By Bruce Sussman
Mon | Jan 27, 2020 | 12:37 PM PST

"On planet cybersecurity, there is new weather every quarter. But the old weather never goes away."

That's what Jason Witty told me during our interview at SecureWorld back when he was the CISO of U.S. Bank.

And his assessment rang true once again when I looked at ransomware in the fourth quarter of 2019.

For example, a company sued John Doe for a ransomware attack.

And doctors started quitting after ransomware attacks.

One company handed out cruises to top sellers and then closed its doors the following week because of ransomware.

Ransomware also went "nuclear" by encrypting files but also stealing them and threatening to publicly expose them. 

These types of things are giving ransomware operators leverage, and that is being reflected in the price of ransoms being paid.

Ransomware ransom payments double

According to the Coveware ransomware marketplace report, in Q4 of 2019, the average ransom payment increased by 104% to $84,116. This was up from an average of $41,198 in Q3 of 2019.

Those numbers are increasing in part because of the ransom demands and payments from large and complex organizations.

"Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises."

Will enterprise organizations pay a six-figure ransom?

If it seems unbelievable that organizations would consider a six-figure ransom to hackers, the research points out what is shifting in the ransomware climate to make that option more attractive.

The ransom itself may be the smallest of an organization's costs, and paying it may limit the total material impact of a ransomware incident:

"Financial costs include the ransom payment if one is made, and the costs to remediate a network and its hardware. Costs also include lost revenue and potential brand damage if business interruption is severe enough.

In Q4, ransomware actors also began exfiltrating data from victims and threatening its release if the ransom was not paid. In addition to remediation and containment costs, this new complication brings forth the potential costs of 3rd party claims as a result of the data breach."

It wasn't just the enterprise organizations paying up, however. These same considerations weigh on the minds of smaller organizations. Researchers say ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker are hitting these organizations with a high number of attacks, demanding as little as $1,500.

Would you pay $1,500 if it could keep your organization from going out of business like some have?

Should ransomware payments be banned?

Ransomware payments are polarizing. Some have called paying them downright un-American.

The CEO of a sewer and water authority made a bold statement about this on Facebook, after being hit with Ryuk ransomware:

"Do you bow your head, weakly, and say we'll pay you and risk another attack? Or do you look 'em in the eye and say we're Americans, we're North Carolinians, and by golly, we'll survive this too. That's what we say. That's what we're telling the cybercriminals and the world."

But that's not the message cities in Florida sent hackers when they paid more than $1 million in ransoms in a matter of weeks—earning Florida a new nickname: the ransomware state.

Payments from cities, school districts, and municipalities across North America have caught the eye of legislators in the State of New York. They introduced new legislation to ban tax dollars from being used to pay a cyber ransom.

The most recent bill on this topic is Senate Bill S7289, and it reads, in part: 

"No municipal corporation or other government entity shall pay ransom in the event of a cyber-attack against such municipal corporation or such government entity." 

The bill's impetus was a Christmas week ransomware attack at the Albany County Airport Authority in New York. The airport paid an "under six-figure ransom" to attackers to recover systems during a busy travel week.

Is having ransomware on your device a crime?

This legislation comes on the heels of proposed legislation in Maryland which would make it a crime to possess ransomware with ill intent.

Believe it or not, in most states, this is still legal.

Planet ransomware: the weather is always changing

This brings us full circle to where we started. It brings us right back to CISO Jason Witty's assessment:

"On planet cybersecurity, there is new weather every quarter. But the old weather never goes away."

Boy, has he turned out to be right!