Ransomware Payday: Average Payments Jump to $178,000

Mathew J. Schwartz (euroinfosec) • August 18, 2020


Ransomware gangs continue to see bigger payoffs from their ransom-paying victims.

Comparing the first and second quarters of this year, the average ransom paid by a victim – when they paid – increased by 60%, rising from $111,605 to $178,254. So says ransomware incident response firm Coveware, in a new report that charts trends among its clients.


Coveware says the increase in the average ransom payoffs has been driven by several trends: “Big-game hunting,” increased data exfiltration and smaller players seeking bigger returns.

The ransomware operator landscape also continues to diversify. “In Q1, nearly 60% of ransomware attacks were carried out by the three most common variants – Sodinokibi, Maze and Phobos,” Coveware says. “However, in Q2 only 30% of attacks were attributed to the top three families. The rest were distributed among smaller and/or newer variants, such as Mamba, Snatch and DeathHiddenTear.”

From April to July, a number of new ransomware-as-a-service offerings also debuted, including LockBit, Lock2bits, MedusaLocker and Payment45. “These new entrants entice cybercrime beginners with low upfront costs and little required technical expertise,” Coveware says.

In addition, free, roll-your-own ransomware kits have further lowered the barrier to entry – even for individuals who don’t have deep technical skills, Coveware says. Such kits used to be common, but they became much scarcer after many criminals, beginning at the end of 2017, moved away from crypto-locking ransomware to focus instead on hacking for bitcoins and on cryptocurrency mining.

Over the past couple of years, however, criminal interest in ransomware has once again risen.

Impact of the Pandemic

More recently, ongoing economic fallout from the COVID-19 pandemic may also have been driving some types of adoption. “It is also possible that the increase of RaaS usage is related to the economic impact of the coronavirus pandemic, driving more financially stressed individuals toward cybercrime,” Coveware says.

One illustration of this involves schools, which the firm says typically get targeted in July and August, before they reopen, by attackers who want to maximize the chance that they’ll get paid a ransom to unlock the systems.

This year, however, as schools suddenly shut their doors and shifted to remote-learning models, “the hastiness with which the shift occurred left many remote access vulnerabilities open,” Coveware says, noting that “the number of vulnerable and cheap school targets increased, and the attacks quickly followed.”

‘Big-Game Hunting’ Continues

One explanation for the ongoing rise in ransomware attacks since 2018 is the shift to “big-game hunting,” which refers to taking down big enterprises. In the ransomware sphere, the tactic dates to 2018, when the BitPaymer and Ryuk gangs adopted it to maximize revenue by targeting large organizations. Before then, most ransomware attacks appeared to be scattershot affairs.

“Prior to big-game tactics, the ransomware sphere was dominated by opportunistic, spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise,” Coveware says.

But the rise of more targeted ransomware attacks by some gangs allowed them to maximize the return on their investment of time and energy. More recently, Maze in particular has also focused on this strategy, Coveware says, noting that “six and seven-figure demands” are now common for these types of attacks.

Source: Coveware

Another big-game trend seen from April to June was Maze dramatically expanding its use of specialists to help it take down targets. “Maze currently relies on a host of other specialists to carry out and extort their victims,” Coveware says. “The specialists include people skilled in Tor cloud bulletproof hosting, cloud data storage and migration, front-end web development, and facilitating negotiations. All of these are separate skill sets, and Maze uses a network of different people in each of these groups to run their organization.”

More Data Exfiltration

In November 2019, Maze began exfiltrating data before crypto-locking systems, and more than a dozen other gangs have followed suit. The MO is to name and shame victims by posting their identity on a dedicated data-leaking site, then trickle out stolen data for organizations that don’t pay up quickly. Any organization that fails to pay can see all of its stolen data get dumped – or in some cases auctioned – to serve as a lesson to future victims.

“The reason that they’re creating leak sites is because the message got across, right? People, I believe, were paying less and less,” Raj Samani, chief scientist at McAfee, told me earlier this year.

Source: Coveware

As of June, nearly every Maze and Dopplepaymer (aka Doppelpaymer) attack included data exfiltration, as did one-quarter of Sodinokibi attacks, Coveware found.

Unfortunately, this strategy appears to be working. “Data exfiltration resulted in ransom payments from companies even where ransomware recovery from backups was possible,” it says.

RaaS Operations Seek Bigger Returns

Whereas ransomware such as Ryuk is tied to a specific gang, which uses and refines its own code for highly targeted attacks, other ransomware gets supplied via an affiliate model. These so-called ransomware-as-a-service operations involve operators developing and maintaining the code, then supplying it to affiliates, who infect endpoints. For any victim that pays a ransom, the operator and affiliate share the proceeds. In the case of the highly prevalent Sodinokibi – aka REvil – RaaS offering, operators take a 40% cut, falling to 30% after a handful of an affiliate’s victims have paid.

Historically, less-advanced attackers appeared to avail themselves more of RaaS approaches. But over the past year, at least, more advanced attackers have begun working with Sodinokibi and other players, targeting larger victims, and seeking bigger payoffs while still sharing proceeds. “For instance, Q2 marked the first series of six-figure ransom payments to the Dharma group, an affiliate ransomware platform that for years has kept pricing in the mid-to-low five figures, and lower,” Coveware says.

Top Attack Vectors: RDP, Phishing

To prevent ransomware attacks, security experts continue to recommend that all organizations keep up-to-date backups offline, so they can wipe and restore systems in the event of a breach, and ensure that all systems run updated anti-virus software and have the latest software updates and patches installed.

Preventing attackers from gaining a foothold in networks also remains essential.

Over the second quarter of this year, Coveware found that remote desktop protocol and email phishing attacks remained the top attack vectors, followed by the exploitation of software vulnerabilities. Targeting flaws in software seems to have decreased, it says, while noting that unless organizations have robust intrusion monitoring and logging in place, they may not know if attackers successfully exploited a vulnerability.

Source: Coveware

“An uptick in RDP and phishing comes as no surprise, given the increase in amateur, affiliate-based ransomware services; remote intrusion and malware delivery via phishing require little expertise,” Coveware says. Indeed, valid RDP credentials get regularly harvested via brute-force attacks, then sold for as little as $20 – or less – on cybercrime forums.

Cybercrime forum selling network access to a British company (Source: Trend Micro)

Organizations can take a number of steps to lock down RDP endpoints. Best practices include protecting them with strong passwords and multifactor authentication and restricting access to only corporate VPN users. Among other controls, RDP can be configured for network-level authentication, which requires a user to authenticate before they’re allowed to establish an RDP session.

One piece of good news from Coveware’s study is that larger organizations, at least, are more likely to have secured their RDP connections. Phobos, for example, often hits smaller targets via RDP. But for larger organizations, Maze typically uses phishing instead.

Source: Coveware

Unfortunately, many of these phishing attacks continue to be successful. “The phished employee’s account is used as an initial foothold to perform privilege escalation and network enumeration,” Coveware says. “Privilege escalation will be complete once admin credentials and control of a domain controller are obtained.”

The realities of ransomware: Five signs you’re about to be attacked

Peter Mackenzie – Sophos

A manager on the Managed Threat Response team explains what to expect when you’re expecting a ransomware attack

Whenever we work with ransomware victims, we spend some time looking back through our telemetry records that span the previous week or two. These records sometimes include behavioral anomalies that (on their own) may not be inherently malicious, but in the context of an attack that has already taken place, could be taken as an early indicator of a threat actor conducting operations on the victim’s network.


If we see any of these five indicators, in particular, we jump on them straight away. Any of these found during an investigation is almost certainly an indication that attackers have poked around: to get an idea of what the network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack.

Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags.

1 – A network scanner, especially on a server.

Attackers typically start by gaining access to one machine where they search for information: is this a Mac or Windows, what’s the domain and company name, what kind of admin rights does the computer have, and more. Next, attackers will want to know what else is on the network and what can they access. The easiest way to determine this is to scan the network. If a network scanner, such as AngryIP or Advanced Port Scanner, is detected, question admin staff. If no one cops to using the scanner, it is time to investigate.

A network scanner found among a repository of tools used by Netwalker ransomware

2 – Tools for disabling antivirus software.

Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter. These commercial tools are legitimate, but they can be misused, so security teams and admins need to question why they have suddenly appeared.

3 – The presence of MimiKatz

Any detection of MimiKatz anywhere should be investigated. If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft. Attackers also use Microsoft Process Explorer, included in Windows Sysinternals, a legitimate tool that can dump LSASS.exe from memory, creating a .dmp file. They can then take this to their own environment and use MimiKatz to safely extract user names and passwords on their own test machine.

Mimikatz and related PowerShell scripts used to launch it, found among a repository of tools used by the Netwalker ransomware threat actors

4 – Patterns of suspicious behavior

Any detection happening at the same time every day, or in a repeating pattern, is often an indication that something else is going on, even if malicious files have been detected and removed. Security teams should ask “why is it coming back?” Incident responders know it normally means that something else malicious has been occurring that hasn’t (as of yet) been identified.

5 – Test attacks

Occasionally, attackers deploy small test attacks on a few computers in order to see if the deployment method and ransomware execute successfully, or if security software stops them. If the security tools stop the attack, they change their tactics and try again. This shows their hand, and attackers will know their time is now limited. It is often a matter of hours before a much larger attack is launched.
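As an added illustration of indicators 1 to 4 above (example code written for this page, not Sophos's tooling or anything from the original articles), the script below runs over constructed process-start and file-write telemetry, flags the dual-use tools the article names, labels a scanner seen on a server separately, and reports any detection that recurs at the same time of day across several days. The image-name substrings, the event format, and the host names are assumptions; tune them to what your own telemetry records.

```python
from collections import defaultdict
from datetime import datetime

# Image-name substrings for the tools named above, mapped to an indicator label (substrings are assumptions).
TOOL_RULES = {
    "ipscan": "1-network-scanner", "advanced_port_scanner": "1-network-scanner",
    "processhacker": "2-av-disabler", "iobit": "2-av-disabler",
    "gmer": "2-av-disabler", "pchunter": "2-av-disabler",
    "mimikatz": "3-credential-theft",
}
SERVER_ROLES = {"server", "domain-controller"}

def classify(event):
    """Map one process-start or file-write event to an indicator label, or None if it is benign."""
    if event["type"] == "process":
        image = event["image"].lower()
        for needle, indicator in TOOL_RULES.items():
            if needle in image:
                # A scanner on a server is the case the article singles out; label it separately.
                if indicator.startswith("1-") and event["role"] in SERVER_ROLES:
                    return indicator + "-on-server"
                return indicator
    elif event["type"] == "file":
        # Process Explorer can write an LSASS memory dump to a .dmp file (indicator 3).
        if event["path"].lower().endswith(".dmp") and "lsass" in event["path"].lower():
            return "3-credential-theft"
    return None

def find_indicators(events):
    """Return one (timestamp, host, indicator) triple per event that matches an indicator."""
    return [(ev["ts"], ev["host"], ind) for ev in events if (ind := classify(ev))]

def recurring(hits, window_minutes=10, min_days=3):
    """Indicator 4: the same indicator, on the same host, in the same time-of-day slot, on >= min_days days."""
    days_seen = defaultdict(set)
    for ts, host, indicator in hits:
        t = datetime.fromisoformat(ts)
        days_seen[(host, indicator, (t.hour * 60 + t.minute) // window_minutes)].add(t.date())
    return sorted(key for key, days in days_seen.items() if len(days) >= min_days)

# Constructed sample telemetry (not real data): three nightly scans from a file server, a
# process-killer on a workstation, an LSASS dump on a domain controller, and one benign event.
EVENTS = [
    {"ts": "2020-08-10T02:05:00", "host": "FS01", "role": "server", "type": "process", "image": r"C:\Tools\Advanced_Port_Scanner.exe"},
    {"ts": "2020-08-11T02:07:00", "host": "FS01", "role": "server", "type": "process", "image": r"C:\Tools\Advanced_Port_Scanner.exe"},
    {"ts": "2020-08-12T02:03:00", "host": "FS01", "role": "server", "type": "process", "image": r"C:\Tools\Advanced_Port_Scanner.exe"},
    {"ts": "2020-08-12T09:30:00", "host": "WS17", "role": "workstation", "type": "process", "image": r"C:\Users\a\ProcessHacker.exe"},
    {"ts": "2020-08-12T09:41:00", "host": "DC01", "role": "domain-controller", "type": "file", "path": r"C:\Windows\Temp\lsass.dmp"},
    {"ts": "2020-08-12T10:00:00", "host": "WS17", "role": "workstation", "type": "process", "image": r"C:\Windows\notepad.exe"},
]
```

The time-of-day bucketing is deliberately coarse: two runs a minute apart can straddle a slot boundary, so widen the window or compare adjacent slots if your scheduled jobs jitter.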