A new report into the state of ransomware at the tail end of 2019 has revealed that things aren't getting any better. In Q4 of 2019, according to the new study published by security firm Coveware, the average ransom payment more than doubled – reaching $84,116, up from $41,198 in Q3 of 2019.
Coveware's report says that this reflects how some ransomware variants – such as Ryuk and Sodinokibi – are increasingly being used to target large enterprise victims in an attempt to extort ever larger amounts of money. For instance, Ryuk ransom payments have reached a staggering new high of $780,000 for enterprise victims. Meanwhile, Coveware's report details how ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker are hitting a large number of small businesses but with ransom demands as low as $1,500.
No one likes to pay the criminals who have compromised their network and encrypted their files, of course. Regardless of the rights and wrongs of paying a ransom demand, some infected organizations do feel it is the most pragmatic course of action to ensure business continuity – especially if they discover recovery from backups isn't as straightforward as they imagined.
The comforting news for such businesses is that, in Q4 of 2019, 98% of companies that paid the ransom appear to have received a working decryption tool – although the figure can vary depending on what specific ransomware gang has infected a business's systems. In short, it's always worth researching a ransomware variant and its associated hacking group before ever contemplating paying a ransom. But for those companies who do pay their extortionists for a decryption tool, it appears some 97% of encrypted data is successfully decrypted.
What is less good news for those businesses hit by ransomware, however, is that the average downtime increased from 12.1 days in Q3 of 2019 to 16.2 days in Q4.
Again, according to Coveware, this reflects an increased number of attacks on larger companies with more complex infrastructure:
The increase in downtime was driven by a higher prevalence of attacks against larger enterprises, who often spend weeks fully remediating and restoring their systems. Established enterprises have more complex networks, and restoring data via backups or decryption takes longer than restoring the network of a small business.
One development which has compounded the problem is that ransomware is evolving and using new techniques to magnify the power of its attacks. For instance, Ryuk recently began using "Wake-on-LAN" functionality to power up devices on an infected network if they were initially turned off. The more computers that are turned on, the more that can be encrypted in a ransomware attack.
If one thing is clear from Coveware's report, it's this: anyone telling you that ransomware is yesterday's threat is deeply mistaken. Ransomware continues to successfully impact many organizations, knocking out some businesses for weeks on end, and even – in some cases – leading them to shut up shop permanently.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.