Ransomware Causes 15 Days of EHR Downtime, as Payments Avg $111K

Driven by the notorious Sodinokibi and Ryuk variants, the average ransom payment surged to $111,000, according to Coveware’s quarterly ransomware incident report.

By Jessica Davis

The average ransomware demand paid by organizations jumped 33 percent to nearly $112,000 between the last quarter of 2019 and the first quarter of 2020, according to Coveware’s Q1 ransomware market report. About 14 percent of Q1 ransomware attacks impacted the healthcare sector.

Further, the average ransomware attack causes 15 days of downtime, down 7 percent from Q4 2020. Researchers stressed that hospitals face the greatest risk from EHR downtime after a ransomware attack, given the impact on patient care.

Coveware analysts reviewed more than 1,000 ransomware cases impacting clients during the first quarter and found that the most successful attacks targeted larger organizations, given the increased likelihood of a higher ransom payment.

“Ransomware distributors increasingly targeted large enterprises and were successful in forcing ransom payments for the safe recovery of data,” researchers explained. “Large enterprise ransom payments are the minority by volume, but the size of the payments dramatically pulled up the average ransom payment.”

As a result, the median payment reached $44,021 in Q1, up slightly from Q4.

The most prevalent ransomware continues to be the notorious Sodinokibi variant. Hackers tailor their ransom to each target, as they’re known to target both large and small enterprises.

For example, one large organization may see a $1 million ransom demand, while the hackers will hit managed service providers (MSPs) with ransomware and attempt to extort connected end clients for between $5,000 and $10,000.

Coveware also determined Sodinokibi hackers are actively scanning for virtual private network (VPN) connections, echoing a recent FBI alert. As VPN use has skyrocketed during the COVID-19 pandemic, securing these platforms is crucial.

More notably, in more than 8.7 percent of the analyzed ransomware cases, hackers exfiltrated data from the victim organizations before deploying the ransomware. The FBI and other security researchers have repeatedly warned that threat actors continue to steal data from their victims before deploying ransomware to increase the likelihood of payment.

Healthcare is a prime target for extortion attempts, with Maze hackers popularizing the destructive technique in the early fall. Coveware did note that Maze hackers have been exfiltrating smaller amounts of data, but a host of other ransomware hacking groups have joined the trend, including Sodinokibi and DoppelPaymer, among others.

Sodinokibi, as well as Ryuk, drove the spike in ransomware as the most prevalent variants. Researchers noted that hackers are also progressively using Mamba (also known as HDDCryptor) ransomware in more attacks.

“Mamba ransomware involves the combination of a boot-locker program and full disk encryption via commercial software,” researchers explained. “The bootloader screen is used as a ransom note. Decrypting the full disk encryption requires passwords that only the threat actor holds.”

The most common attack vector continues to be the remote desktop protocol (RDP). These servers often run on vulnerable platforms that many organizations fail to segment. Kaspersky recently warned of a drastic rise in brute-force RDP cyberattacks, driven by the increase in remote work during the COVID-19 pandemic.

RDP enterprise credentials can be found for sale on the dark web for just $20, and Coveware explained that when “combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist.”

“Until the economics of carrying out ransomware balance (by either bringing the monetization success rates down or by making attacks prohibitively expensive) ransomware and cyber extortion will continue to gain prevalence,” Coveware explained.