WHY INCIDENTS OCCUR


The Scourge of Ransomware

Ransomware matters surged in 2019, with the primary tactic being to encrypt as many devices in the network as possible simultaneously. Then the Maze group changed tactics in late 2019 – it began stealing data before encrypting data. This gave the group two pressure points and caused companies to pay ransoms, even when they restored using backups, in order to prevent disclosure of stolen data. It did not take long for dozens of other threat actors to adopt this tactic. And like a gambler using a large stack of chips to buy the pot, these groups were emboldened by their wins to increase their initial demands, sometimes by tens of millions of dollars.

In October 2020, the Department of the Treasury issued an alert reminding companies to address sanctions obligations before making ransom payments. The alert caused confusion and added more hurdles (e.g., subjective requirements demanded by a company’s bank before it would wire money to the payment facilitator).

75%

threat actor groups/variants (15 in 2019)


Clop, Netwalker, Conti, Ryuk, Pysa

$65+ million

Largest ransom demand in 2020 (2019 was $18 million)

$15+ million

Largest ransom paid in 2020 (2019 was $5+ million)

$794,620

Average ransom payment amount (2019 average was $303,539)

0%

encryption key received after payment made


0%

payment made by third party for the affected organization

67%

of the time an organization was able to partially or fully restore from backup without paying ransom


70%

of ransom notes contained claim of theft of data before encryption


90%

found evidence of data exfiltration when there was a claim of data theft in the ransom note


25%

involved theft of data resulting in notice to individuals


20%

of matters involved a payment to a threat actor group even though the organization had fully restored from backup

8 days

From demand to payment (median: 5)

9.2 days

From demand to payment for payments over $1 million

7.4 days

From demand to payment for payments $200,000-$1 million

1.3 days

From encryption to restoration (median: 10)

Healthcare

$910,335

Manufacturing

$1,403,876

Financial Services

$1,360,833

Hospitality

$642,588

Email account compromises to facilitate wire transfer fraud (BECs) are still happening

$26 million

In wire transfers resulting from a BEC

$6 million

Largest wire transfer

$453,468

Average wire transfer

$758,365

Average recovery

28%

Matters that had recovered funds totaling over $12 million
