average payment in Ryuk attacks is $286,557.

Across all ransomware cases, Coveware's Ransomware Marketplace Report puts the average duration of an incident at just over a week (7.3 days), up from 6.2 days in 2018.

This increase in the time it takes to recover from a ransomware attack is attributed to a higher share of variants, Ryuk among them, whose encryption is harder to reverse, which slows recovery even once a decryption tool has been obtained.

While the authorities generally don't recommend that victims of ransomware attacks pay the ransom demand – it funds criminal activity and there is no guarantee it will work anyway – in some cases, organisations feel as if they don't have a choice.

Figures suggest that 96 percent of the time, paying the ransom results in the victim receiving the decryption tool, with around 93 percent of data recovered. However, the data recovered depends on the type of ransomware: Ryuk has a relatively low data recovery rate of 80 percent, while GandCrab – one of the most common forms of ransomware – is close to 100 percent.

Cyber criminals who want to keep making money from ransomware usually have little incentive to take a payment and then withhold the decryption tool.

"Our perception is that most ransomware distributors are economically rational and run their operations like businesses that care about their reputation," Bill Siegel, CEO and co-founder of Coveware, told ZDNet.

"If word gets out that their type of ransomware or attacks with their signature do not provide the decryption tool/key after paying, future victims would find out, and not pay. Accordingly, most provide a decryption tool after the victim pays," he added.

However, by giving in and paying the ransom demand, the victim also sends a signal to cyber criminals that they're a soft touch – and they could easily find themselves falling victim to other ransomware or other malware attacks in future.

The bottom line is that ransomware still works, so cyber criminals will continue to deploy it as an easy means of making money.

"As long as there are companies that continue to be lax about the common attack vectors – such as RDP Ports, email phishing – ransomware distributors will continue to use ransomware and other means of cyber extortion to monetise these vulnerabilities," said Siegel.

There are relatively simple steps that organisations can take to reduce the risk of falling victim to ransomware: not exposing RDP directly to the internet, or at the very least ensuring that any exposed RDP endpoint cannot be reached with default or weak credentials, is one; running security software that can block the malware dropped by phishing emails is another.
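As an added example, not code from the article or from Coveware, here is a check for the RDP point above: a Python probe that asks an RDP endpoint for legacy (non-TLS, non-NLA) security and decodes the server's answer, so you can verify from outside whether an exposed host enforces Network Level Authentication. It follows the X.224 Connection Request and RDP_NEG_REQ/RDP_NEG_RSP/RDP_NEG_FAILURE layout from MS-RDPBCGR; the target host and port are placeholders, and the parser is written so it can also be exercised on captured or constructed replies. It sends no credentials and cannot tell you whether an account has a default password: NLA limits what an unauthenticated client can reach, it does not stop password guessing, so it complements account lockout and strong credentials rather than replacing them.

```python
"""Added example (not from the article): probe whether an RDP endpoint
enforces Network Level Authentication before exposing a logon screen.

Sends an X.224 Connection Request with an RDP_NEG_REQ asking only for
legacy RDP security (MS-RDPBCGR 2.2.1.1) and decodes the Connection
Confirm. A server that enforces NLA must refuse with HYBRID_REQUIRED_BY_SERVER.
Assumes you own the host you probe; it never sends credentials.
"""
import socket
import struct
import sys

PROTOCOL_RDP = 0x00000000     # legacy RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS, but the logon screen is shown before auth
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA: authenticate before a session exists

RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR code 0xE0, dst-ref, src-ref, class options; LI counts the bytes after it.
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req
    x224 = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional rdpNegData."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    if data[5] & 0xF0 != 0xD0:  # X.224 Connection Confirm code
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]
    if not body:
        # Server ignored the negotiation request: very old RDP, legacy security only.
        return {"type": "legacy", "nla_required": False, "selected_protocol": PROTOCOL_RDP}
    if len(body) < 8:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad rdpNegData length")
    if neg_type == RDP_NEG_RSP:
        return {"type": "response", "nla_required": False, "selected_protocol": value}
    if neg_type == RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN_%#x" % value)
        return {"type": "failure", "nla_required": value == 0x05, "failure_code": name}
    raise ValueError("unexpected rdpNegData type %#x" % neg_type)


def verdict(result: dict) -> str:
    """Turn a parsed reply to a legacy-only request into a hardening verdict."""
    if result["nla_required"]:
        return "NLA enforced: no logon screen before authentication"
    if result["type"] == "failure":
        if result["failure_code"] == "SSL_REQUIRED_BY_SERVER":
            return "TLS required but NLA not enforced: logon screen reachable pre-auth"
        return "negotiation refused: " + result["failure_code"]
    return "legacy RDP security accepted: no TLS and no NLA, do not expose this"


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask the live server for legacy RDP only and parse what it answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        reply = sock.recv(1024)
    return parse_connection_confirm(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # hypothetical target
    print(verdict(probe_rdp(target)))
```

Run it with a hostname or IP as the only argument against hosts you are authorised to test. Because the request offers only legacy RDP security, the three outcomes map directly to hardening state: a HYBRID_REQUIRED_BY_SERVER refusal means NLA is enforced, an SSL_REQUIRED_BY_SERVER refusal means TLS is on but the logon screen is still reachable without authenticating, and an accepted legacy negotiation (or a reply with no negotiation data at all) means the endpoint should not be reachable from the internet.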

Having an established and regularly tested data backup plan is also a must: if all else fails and critical data is encrypted in a ransomware attack, systems can be restored from a recent backup, provided the backups themselves were kept out of the attackers' reach.
