The Increasing Costs of Ransomware

As discussed in a ZDNet article about an RSA Conference talk from an FBI special agent, $144.35 million was paid in Bitcoin to ransomware-dispensing thugs during the six-and-a-half years ended July 2019. Among the most lucrative ransomware variants were:

  • Ryuk, which was by far the most successful ransomware, generating an average of $3.05 million per month during the 20-month period ended October 2019. Ryuk is responsible for the ransomware attacks that affected the San Diego Union-Tribune, the City of New Orleans, and Lake City, Florida, among many others.
  • Crysis/Dharma, which generated $670,000 per month during the three-year period ended November 2019.
  • Bitpaymer, which generated $350,000 per month during the 23-month period ended September 2019.
  • SamSam, which generated $200,000 per month during the 34-month period ended November 2018.

Interestingly, more than 25 percent of the ransom that has been paid by victims has yet to be spent, still housed in Bitcoin wallets.

Also of interest is the fact that up to 80 percent of ransomware attacks began as brute-force attacks on the Remote Desktop Protocol (RDP), with the remainder starting as phishing exploits. This is despite the fact that, according to Microsoft, the typical RDP attack lasts an average of two to three days and only 0.8 percent of them (only one in 1,250 attacks) are actually successful.

Here are a few steps to combat ransomware, or at least the majority of its impact:

  • Minimize use of RDP. A friend at church told me on Sunday that while he was at RSA, his newly-hired subordinate was implementing RDP on all of the corporate workstations despite being told not to do so. Don’t do it if you don’t have to.
  • Use robust passwords. As the FBI special agent noted in his RSA talk, “If you can tell your password to someone else in under 30 seconds, it’s probably not a secure password.”
  • Implement robust security technologies focused on detecting and remediating ransomware before it has a chance to take root.
  • Implement ransomware-resistant backups that will prevent thugs from encrypting backups along with your endpoints.
  • Monitor networks for anomalous behavior.
  • Train users not to click on unknown or suspicious links in emails and on the web.
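
The RDP brute-force pattern described above (failed attempts running for days, with a rare success) is one thing the monitoring step can look for. The following Python is an added example, not from the original post or the FBI talk; it flags source addresses with sustained failed RDP logons and any success that follows, and its thresholds, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs: failed / successful logon
# Logon type 10 = RemoteInteractive (RDP). With NLA enabled, failed RDP logons are
# recorded as type 3, which also covers other network logons, so scope the input
# to RDP-exposed hosts.
RDP_LOGON_TYPES = {3, 10}

def detect_rdp_bruteforce(events, min_failures=50, min_span=timedelta(hours=24)):
    """Flag source IPs with sustained failed RDP logons and any later success.

    min_failures and min_span are assumed thresholds; tune them per environment.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == FAILED and ev["logon_type"] in RDP_LOGON_TYPES:
            failures[ev["src_ip"]].append(ev["time"])
    findings = {}
    for ip, times in failures.items():
        span = max(times) - min(times)
        if len(times) >= min_failures and span >= min_span:
            findings[ip] = {"failures": len(times), "span": span, "compromised": []}
    # A success from a flagged source after its first failure is the rare hit that matters.
    for ev in events:
        hit = findings.get(ev["src_ip"])
        if (hit and ev["event_id"] == SUCCESS and ev["logon_type"] in RDP_LOGON_TYPES
                and ev["time"] > min(failures[ev["src_ip"]])):
            hit["compromised"].append((ev["user"], ev["time"]))
    return findings

def constructed_sample():
    """Constructed events: one slow attacker and one user who mistyped a password."""
    start = datetime(2020, 3, 1, 2, 0)
    events = [{"time": start + timedelta(minutes=30 * i), "event_id": FAILED,
               "logon_type": 3, "src_ip": "203.0.113.7", "user": "administrator"}
              for i in range(120)]                      # 120 failures over 59.5 hours
    events.append({"time": start + timedelta(hours=60), "event_id": SUCCESS,
                   "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"})
    events += [{"time": start + timedelta(hours=7, minutes=m), "event_id": eid,
                "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"}
               for m, eid in ((0, FAILED), (1, FAILED), (2, SUCCESS))]
    return events

if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(constructed_sample()).items():
        print(ip, hit["failures"], hit["span"], hit["compromised"])
```

A flagged source with a non-empty `compromised` list is the case to escalate first, since it pairs a long run of failures with a working credential.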

Ransomware hit a high point in 2016, waned a bit in 2017 and 2018, and hit yet another high point in 2019. We anticipate that 2020 will set yet another high-water mark for ransomware victimization.