Advisen FPN

Advisen Cyber FPN - Wednesday, May 6, 2020

Cybercriminals took advantage of pandemic disruption, average ransom rises to $111K



By Erin Ayers, Advisen

The average ransomware payment rose to $111,605 in the first quarter of 2020, up 33 percent from the fourth quarter of 2019, as cybercriminals succeeded in netting higher sums from large businesses, according to the latest data from Coveware.

“During the first quarter of 2020 ransomware threat actors took advantage of the economic and workplace disruption caused by the COVID-19 outbreak. Spam attacks related to the outbreak surged and seldom-used ‘work-from-home’ network configurations led to increased ransomware attacks across the board. Some threat actor groups continued attacking healthcare organizations, while others refused to target them,” stated Coveware in its report.

While larger businesses skewed the average ransom payment higher, they tend to be in the minority of targets by volume, Coveware noted. The median ransom payment increased modestly to $44,021 in Q1, up from $41,179 in Q4, indicating that most ransom payments are well below the average. The firm noted that small businesses continue to bear the brunt of ransomware events, with targets’ median size at about 62 employees.

School systems and other public entities increased as targets, with cybercriminals ramping up their usual cycle ahead of time. Public entities represented 12 percent of attacks, with 50 percent of those being schools.

“Typically, school systems are targeted over the summer. The timing is designed to force the company to pay before school begins,” said Coveware. “The rotation into targeting schools in March was likely precipitated by the COVID-19 pandemic which forced most school systems to rapidly offer remote learning. The hasty switch caused many schools to leave themselves vulnerable to attack, and ransomware actors took full advantage during Q1.”

Coveware’s research found that Sodinokibi, Ryuk, and Phobos continue to be the most common types of ransomware faced by targeted firms, but the way these strains were used shifted during the first quarter. Sodinokibi, normally used to attack smaller managed service providers, was seen in attacks on larger businesses and was used to take advantage of VPN (virtual private network) vulnerabilities. The average size of victims for Ryuk, typically found in sophisticated spear phishing attacks on large enterprises, dropped by a third, although the ransom demands increased. And Phobos, usually seen in compromises of Remote Desktop Protocol (RDP) access with low ransom demands, was successfully lobbed against larger businesses.

Coveware identified a trend toward combining ransom with data exfiltration and threats to expose firms’ data in the first quarter. While “virtually non-existent” as a strategy before 2020, it became prevalent in the first quarter, and Coveware warned it is likely to continue as a method to get targets to pay even if they can recover their own data. In situations where ransom payments were made, 99 percent of victims recovered their data; however, Coveware noted that the firm has had success in helping victims avoid paying threat actors that are likely to default on decryption promises.

Severity and duration of an attack have the biggest effect on the ultimate cost of a ransomware event, and downtime dropped slightly to 15 days in the first quarter of 2020, Coveware reported.

“Even though the average stabilized, two weeks of impaired productivity is a substantial amount of time for any business,” said the firm. “Business interruption costs from downtime are the largest pain point for companies impacted by a ransomware attack.”

Editor Erin Ayers can be reached at
