9738888867?profile=RESIZE_400xWhen a business, government agency or any other organization gets hit by ransomware and opts to pay a ransom to its attacker in exchange for a decryption key or some other promise, on average it pays $140,000.  This is the average amount disclosed by ransomware incident response firm Coveware, based on thousands of incidents it investigated from July through August 2021.

In a new report detailing Q3 trends, Coveware says that the average ransom payment remained largely steady, compared to Q2, while the median increased by more than 50%.  This shift, it says, started after a number of high-profile attacks that began in May, including DarkSide disrupting U.S.based Colonial Pipeline, causing consumers to panic-buy fuel. Not long after, REvil aka Sodinokibi attacked meat processing giant JBS, and over the 4th of July holiday weekend, it hit remote management software firm Kaseya's software, used by managed service providers, to encrypt and hold to ransom systems used by more than 1,500 of those MSPs' customers.

The attacks sparked a furious political response from the Biden administration and other governments, initiating international efforts to target ransomware attackers via law enforcement, disrupt cryptocurrency operators to decrease  profits, and focus on improving the cybersecurity resilience of domestic businesses. The White House has also been increasing diplomatic pressure on Moscow to crack down on cybercriminals operating from inside Russia's borders.

Maybe inn response to the increased pressure, DarkSide ceased operations, rebranding itself as BlackMatter. REvil went offline in July 2021 for unexplained reasons, before resurfacing in September 2021. The same month, security firm Bitdefender received from law enforcement officials the keys that enabled it to build and release a free decryptor for almost all REvil infections dating from July and before. In October, REvil's infrastructure went offline again, with an administrator claiming operators pulled the plug after someone hijacked REvil's Tor-based data leak and payment portal sites.

The ransomware attack landscape has continued to shift in other ways. "Ever since the pipeline attacks this spring, we have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may evoke a national political or law enforcement response," Coveware says. "This shift from 'big game hunting' to 'mid game hunting' is personified in both the ransom amount statistics but also the victim size demographics from the quarter."

Based on its Q3 2021 investigations, Coveware says small and midsize professional services firms and especially law firms and financial services firms appear to be most at risk from ransomware attacks, due to their lack of information security experience, because they believe they are too small to be targeted.

In reality, ransomware attackers seeking illicit profits generally do not target any particular organization, but rather look more broadly for poorly prepared sectors that offer maximum opportunity for returns, which has made small and midsize professional services firms "a lightning rod for attacks," Coveware says.  At the same time, while efforts being brought to bear to disrupt ransomware are welcome, so far they do not appear to be having any discernable effect.

"Ransomware industry actors face little to no risk when carrying out attacks," it says. "There is effectively zero downside to becoming a ransomware affiliate and the extortion economy is attracting new entrants every day. Until the economics are disrupted and the risks start to outweigh the rewards, the problem will persist and grow."

The top ransomware strains seen by the firm in Q 2021 were ContiMespinoza, Sodinokibi aka REvil, LockBit 2.0 and Hello Kitty. All are Ransomware-as-a-Service operations, meaning a core group of developers and administrators maintains the malware and any dedicated data leak site and recruits affiliates to infect victims. Whenever a victim pays, the responsible affiliate and ransomware operator are meant to share in the profits.  REvil, recently got caught out for having included a backdoor in its malware, allowing administrators to steal affiliates' share cuts.

In terms of tactics, techniques and procedures, or TTPs, being wielded by attackers, 83% of all ransomware attacks in Q3 2021 are up from 80% in Q2 included a threat to leak stolen data. But security experts continue to warn that attackers often lie about having stolen data that has any value.  Really, ransomware actors lie?  In addition, paying a ransom in whole or part for a promise from attackers to delete stolen data comes with no guarantees. Security experts warn that businesses that do pay a ransom will often face an additional monetary demand from the same set of attackers or get hit again by the same operation, or a different one, looking to capitalize on the victim's propensity to pay.

How can organizations better defend themselves against ransomware, based on recent attack trends?  "Securing a large enterprise network is an endless task," Coveware says. "However, the rate at which ransomware threat actors reuse TTPs presents an opportunity for defenders to select areas of weakness that can be addressed quickly and cost effectively," keeping in mind that successful attacks always require chaining together multiple tactics.

Initial access trends have remained largely steady in recent years: Poorly secured remote desktop access aka RDP and phishing attacks remain the top two tactics used by ransomware-wielding criminals to gain initial access to a victim's network. But Coveware says more attacks than before are also targeting known vulnerabilities in software.  "By identifying opportunities along the kill chain to halt these attacks, enterprises can opportunistically reduce risk," Coveware says.

The following is what Red Sky Alliance recommends:

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication-company wide.
  • For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com 

Weekly Cyber Intelligence Briefings:


Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


Download Article



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance