At SpearTip, as across the incident response industry, we saw average ransomware payments decline in Q4 of 2020, by nearly $100,000, for the first time in two years. Anyone paying close attention to the ransomware threat landscape throughout the year would have noticed the increase in payments, so what factors contributed to this Q4 decline after almost a year of steadily increasing ransomware payments?
SpearTip’s cyber experts observed the stable growth of average ransomware payments for the first three quarters of 2020. As victims kept paying, threat actors upped the ante. The main factor attributed to the decline is security engineers’ experience in dealing with double extortion. Maze ransomware was the first group to implement double extortion in 2019, and other groups that adopted the method did not always pull it off correctly.
It’s important to realize that when dealing with a threat actor, you are dealing with someone whose commitments should not be trusted. When data is exfiltrated, most ransomware groups tell victims that it will be returned and destroyed after ransomware payments are exchanged. This is done to incentivize the victim to pay, but problems have arisen when threat actors are found not to have destroyed the data. Instead, in some cases, threat actors collect the ransom, promise not to publish the data, and promptly leak the data on their blog sites.
Another factor that may have played a part in this decline is the news of a major ransomware gang, NetWalker, losing their dark web leak site to law enforcement. Although we learned of this news in late January, it’s likely the site has been revoked for weeks.
Security firms like SpearTip will guide ransomware victims in the right direction during these negotiations. In some cases, there are options for avoiding payments that an internal team may not be aware of. Our engineers negotiate with threat actors regularly and exhaust every possible option before paying the ransom during an incident, which we view as a final choice to recover your data. If your organization has secure backups and the ability to recover after a breach, you’ll be less inclined to make a ransom payment or endure business disruption.
A firm that specializes in executing ransom payments, Coveware, recently published a report on ransomware in Q4 of 2020. Within it, they explain how the decline in payments stems from companies not giving in to the double extortion methods based on the likelihood their data is already published publicly or has been erased completely.
The average ransom request was becoming incredibly costly and the trust in threat actors diminished, so the option of not paying became a better choice. This is likely why we’ve seen this sharp drop in the average ransomware payment. According to Coveware’s report, payments dropped 34% in Q4 2020 from Q3 2020.
We offer Incident Response services, but ideally, the response wouldn’t be needed if you’re appropriately secured beforehand. Our Endpoint Detection and Response (EDR) tool, ShadowSpear®, is a great step to avoid a ransomware attack and can be specifically tailored to suit your organization.
The three modules that make up ShadowSpear® all serve a critical purpose in your endpoint protection. Identify provides enhanced visibility across your entire information security environment, Neutralize provides instant protection against advanced malware threats including authorized remote access and ransomware, and Counter gives our 24-hour Security Operations Center and internal team the ability to immediately react to malicious activity on an endpoint. Utilizing this tool is how you’ll truly outmaneuver your adversaries.
In most cases where ransomware attacks disrupted business operations and ransomware payments were made, organizations were not prepared. A saying widely used in the cybersecurity industry is “not if, but when”, so being properly prepared to defend against cyber threats is crucial for the success of your organization and profit maximization.
Law enforcement agencies have achieved success in targeting and apprehending ransomware operators through a combination of international cooperation, improved intelligence sharing, and dedicated cybercrime units. These agencies often collaborate with private cybersecurity firms and utilize sophisticated digital forensic techniques to trace the flow of ransom payments, identify the perpetrators, and initiate legal actions against them.
Organizations are adopting various strategies and technologies to enhance their cybersecurity defenses against ransomware attacks. These include regular employee training on phishing and social engineering awareness, implementing multi-factor authentication, employing advanced endpoint protection solutions, conducting regular vulnerability assessments and penetration testing, implementing network segmentation, and regularly backing up critical data offline or to secure cloud storage. Additionally, many organizations are investing in threat intelligence services and partnering with cybersecurity firms to continuously monitor and respond to emerging threats.
The ransomware landscape is continually evolving, and several emerging trends and tactics have the potential to impact the decline in average ransomware payments. These include the rise of double extortion attacks, where threat actors not only encrypt data but also steal sensitive information to pressure victims into paying, as well as the increasing targeting of specific industries or critical infrastructure. Additionally, the use of decentralized or anonymized cryptocurrencies for ransom payments and the availability of ransomware-as-a-service (RaaS) platforms contribute to the complexity of the threat landscape. Continuous monitoring of these trends is crucial to stay ahead of evolving ransomware tactics.