Ransomware victims who opt to pay their attackers for the promise of a decryption key forked over.
According to CEO Bill Siegel of Coveware, his firm handled negotiations for all ransoms that its customers – both individuals and organizations – chose to pay. However, he cautions that not all payments resulted in victims receiving a decryption key.
The increase in the average ransom demand may trace to attackers more often targeting specific firms.
Coveware also notes that last year, ransomware strains such as SamSam and Ryuk, which demanded higher-than-average ransom payments, infected a greater portion of victims than before.
For victims who were able to identify the source of their ransomware infection, Coveware says 85 percent traced to RDP (Remote Desktop Protocol), whereas 14 percent traced to phishing and 2 percent to another form of social engineering.
Ransomware attackers still prefer bitcoin: about 95 percent of all ransomware infections observed by Coveware at the end of 2018 demanded payment in bitcoin.
Security experts and police recommend that ransomware victims never pay, warning that doing so directly funds cybercrime and further ransomware research and development.
When victims do pay – in exchange for the promise of a decryption key – they also face the risk that their attacker may not honor that promise.
The FBI warns that paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom.
Decryptors: Dharma Disappoints
Of course, if too many attackers fail to give the victims a working decryption tool, that’s a disincentive for future victims to even consider paying. But that can be small comfort to individual victims who might pay and still never see their data again.
When attackers do furnish decryptors, they also have differing rates of success. The average data recovery rate when a working tool is delivered is about 95 percent.
Thieves Keep Targeting Backups
Security experts encourage all computer users to keep backups of their systems so they can be wiped and restored in the event that they suffer a crypto-locking malware attack. With up-to-date backups in hand, victims have no need to consider paying attackers for the promise of a decryptor.
Modern ransomware often includes the ability to crypto-lock not just a system, but also any network share. Therefore, it’s crucial that systems be backed up to drives or network shares that will then be completely disconnected from the system being backed up.
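The check below is an added example, not part of the original article or Coveware's tooling: it reads a Linux mount table in /proc/mounts format and reports backup destinations that are still mounted read-write, and so still within reach of crypto-locking malware running on that host. The mount entries and backup paths are constructed sample values.

```python
import re

# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//nas01/backups /mnt/backup cifs rw,vers=3.0 0 0
/dev/sdb1 /media/usb\\040backup ext4 ro,relatime 0 0
nas02:/export/archive /mnt/archive nfs4 rw,hard 0 0
"""
# Hypothetical backup destinations configured for this host (assumed values).
SAMPLE_BACKUP_PATHS = ["/mnt/backup/daily", "/media/usb backup/weekly",
                       "/mnt/archive", "/mnt/offline/monthly"]
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs"}

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (mount_point, fs_type, options) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:  # skip blank or malformed lines
            entries.append((_unescape(parts[1]), parts[2], set(parts[3].split(","))))
    return entries

def covering_mount(path, entries):
    """Longest mount point that equals the path or is one of its parent directories."""
    matches = [e for e in entries
               if path == e[0] or path.startswith(e[0].rstrip("/") + "/")]
    return max(matches, key=lambda e: len(e[0]), default=None)

def exposed_backup_targets(mounts_text, backup_paths):
    """Backup paths on a separately mounted, writable volume: (path, mount, kind)."""
    entries = parse_mounts(mounts_text)
    findings = []
    for path in backup_paths:
        entry = covering_mount(path, entries)
        # Covered only by "/" means no separate backup volume is attached right now.
        if entry is None or entry[0] == "/" or "rw" not in entry[2]:
            continue
        kind = "network" if entry[1] in NETWORK_FS else "local"
        findings.append((path, entry[0], kind))
    return findings

if __name__ == "__main__":
    for path, mount, kind in exposed_backup_targets(SAMPLE_MOUNTS, SAMPLE_BACKUP_PATHS):
        print(f"{path}: still writable via {kind} mount {mount}")
```

On a real host, pass the contents of /proc/mounts and run the check after each backup job; an empty result means none of the listed destinations is attached and writable.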
According to Coveware, about 75 percent of ransomware victims who paid a ransom from October to December 2018 had also lost their backups to the crypto-locking attack, up from 54 percent the prior quarter.