Not all security breaches are designed to steal data. Instead, an increasing number these days are programmed to hold data hostage. And the sums demanded by the malefactors behind so-called ransomware attacks are rising fast. The average ransom in the first quarter came to $12,762, up 89% just from the fourth quarter, according to data released this week by Coveware Inc., a Westport, Conn.-based data-security firm specializing in ransomware recovery.
The costs go beyond the actual ransom payment. The average downtime sustained by victimized companies increased in the first quarter to 7.3 days from 6.2 days in the fourth quarter. That downtime cost victims $65,645 on average, according to the report.
In a ransomware attack, cybercriminals encrypt a firm’s data and then demand payment, usually in a cryptocurrency like Bitcoin, for the decryption key. The hackers gain access most often via a connection called remote desktop protocol, which in its benign uses allows IT professionals to access clients’ systems without having to be onsite. This so-called attack vector accounted for nearly 64% of ransomware attacks in the January-to-March quarter.
Phishing attacks, typically launched via email, were the vector in 30% of cases, with software weaknesses accounting for the remainder. For the fourth quarter, the number of unique phishing reports received by the Anti-Phishing Group, a cross-industry research organization, totaled 239,910, down from 264,483. But the reason for the drop, says the APWG in its latest quarterly report, is that it’s getting harder to detect phishing sites “because phishers are obfuscating phishing URLs with multiple redirections.”
Financial-services firms sustained 3.4% of ransomware attacks in the first quarter, according to the Coveware data, while retailers were victimized in 5.2% of cases and consumer services in 6%. The biggest victims were professional-services firms (22.4%) and companies offering software services (17.2%).
But even if victims pay up, they don’t always recover their data. The Coveware report indicates that the decryption key received after sending the ransom failed in 4% of cases. “Files and servers can be damaged during or after the encryption process and this can affect data-recovery rates even when a decryptor tool is delivered,” the report says.
Also, even if the tool works, firms don’t always get all of their data back. Recovery averaged 93% in the quarter, according to the report, which notes, “sometimes the decryption tools are simply prone to error.”
Of course, firms can always protect against ransomware attacks by backing up their data. But, depending on how much data must be copied and on how many servers, it sometimes turns out to be cheaper to pay the ransom, experts caution.