New data shows that pushback from the ransomware victim “market” may be influencing just how much cybercriminals are asking for as ransom and are being paid.
2020 seemed to point to ransomware continuing to grow in devastation and cost; Ryuk reached a $34 million ransom payout, organizations were operationally brought to their knees by many of the prominent ransomware families, and the “as-a-Service” market for various parts of ransomware attacks – including the publishing of exfiltrated data – grew in interest.
But new data from security vendor Coveware in their Q4 2020 Quarterly Ransomware Report shows that phishing is now the prominent ransomware attack vector since RDP compromise is being prevented by potential victims.
There are also some shifts in payment amounts – fortunately in the favor of the victim organizations.
According to the report:
- The average ransom payment decreased 34% in Q4 of 2020 to $154,108 from $233,817 in Q3
- The median payment also decreased by 55% in the same timeframe from $110,532 to $49,450
- Threats to disclose exfiltrated data stepped up in Q4, with a whopping 70% of ransomware attacks using this tactic (up from 50% in Q3)
Coveware speculate this decline in payment amounts is due to the ability for organizations to better recover their locked environment. And with Coveware seeing that exfiltrated data doesn’t appear to be credibly destroyed by the cybercriminal (and instead appear to be found in the hands of multiple parties, implying it’s been sold on the dark web), there is less emphasis on the option to pay the ransom and stop the publishing of the stolen data.
Phishing took over from RDP as the top overall initial attack vector, with the top attack vector varying between ransomware families. RDP picked up steam during the pandemic as many organizations sought to quickly provide remote access to their now remote workforce. Phishing has moved up as the quickest route to get malicious code into an organization and in front of an unwitting victim user.
If you haven’t heard it yet: stop using Internet-facing RDP. Changing the ports isn’t enough; it’s time to pick another more secure technology. And for phishing, many ransomware attacks continue to make it through your email filters. You need to block attacks that have made it in your users' inbox. Turn your users into a strong human firewall with new-school security awareness training and enable your users to make smart security decisions every day.