Cybersecurity firm Crypsis Group has published findings showing massive growth in the sums of cryptocurrency demanded by ransomware attackers from 2018 to 2019. Due to their largely untraceable natures, Cryptocurrencies tend to be a favorite method of payment among ransomware attackers.
Indeed, according to the company’s 2020 Incident Response and Data Breach Report, amounts have grown to the tune of roughly 200%--in 2019, the average ransomware demand was an eye-popping $115,123. If the trend from 2018 to 2019 continues, the average demand in 2020 could be as much as $230,000.
A shift toward larger victims with “deeper pockets”
Crypsis says that one of the reasons that the sum has risen so much is that ransomware attackers are shifting their focus towards larger entities.
Instead of targeting individuals for pithy sums of a few thousand dollars apiece, ransomware attackers are increasingly focused on larger prey: more and more of their victims are enterprises.
Indeed, “since 2018, threat actors have evolved from deploying mass-distributed Phishing campaigns with lower ransom demands to highly-targeted, well-researched attacks on larger enterprises with deeper pockets,” Crypsis’ report explained.
Specifically, Crypsis found that the Healthcare sector was “the most affected” by ransomware attacks--22% of Crypsis’ 2019 ransomware matters had to do with healthcare companies; the manufacturing sector came in second, with 13%.
As security measures have improved, attackers’ tactics have gotten more severe
The 200% increase in ransom demands by ransomware providers could be representative of the fact that fewer victims are willing to pay up now than in the past---in other words, since fewer victims are willing to pay attackers, attackers have increased their fees, hoping to net a larger gain when a victim does actually pay up.
Additionally, as enterprises have continued to bolster their security measures, ransomware attackers have upped the anti: “more incidents have included the deletion or disablement of backups, as well as the threat of releasing sensitive data publicly,” Crypsis reported. “The threat actor group known for deploying 'The Maze' ransomware is leading the way in extortionate tactics, but others are getting into the game.”
Crypsis said that this change in tactics could “represent a tactical shift in response to stronger enterprise security defenses and an associated reduction in organizations’ willingness to pay.”
Ransomware attackers are also exploring other tactics, including the exploitation of the desperation of victims of other ransomware: per Bleeping Computer and Michael Gillespie, Finance Magnates recently reported that ‘Zorab’, a new kind of ransomware, poses as a decryption tool for victims of ransomware encryption attacks, leaving victims with doubly-encrypted files.
“We absolutely do not care about you and your deals, except getting benefits,” a ransom note from the creators of the ransomware reads.