Ryuk Sends Ransoms Rocketing

Ransoms are on the rise again as more expensive ransomware tips the scales, according to a new report released this week.

In February, we reported that anti-ransomware company Coveware saw the average ransom rise by 13% to $6733 in Q4 2018. That was just the beginning of a hockey-stick curve. Q1 2019 saw an 89% bump in the average ransom, which now totals $12,762, its latest report said.

The company puts the steep rise in ransoms down to new strains of ransomware such as Ryuk, Bitpaymer, and lencrypt. Cyber-criminals are using them in targeted attacks on larger enterprises, marking a move away from the spray-and-pray attacks that characterized earlier ransomware infections.

The ransom is only part of the cost, though. Infections also lead to downtime, which averaged $65,645, Coveware said. Average downtime increased to 7.3 days in Q1 from 6.2 days in Q4.

The problem facing companies is that new strains of ransomware are more difficult to decrypt, the company warned. The targeted attacks are also better at wiping or encrypting backup systems.

Ryuk is one of the main culprits. Derived from a commodity ransomware variant called Hermes, Ryuk had netted over 705.8 bitcoins across 52 transactions in the six months to January 2019, according to an analysis from CrowdStrike. At today’s prices, that equates to almost $3.8 million.

Hermes comes from the North Korean Lazarus Group, and researchers have guessed that Ryuk may also be under the Group’s control. CrowdStrike attributes it instead to GRIM SPIDER, a cell of a Russian criminal enterprise known as WIZARD SPIDER. The company has identified the latter’s Trickbot malware in multiple Ryuk infections, and it believes that this may be the initial method of compromise.

An advisory by the US Department of Health and Human Services said Ryuk ransoms were comparatively high, reaching up to 50 bitcoins. Attackers net $640,000 on average, it said, noting the suitability of the ransomware’s encryption scheme for small-scale operations.

“Attackers are required to complete extensive network mapping, lateral movement and credential collection prior to each operation,” it explained.

We shouldn‘t underestimate the effects of large enterprise ransomware attacks. Although we don’t know the ransomware strain that hit Norsk Hydro in March, the attack was bad enough to cost the aluminium and renewable energy company an estimated $41 m and to push back its Q1 2019 financial reporting.

The topic of Threats, Exploits and Vulnerabilities will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Threats, Exploits and Vulnerabilities here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.

What’s Hot on Infosecurity Magazine?