Coveware Study Shows Increasing Ransomware Attacks and Ransom Payments

Ransomware attacks increased in Q2 2019, according to Coveware’s new report. Coveware is a ransomware recovery service provider that helps businesses recover their data after a ransomware attack, either through free remediation or through negotiation with the attackers.

Coveware analyzed anonymized information about the ransomware attacks encountered by its clients and observed a 184% increase in ransom payments during Q2 2019. The average ransom payment in Q1 was $12,762; in Q2 it was $36,295.

In Q2 2019, the most common attack vector was exposed RDP ports, accounting for 59.1% of ransomware attacks. Coveware also noted a sharp quarter-over-quarter rise in email-based attacks, which accounted for 34.1% of Q2 cases. Attackers exploited software vulnerabilities in 6.8% of attacks. The Sodinokibi ransomware threat actors exploited software vulnerabilities in managed service provider (MSP) backend integrations (Webroot/Kaseya) to access the systems of MSPs and of their clients.

Downtime generally follows a ransomware attack whether the victim paid the ransom or restored files from backups. The average downtime in Q2 increased from 7.3 days to 9.6 days.

The main reason for this was the increase in attacks on MSPs. Beyond infecting the MSP itself, the ransomware spread to the MSP’s clients over the remote links into their networks. Such widespread attacks naturally take longer to remediate.

Coveware notes an increase in attacks carried out by affiliates under the ransomware-as-a-service model. Many ransomware developers run their own campaigns and communicate directly with victims. Affiliates appear far more disorganized, which can complicate negotiations and cause problems during data decryption, often delaying recovery. By contrast, the threat actors behind the Ryuk ransomware attacks delivered a working decryptor within 3 hours of the ransom payment, and the Sodinokibi attackers likewise provided decryptors promptly.

Businesses don’t want to pay the ransom, but they may have no choice. If there are no backups or the data is not otherwise recoverable, paying the ransom is the only way to avoid major data loss.

The recovery cost of a ransomware attack has two components. The first is the cost of mitigating the attack: fees for forensic analysis, restoring servers and workstations, removing the ransomware, and recovering files. The ransom payment itself is also a mitigation cost. The highest ransom payments were demanded in Ryuk ransomware attacks, at $267,742.

Mitigation costs, including the ransom payment, form only a portion of the total recovery cost. The major cost is downtime. When systems are down, productivity falls considerably and the business loses potential income. Coveware’s statistics show downtime losses of 5 to 10 times the ransom payment amount.

A fast recovery lowers costs, but paying the ransom does not guarantee recovery of the files. Of all the clients that paid the ransom, 96% successfully decrypted their data and 4% could not recover it.

Even when the decryptor works, some data is likely to be lost. This happens when the encryption process is flawed and some files are only partially encrypted or corrupted. Sometimes files are destroyed during either the encryption process or the recovery process. File loss of 8% during decryption is typical; in Ryuk ransomware attacks it was 13%. Sodinokibi is a more polished ransomware variant, and a 100% file recovery rate is possible with it.

The most frequently observed ransomware variants were as follows:

  • Ryuk ransomware – 23.9% of attacks
  • Phobos – 17% of attacks
  • Dharma – 13.6% of attacks
  • Sodinokibi – 12.5% of attacks

Attackers using the Ryuk ransomware mostly target medium to large organizations, with an average of 3,187 employees. Sodinokibi ransomware attacks mostly target small MSPs, with an average of 79 employees.

Attacks on large organizations are increasing. In Q1, breached companies had 141 employees on average; in Q2 the average rose to 925 employees.