The criminals behind ransomware attacks are becoming dramatically bolder. The average payment demanded in fourth-quarter attacks reached $84,116, more than double the average sum in the third quarter, according to the latest data from Coveware Inc., a Westport, Conn.-based cybersecurity firm that tracks data from cases it has handled.
Worse yet, that average ransom has been rising with frightening speed. Perpetrators extracted an average payment of $6,754 as recently as the fourth quarter of 2018. That number nearly doubled to more than $12,000 in the first quarter last year and then had soared to more than $41,000 by the third quarter. These are dollar averages, but perpetrators typically demand payment in Bitcoin.
Nor do the costs end with the ransom. Victims, which range from large enterprises to small organizations, also must reckon with the toll for remediation of a network and associated hardware, revenue lost from the business interruption, and potential damage to the brand, Coveware says in its report, released Monday. Downtime alone is growing more problematic, with average days systems were down growing to 16.2 in the fourth quarter from 12.1 in the third.
And now the headaches are quickly multiplying. In a typical ransomware attack, perpetrators don’t steal data. Instead, they use encryption software to scramble the data and then demand payment for the encryption key. Now, in a new twist, perpetrators are starting to pull the locked data into their own systems and threatening to release it publicly if they aren’t paid, according to Coveware. “[T]his new complication brings forth the potential costs of 3rd party claims as a result of the data breach,” the company says in its report.
As the menace spreads, no organization has proven to be safe. In August, news broke that more than 20 cities in Texas had been victimized, accounting for more than a third of all attacks on municipalities at the time . In recognition of the seriousness of the plague and its potential impact on payments, Mastercard Inc. in July became the first payment card network to join an Interpol initiative called NoMoreRansom, which helps victims recover their files. Interpol supports law-enforcement agencies in the European Union.
If there’s any good news in the latest report, it’s that 98% of organizations that paid the ransom in the fourth quarter received the decryption key. Among those that paid for and received the key, the portion of data successfully decrypted was 97%, up slightly from the third quarter. In a touch of irony, more sophisticated criminals are now at work in ransomware, so the results for paying victims are improving. “[We] tend to see better outcomes with more sophisticated attackers,” the Coveware report says.
The report indicates that no industry is safe, but some are victimized far more frequently than others. Software services, professional services, and health care combined accounted for just over half of all attacks in the fourth quarter, but the public sector, as exemplified by those towns in Texas, was attacked in 10.4% of cases.