According to the latest report from ransomware incident response firm Coveware, the average ransom payment made by victims of ransomware attacks declined 38% between Q1 and Q2 2021. The average ransom payment in Q2 was $136,576, with a median payment that was 40% lower, at $47,008.
One of the main factors behind the lower ransom payments is a lower frequency of attacks by two major ransomware operations, Ryuk and Clop, both of which are well known for their large ransom demands. Instead of a couple of groups carrying out a large number of attacks, there is now a growing number of different ransomware-as-a-service (RaaS) brands that usually ask for lower ransom payments. In Q2, Sodinokibi (REvil) was the biggest RaaS operation, accounting for 16.5% of attacks. The other groups and their shares of attacks are as follows: Hello Kitty (4.5%), Mespinoza (4.9%), Avaddon (5.4%) and Conti V2 (14.4%). Ryuk was responsible for only 3.7% of attacks and Clop for 3.3%.
The Sodinokibi gang has gone silent since the Kaseya attack and appears to have shut down; nevertheless, the group has deactivated its operations before, only to restart with a different ransomware variant. Even if the operators have retired, the affiliates that carried out the attacks are likely to simply move to another RaaS operation, so attack volume may not be affected.
The most common attack vectors have been changing over the past few months. In Q1 2021, there were more brute force attacks on Remote Desktop Protocol (RDP), whereas exploitation of software vulnerabilities using phishing attacks was decreasing. In Q2, RDP compromises and software vulnerability exploits each decreased and email phishing increased, with phishing and RDP compromises now about equally common. Exploitation of software vulnerabilities is the preferred attack vector for targeted attacks on large enterprises, and those attacks are usually performed only by the most advanced RaaS operations, whose large operating budgets allow them to buy single-day exploits or buy access to large networks.
In Q2, more than 75% of ransomware attacks were on companies with fewer than 1,000 workers. This is because these smaller organizations are less likely to invest in security awareness training for employees and in email security to prevent phishing attacks. They are also more likely to expose RDP to the Internet. Smaller firms are likewise more inclined to outsource security to managed service providers (MSPs). MSPs are still a key target, as an attack on an MSP can enable the attacker to then attack all of the MSP's clients.
The report shows a drop in the effectiveness of double extortion tactics, in which sensitive data is exfiltrated before files are encrypted. A ransom is demanded in exchange for the decryption key, and another payment is demanded to prevent the publication or sale of the stolen information. In Q2, 81% of ransomware attacks involved data exfiltration before file encryption, up from 76% in Q1.
Nevertheless, victims are now less likely to pay to ensure data deletion. In 2020, 65% of victims that could recover data from backups paid the attackers to avoid the publication of stolen information, but in Q2 of 2021, the percentage was just 50%.
The most targeted industry sectors in Q2 were professional services (13.3%), healthcare (10.8%), and the public sector (16.2%). Coveware suggests that these industries may not be specifically targeted; instead, they are merely the easiest to attack. For instance, the number of attacks on law firms is higher, but that was mostly because of the Clop ransomware group's attack on Accellion File Transfer Appliances, which were disproportionately used by law firms.
Coveware reports that the typical downtime from a ransomware attack dropped by 15% in Q2, with victims normally having 23 days of downtime after an attack; however, this was attributed to an increase in data-only attacks, in which there is no material business interruption.