From massive increases in ransom amounts to big shifts in attack models, these statistics reveal the major new trends in ransomware.
In 2019, ransomware completely evolved. Mass distribution campaigns designed to to indiscriminately infect home users are out. Targeted campaigns aimed at taking down mid- to large-sized organizations are in. As a result, according to several sources, the overall number of infections dropped in 2019. But the infections we did see were more sophisticated, more disruptive, and far more lucrative for the criminals behind the operations.
What's driving this trend? The following stats tell the story.
The rise of "big game hunting"
At the center of ransomware's evolution in 2019 was a major shift away from high-volume, low-return campaigns (think mass spam and exploit kit campaigns) in favor of low-volume, high-return attacks specifically targeting businesses and organizations that a) have the funds/insurance coverage necessary to pay large ransom demands; and b) are especially sensitive to downtime (and therefore more likely to pay).
The security company CrowdStrike dubbed this approach "big game hunting" and it's a model being proliferated by two of the largest and most lucrative ransomware operations currently active.
Sodinokibi (REvil) and Ryuk dominate
The chart above tracks the shifting "market share" of the most active ransomware operations based on infections reported to ransomware incident response specialists Coveware.
It's a clear illustration of the rise of Ryuk and Sodinokibi (also referred to as REvil). Together, those two operations accounted for half of the infections Coveware saw in Q4 2019.
But it also illustrates the broader shift away from highly commoditized ransomware operations with low barriers to entry (see Dharma and its successor, Phobos, which primarily target exposed/compromised RDP accounts) and the consolidation of ransomware activity with a smaller group of more sophisticated actors.
Whereas Dharma, Phobos, and other operations cater to lowest-common-denominator cyber criminals looking for ransomware they can easily deploy and be as hands-off with as possible, the criminals behind Ryuk and Sodinokibi are a more exclusive group. They don't license their ransomware out to just anyone, and they take a more manual approach that requires more expertise. Rather than simply drop an executable and run, these attackers make sure the stage is set for a more significant impact by leveraging reconnaissance, privilege escalation, and lateral movement techniques to entrench themselves throughout victim networks first. In addition, they also take the time to disable security tools and backups, only then executing the ransomware to devastating effect.
This pattern is one of the factors that resulted in CrowdStrike reporting an increase in average dwell time (the period between initial compromise and detection) in 2019. According to their Cyber Front Lines Report, attackers typically spent up to 60 days in victim environments before executing ransomware payloads.
This strategy has allowed Ryuk and Sodinokibi actors to successfully extort massive amounts of money from victim organizations. Just how effective has it been?
Ransom demand and payment amounts skyrocketed in 2019
$84,116. According to Coveware, that's not the average amount demanded in Q4 2019. That's the average amount paid. Up from an average of $6,733 just 12 months prior.
That figure is heavily skewed by Ryuk and Sodinokibi (the median payment in Q4 2019 was $41,198). Demands from both of those actors can typically reach six or even seven figures, making even just a single successful attack potentially extremely lucrative.
Cases in point:
- Ryuk attackers extorted over $1 million in ransom from two Florida cities in just one week.
- A single Sodinokibi affiliate appeared to snag $287,000 in three days.
The amount of money being funneled back to these criminals to fund future attacks is deeply troubling, and the size and quantity of ransoms being paid is even causing insurance providers to raise their cyber-insurance rates as much as 25%.
Why are attackers so successful at convincing organizations to pay? The primary answer is downtime.
Attacks are increasingly causing extended periods of costly downtime
Beyond the jaw-dropping increase in ransom amounts, another extremely significant number pertaining to current ransomware attacks is 16.2 — that's the average number of days companies are experiencing infection-related downtime (again, according to Coveware).
It's no surprise, then, that the costs associated with ransomware-related downtime are also going up.
These figures are sobering. How many businesses (especially SMBs) can afford to lose $140,000, and experience more than two weeks of downtime and disruption?
They're also prompting organizations (and their insurance providers) to consider all options, especially when working backups aren't available. Even when working backups are available, however, there have been cases where organizations have determined that paying the ransom and taking a chance with decryption keys is potentially less costly than the time and effort it would take to restore their systems on their own.
Victim demographics: Who is being targeted?
While attacks on large organizations like Travelex and municipalities dominate the headlines, the truth is nearly two-thirds of ransomware victims in 2019 were small- and medium-sized businesses, who are obviously less well-defended and prepared to successfully manage an active infection.
For SMBs, it truly is a matter of not "if" but "when," with 20% of them reporting they've already experienced an attack.
In addition to SMBs and enterprises, municipalities, healthcare providers, and schools were extensively targeted in 2019, specifically due to their reputation for having outdated/vulnerable systems, a low tolerance for downtime, and a demonstrated willingness to pay ransoms.
An especially concerning trend for those of us in the MSP space is the spike in attacks specifically targeting managed services providers. According to insurance provider Beazley, one quarter of the ransomware incidents reported to them in Q3 2019 were found to have originated with an attack on their IT or managed services provider.
We covered the trend in detail in our webinar with Huntress Labs, "How MSPs Can Survive a Coordinated Ransomware Attack" and responded with our own security initiatives, including making two-factor authentication (2FA) mandatory for using NinjaRMM.
Initially, the trend was primarily driven by Sodinokibi actors, but by the end of the summer other actors had seen the opportunity and were getting in on the act.
The allure of compromising MSPs is obvious — doing so potentially gives attackers access to their powerful remote management tools and by extension, all of their clients. The MSP community is fighting back, however. MSPs and vendors across the space are proactively stepping up their game, calling for increased security from their peers, and are coming together to share vital threat intel.
What can you as a provider or customer of an MSP do your part and protect yourself?
How ransomware victims are getting infected, and what can we do about it
The good news is that, despite the growing maturity and sophistication of ransomware operations, the vast majority of attacks are preventable by doing five things:
- Secure RDP: Don't expose it to the Internet! Lock it down (how-to here).
- Disable Office macros (when feasible): Same goes for OLE and DDE (here's how)
- Enable MFA on everything: This helps prevent account takeovers and tool hijacking.
- Invest in email and DNS filtering: The goal is to protect end users by stripping out as much of the bad stuff as possible before it reaches them.
- Invest in patch management: Automate things as much as possible with a solution that can apply both Windows and third-party updates. This report shows that 57% of data breaches are attributed to poor patch management.
And of course, utilize a properly configured backup solution — and actually test recovering from backups at scale. Having multiple restore points and offsite replication is key. Remember Shrodinger’s Backup: “The condition of any backup is unknown until a restore is attempted.”
Obviously, this is just the tip of the iceberg as far as defensive activities are involved, but with the vast majority of ransomware being delivered by RDP compromise and emails (typically with malicious Office documents attached), doing even just these five things will drastically reduce your risk.
For more practical tips on preventing ransomware, see our Cybersecurity Checklist.
For more info on what to do in the immediate aftermath of a ransomware infection, see our webinar, "How MSPs Can Survive a Coordinated Ransomware Attack."