Coveware: Average Ransom Paid Jumps 60%; Sodinokibi, Maze, Phobos Dominate
Ransomware gangs continue to see bigger payoffs from their ransom-paying victims.
Comparing the first and second quarters of this year, the average ransom paid by a victim – when they paid – increased by 60%, rising from $111,605 to $178,254. So says ransomware incident response firm Coveware, in a new report that charts trends among its clients.
Coveware says the increase in the average ransom payoffs has been driven by several trends: “Big-game hunting,” increased data exfiltration and smaller players seeking bigger returns.
The ransomware operator landscape also continues to diversify. “In Q1, nearly 60% of ransomware attacks were carried out by the three most common variants – Sodinokibi, Maze and Phobos,” Coveware says. “However, in Q2 only 30% of attacks were attributed to the top three families. The rest were distributed among smaller and/or newer variants, such as Mamba, Snatch and DeathHiddenTear.”
From April to July, a number of new ransomware-as-a-service offerings also debuted, including LockBit, Lock2bits, MedusaLocker and Payment45. “These new entrants entice cybercrime beginners with low upfront costs and little required technical expertise,” Coveware says.
In addition, free, roll-your-own ransomware kits have further lowered the barrier to entry – even for individuals who don’t have deep technical skills, Coveware says. While such kits used to be common, they became much more scarce after many criminals moved away from crypto-locking ransomware beginning at the end of 2017, to focus instead on hacking for bitcoins as well as cryptocurrency mining.
Over the past couple of years, however, criminal interest in ransomware has once again risen.
Impact of the Pandemic
More recently, ongoing economic fallout from the COVID-19 pandemic may also have been driving some types of adoption. “It is also possible that the increase of RaaS usage is related to the economic impact of the coronavirus pandemic, driving more financially stressed individuals toward cybercrime,” Coveware says.
One illustration of this involves schools, which the firm says typically get targeted in July and August, before they reopen, by attackers who want to maximize the chance that they’ll get paid a ransom to unlock the systems.
This year, however, as schools suddenly shut their doors and shifted to remote-learning models, “the hastiness with which the shift occurred left many remote access vulnerabilities open,” Coveware says, noting that “the number of vulnerable and cheap school targets increased, and the attacks quickly followed.”
‘Big-Game Hunting’ Continues
One explanation for the ongoing rise in ransomware attacks since 2018 is the shift to “big-game hunting,” which refers to taking down big enterprises. In the ransomware sphere, the use of this tactic started in 2018 with BitPaymer and Ryuk using it as a way to maximize revenue by targeting large organizations. Before then, most ransomware attacks appeared to be scattershot affairs.
“Prior to big-game tactics, the ransomware sphere was dominated by opportunistic, spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise,” Coveware says.
But the rise of more targeted ransomware attacks by some gangs allowed them to maximize the return on their investment of time and energy. More recently, Maze in particular has also focused on this strategy, Coveware says, noting that “six and seven-figure demands” are now common for these types of attacks.
Another big-game trend seen from April to June was Maze dramatically expanding its use of specialists to help it take down targets. “Maze currently relies on a host of other specialists to carry out and extort their victims,” Coveware says. “The specialists include people skilled in Tor cloud bulletproof hosting, cloud data storage and migration, front-end web development, and facilitating negotiations. All of these are separate skill sets, and Maze uses a network of different people in each of these groups to run their organization.”
More Data Exfiltration
In November 2019, Maze began exfiltrating data before crypto-locking systems, and more than a dozen other gangs have followed suit. The MO is to name and shame victims by posting their identity on a dedicated data-leaking site, then trickle out stolen data for organizations that don’t pay up quickly. Any organization that fails to pay can see all of its stolen data get dumped – or in some cases auctioned – to serve as a lesson to future victims.
“The reason that they’re creating leak sites is because the message got across, right? People, I believe, were paying less and less,” Raj Samani, chief scientist at McAfee, told me earlier this year (see: Ransomware Gangs Go (Lady) Gaga for Data Breaches).
As of June, nearly every Maze and Dopplepaymer (aka Doppelpaymer) attack included data exfiltration, as did one-quarter of Sodinokibi attacks, Coveware found.
Unfortunately, this strategy appears to be working. “Data exfiltration resulted in ransom payments from companies even where ransomware recovery from backups was possible,” it says.
RaaS Operations Seek Bigger Returns
Whereas ransomware such as Ryuk is tied to a specific gang, which uses and refines its own code for highly targeted attacks, other ransomware gets supplied via an affiliate model. These so-called ransomware-as-a-service operations involve operators developing and maintaining the code, then supplying it to affiliates, who infect endpoints. For any victim that pays a ransom, the operator and affiliate share the proceeds. In the case of the highly prevalent Sodinokibi – aka REvil – RaaS offering, operators take a 40% cut, falling to 30% after a handful of an affiliate’s victims have paid (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
Historically, less-advanced attackers appeared to avail themselves more of RaaS approaches. But over the past year, at least, more advanced attackers have begun working with Sodinokibi and other players, targeting larger victims, and seeking bigger payoffs while still sharing proceeds. “For instance, Q2 marked the first series of six-figure ransom payments to the Dharma group, an affiliate ransomware platform that for years has kept pricing in the mid-to-low five figures, and lower,” Coveware says.
Top Attack Vectors: RDP, Phishing
To prevent ransomware attacks, security experts continue to recommend that all organizations store offline up-to-date backups, so they can wipe and restore systems in the event of a breach, as well as ensure all systems are running updated anti-virus programs and have the latest software updates and patches.
Preventing attackers from gaining a foothold in networks also remains essential.
Over the second quarter of this year, Coveware found that remote desktop protocol and email phishing attacks remained the top attack vectors, followed by the exploitation of software vulnerabilities. Targeting flaws in software seems to have decreased, it says, while noting that unless organizations have robust intrusion monitoring and logging in place, they may not know if attackers successfully exploited a vulnerability.
“An uptick in RDP and phishing comes as no surprise, given the increase in amateur, affiliate-based ransomware services; remote intrusion and malware delivery via phishing require little expertise,” Coveware says. Indeed, valid RDP credentials get regularly harvested via brute-force attacks, then sold for as little as $20 – or less – on cybercrime forums.
Cybercrime forum selling network access to a British company (Source: Trend Micro)
Organizations can take a number of steps to lock down RDP endpoints. Best practices include protecting them with strong passwords and multifactor authentication and restricting access to only corporate VPN users. Among other controls, RDP can be configured for network-level authentication, which requires a user to authenticate before they’re allowed to establish an RDP session.
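The brute-forced RDP credentials and the VPN-only restriction described above both map to a simple check over Windows logon events. The sketch below is an added example, not taken from Coveware's report or the original article. The CSV log layout, the VPN pool 10.8.0.0/24 and the threshold of five failures in five minutes are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample (not real logs): time, event ID, logon type, source, account.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2020-06-01T02:00:00,4625,3,203.0.113.50,administrator
2020-06-01T02:00:05,4625,3,203.0.113.50,admin
2020-06-01T02:00:09,4625,3,203.0.113.50,backup
2020-06-01T02:00:14,4625,3,203.0.113.50,scanner
2020-06-01T02:00:20,4625,3,203.0.113.50,backup
2020-06-01T02:00:31,4624,10,203.0.113.50,backup
2020-06-01T08:58:00,4625,3,10.8.0.23,jsmith
2020-06-01T08:58:30,4624,10,10.8.0.23,jsmith
2020-06-01T23:40:00,4624,10,198.51.100.7,reception
"""

VPN_POOL = ip_network("10.8.0.0/24")  # assumption: corporate VPN address pool


def analyze(text, vpn=VPN_POOL, window=timedelta(minutes=5), threshold=5):
    """Return (finding, source_ip, account) tuples in event order."""
    recent = defaultdict(deque)  # source IP -> failure times inside the window
    flagged = set()              # sources that reached the failure threshold
    findings = []
    for ts, event_id, logon_type, src, account in csv.reader(io.StringIO(text)):
        when = datetime.fromisoformat(ts)
        if event_id == "4625":  # any failed logon counts toward the threshold
            times = recent[src]
            times.append(when)
            while when - times[0] > window:  # drop failures older than the window
                times.popleft()
            if len(times) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("password_guessing", src, account))
        elif event_id == "4624" and logon_type == "10":
            if src in flagged:
                findings.append(("success_after_guessing", src, account))
            elif ip_address(src) not in vpn:
                findings.append(("rdp_logon_outside_vpn", src, account))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The last finding, a clean first-try RDP logon from outside the VPN pool, is the pattern to expect when credentials were obtained elsewhere rather than guessed against this host.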
One piece of good news from Coveware’s study is that larger organizations, at least, are more likely to have secured their RDP connections. Phobos, for example, often hits smaller targets via RDP. But for larger organizations, Maze typically uses phishing instead.
Unfortunately, many of these phishing attacks continue to be successful. “The phished employee’s account is used as an initial foothold to perform privilege escalation and network enumeration,” Coveware says. “Privilege escalation will be complete once admin credentials and control of a domain controller are obtained.” (See: Why Hackers Abuse Active Directory.)