Ransomware Costs Double on the Backs of Sodinokibi and Ryuk

Ransomware continues to be a major bane for enterprises and government organizations, the latest high-profile victim being Travelex. The currency exchange suffered a Sodinokibi attack that left some of the company’s online services offline for three weeks. Another new worry for those tasked with securing networks is that ransomware operators are no longer only encrypting data but also stealing it and threatening to release it to the public, and in some cases actually doing so. Researchers spend time analyzing the code behind the malware, but what of the costs associated with an infection? For CEOs, CFOs, and stakeholders this is often the most important factor when looking to come through such an infection relatively intact.

Coveware, a security firm specializing in all aspects of ransomware, often answers that very question. In a recent report, its researchers analyzed and compiled data from the fourth quarter of 2019 that gives insight into the costs associated with ransomware attacks.

Ransomware Costs Double on the Backs of Sodinokibi and Ryuk

The report does not make for good reading if the reader is hoping for good news. It is necessary reading, though. Ransom payments in Q4 more than doubled over the previous quarter. The company noted,

“In Q4 of 2019, the average ransom payment increased by 104% to $84,116, up from $41,198 in Q3 of 2019. While the median ransomware payment in Q4 was $41,179, the doubling of the average reflects the diversity of the threat actors that are actively attacking companies. Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises. On the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1,500.”

Those figures are headline generators in themselves; however, the statistics regarding company downtime make for equally bleak reading. The average downtime in Q4 increased to 16.2 days from 12.1 days in the previous quarter. The increase was driven by attacks on larger enterprises, which often take weeks to fully remediate, in part because larger enterprises have larger and far more complex networks. It is also driven by advances in the ransomware used to infect such networks. Ryuk, for example, began using a Wake-on-LAN feature to power on devices within a compromised network that were initially off. This lets the attackers reach machines that would typically be turned off outside office hours, so they can encrypt when it is less likely to be detected. Perhaps the biggest advantage is that the number of endpoints that can be encrypted increases drastically, which in turn means more time spent either restoring from backups or decrypting infected machines.
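The Wake-on-LAN behaviour described above is easy to spot on the wire, because a WoL "magic packet" has a fixed shape: six 0xFF bytes followed by the target MAC address repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password, and the sequence may sit anywhere in the UDP payload. The detector below is an added example written for this page, not code from the original article, from Coveware, or from any Ryuk sample; the flow records it scans are constructed, and the "noisy sender" threshold is an assumed tuning value. It flags any flow carrying a magic packet and then picks out hosts that wake several distinct machines, which is the bulk wake-up pattern the paragraph describes rather than a single admin waking one box.

```python
"""Wake-on-LAN magic packet detection over UDP flow records (added example).

Constructed sample data only; nothing here is a real capture.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a magic packet for `mac` (colon- or dash-separated hex), with an
    optional SecureOn password (4 or 6 bytes). Used here to construct samples."""
    raw = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + raw * 16 + password


def find_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (lowercase, colon-separated) if `payload` contains a
    well-formed magic packet anywhere inside it, else None.

    The sync stream may be preceded by padding, and a run of 0xFF longer than six
    bytes must not confuse the scan, so every candidate offset is tried.
    The broadcast MAC ff:ff:ff:ff:ff:ff is rejected: it is not a valid target and
    would otherwise match any 102-byte run of 0xFF."""
    start = 0
    while True:
        idx = payload.find(SYNC, start)
        if idx < 0:
            return None
        body = payload[idx + 6:]
        if len(body) >= 96:
            mac = body[:6]
            if mac != SYNC and body[:96] == mac * 16:
                return ":".join(f"{b:02x}" for b in mac)
        start = idx + 1


Flow = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, udp_payload)
Alert = Tuple[str, str, int, str]   # (src_ip, dst_ip, dst_port, target_mac)


def scan_flows(flows: Iterable[Flow]) -> List[Alert]:
    """Return one alert per flow whose UDP payload carries a magic packet.
    The port is recorded but not used as a filter: WoL is conventionally sent
    to UDP/7 or UDP/9, but any port works, so the payload is what matters."""
    alerts: List[Alert] = []
    for src, dst, dport, payload in flows:
        mac = find_magic_packet(payload)
        if mac is not None:
            alerts.append((src, dst, dport, mac))
    return alerts


def noisy_senders(alerts: Iterable[Alert], threshold: int = 2) -> Dict[str, int]:
    """Map each source IP that woke at least `threshold` distinct MACs to that
    count. `threshold` is an assumed tuning value for this example; a single
    admin host waking one machine is normal, one host waking many is not."""
    targets: Dict[str, set] = {}
    for src, _dst, _port, mac in alerts:
        targets.setdefault(src, set()).add(mac)
    return {src: len(macs) for src, macs in targets.items() if len(macs) >= threshold}


# Constructed sample traffic: an admin host waking one machine on UDP/9, a
# workstation blasting two different targets at the broadcast address on UDP/7
# (one with a SecureOn password), DNS-port noise that contains a run of 0xFF but
# no magic packet, and a magic packet preceded by four bytes of padding.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.255", 9, build_magic_packet("00:11:22:33:44:55")),
    ("10.0.1.77", "255.255.255.255", 7,
     build_magic_packet("aa-bb-cc-dd-ee-ff", b"\x01\x02\x03\x04")),
    ("10.0.1.77", "255.255.255.255", 7, build_magic_packet("aa:bb:cc:dd:ee:01")),
    ("10.0.1.77", "10.0.0.10", 53, b"\xff" * 20 + b"not a magic packet"),
    ("10.0.1.78", "10.0.0.255", 9, b"\x00" * 4 + build_magic_packet("00:11:22:33:44:56")),
]

if __name__ == "__main__":
    found = scan_flows(SAMPLE_FLOWS)
    for alert in found:
        print("WoL magic packet: %s -> %s udp/%d wakes %s" % alert)
    for src, count in noisy_senders(found).items():
        print(f"suspicious: {src} woke {count} distinct hosts")
```

Run against real traffic, the same two functions would be fed UDP payloads pulled from a packet capture or a NetFlow/IPFIX exporter that keeps payload samples; the point of scanning the whole payload rather than checking offset 0 is that a padded or oddly framed magic packet still wakes the NIC and must still be caught.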

The report also identifies the most prevalent ransomware strains seen infecting networks and PCs. That dubious honor went to Sodinokibi and Ryuk. One of the driving forces behind Sodinokibi’s prevalence is that it is offered as Ransomware-as-a-Service, but rather than being offered to whoever can pay, it is offered to a select number of affiliates. These affiliates often have specialized skills that allow them to attack specialized targets such as managed service providers (MSPs). This has proved an effective way of reaching the MSPs’ clients, opening up entire networks to infection. Sodinokibi has also been one of the strains that now steal data before encrypting it and threaten to release that data if payment is not made. Ryuk has constantly been a thorn in the side of enterprises and has only slightly altered its tactics, namely to go after ever-larger companies in the hope of securing payment.

New York State looks to ban Ransomware Payments

The figures released by Coveware raise the question of what companies and government organizations are doing to combat ransomware infections. In the US, New York State is looking to make it illegal for local municipalities and other government entities to use taxpayer money to pay ransomware demands. The first bill was proposed by Republican NY Senator Phil Boyle on January 14. The second bill was introduced by Democrat NY Senator David Carlucci two days later, on January 16. The bills are the first of their kind and have raised the question of how effective they will be at combatting ransomware.

In an interview with ZDNet, Bill Siegel, CEO and co-founder of Coveware, said,

“I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations…If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered. 1) What happens if a NY based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay? 2) Are the state's municipal organizations adequately staffed and budgeted with DR [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?”

Only time will tell whether such legislation can prove effective at combatting ransomware by drying up a source of revenue. Hopefully, taxpayers’ money will go to better causes such as education and healthcare rather than lining the pockets of cybercriminals.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
