According to a recent report by ransomware incident response organization Coveware, the average ransom paid by victims of attacks fell 38% from Q1 to Q2 2021. The average ransom payment in Q2 was $136,576, while the median payment was 40% lower at $47,008.
One of the major factors behind the lower ransom payments is a drop in attacks by two main ransomware groups, Ryuk and Clop. Both are known for their large ransom demands. Rather than most attacks being carried out by one or two groups, there is now a growing number of different ransomware-as-a-service (RaaS) brands that usually demand smaller ransom payments. In Q2, Sodinokibi (REvil) was the busiest RaaS operation, responsible for 16.5% of attacks. The other ransomware groups' shares of activity were as follows: Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk accounted for just 3.7% of attacks and Clop for 3.3%.
The Sodinokibi gang has gone silent since the Kaseya attack and appears to have shut down; however, the group has deactivated its operations before, only to return with another ransomware variant. Even with the operators retired, the affiliates who carried out the attacks are likely to simply switch to another RaaS operation, so attack volume might not be affected.
The most common vectors used in attacks have been shifting over the last couple of months. In Q1 of 2021, there was a rise in brute force attacks on Remote Desktop Protocol (RDP), while exploitation of software vulnerabilities and phishing attacks declined. In Q2, RDP compromises and software vulnerability exploits both declined and email phishing increased, so phishing and RDP compromises are now equally prevalent. Exploitation of software vulnerabilities is the vector of choice for targeted attacks on large businesses, and those attacks are generally carried out only by the most sophisticated RaaS operations, whose large operating budgets allow them to obtain one-day exploits or purchase access to large networks.
In Q2, over 75% of ransomware attacks were on companies with fewer than 1,000 staff. These smaller firms are less likely to invest in security awareness training for staff and in email security to block phishing attacks. They are also more likely to expose RDP to the internet. Small firms are likewise more inclined to outsource security to managed service providers (MSPs). MSPs remain a big target, as an attack on an MSP can enable the attacker to then target all of the MSP's customers.
The report shows a drop in the effectiveness of double extortion tactics. In double extortion, sensitive data is copied before files are encrypted. A ransom is demanded in exchange for the decryption key, and an additional payment is demanded to prevent the publication or sale of the stolen information. In Q2, 81% of attacks involved data exfiltration before file encryption, up from 76% in Q1.
Nonetheless, payment to ensure data deletion is now less likely. In 2020, 65% of victims that could recover data from backup files paid the attackers to prevent the posting of stolen information; in Q2 of 2021, the figure was only 50%.
The most affected industries in Q2 were professional services (13.3%), healthcare (10.8%), and the public sector (16.2%). Coveware suggests that these sectors might not be specifically targeted; rather, they are simply the easiest to attack. For example, the number of attacks on law firms went up, but that was mainly a result of the Clop ransomware group's attack on Accellion File Transfer Appliances, which were disproportionately used by law firms.
Coveware reports that the typical recovery time from a ransomware attack decreased by 15% in Q2, with victims typically experiencing 23 days of outages following an attack; however, this was attributed to a rise in data-only attacks in which there is no material business disruption.