WESTPORT, Conn.–The average ransom paid by victims of ransomware attacks reached $111,605 in the first quarter of this year, up 33% from the previous quarter, according to new data from ransomware incident response firm Coveware.
In addition, every attacker now typically demands a ransom payment only in bitcoins, the report states.
The report from Coveware examining first quarter trends among its clients found 8.7% of the more than 1,000 ransomware cases the firm worked on involved attackers stealing data from an organization and threatening to release it publicly unless victims paid the ransom demand.
According to Coveware, while Maze was the first gang to practice the tactic in late 2019, and used it in 99% of cases, it has shifted its focus to smaller targets and has been exfiltrating less data.
Other gangs that have been using this tactic in recent months include Sodinokibi, DoppelPaymer, Mespinoza, Netwalker, CLoP, Nephilim and Sekhmet, the company is reporting.
Most Common Ransomware
Coveware said that in the first quarter of 2020, as in the fourth quarter of 2019, Sodinokibi, aka REvil, was the most common type of ransomware tied to successful attacks among Coveware's clients. The ransomware-as-a-service operation provides customized versions of crypto-locking code to each affiliate, keyed to a unique ID. Whenever a victim pays, the affiliate gets a 60% cut, rising to 70% after a few successful payments are received, while the operators pocket the rest, Coveware said.
The next most prevalent strains of ransomware seen in the first quarter were Ryuk and Phobos, Coveware said, adding that ransoms tied to Phobos remained broadly consistent, while attackers wielding Ryuk began to demand greater ransom amounts - both initially and in their final-offer demands - despite hitting, on average, smaller companies.
Smaller Demands
"A single large organization may have a $1 million ransom demand," the Coveware report states. "Other times, Sodinokibi targeted a managed service provider's clients and tried to extort each individual end client for $5,000 to $10,000."
Some Sodinokibi affiliates have also been actively scanning for vulnerable VPN installations. CUToday.info reported earlier that the FBI has issued warnings that scammers have been targeting employees working from home as a weak spot in networks.
