Tag Archive for: Ransomware

Ransomware Simulation & Incident Response in the Healthcare Industry



April 23, 2024


Discover how ransomware simulations and developing an incident response plan can help mitigate the disruption of a ransomware attack.


Ransomware victims increasingly refuse to pay


Victims of ransomware attacks are less likely to pay cybercriminals to release the encrypted or stolen data. This is according to Coveware research in a quarterly report.

The researchers state that in the first quarter of 2024, 28 percent of companies affected by ransomware paid the requested ransom, compared to 29 percent in the last quarter of 2023.

Companies are paying less because they protect themselves more against these attacks. They are also increasingly able to perform recovery operations themselves and, consequently, are less dependent on a decryption key.

In addition, companies are increasingly being legally forced not to give in to ransomware criminals. For example, the state of Florida in the U.S. prohibits responding to ransomware attacks, as does Australia.

Furthermore, companies often do not pay because cybercriminals don’t keep their end of the agreement anyway. For example, they publish or otherwise trade the stolen data after payment despite promising not to do so.

Line chart of quarterly ransom payments showing two trends, average payment and median ransom, marked by different lines, with a dramatic spike in the last quarter shown.

The average amount of demanded ransom drops

The average ransom price in the first quarter was $382,000 (358,000 euros), down 32 percent from the previous quarter. However, the median was 25 percent higher at $250,000.

Chart showing the decline in the number of ransomware payment resolutions between 2019 and 2023, with percentages per year.

According to the Coveware research, part of the reason the average ransom price is falling is that criminals recognise they can no longer charge astronomical sums that companies cannot pay anyway. As a result, criminals are now switching more frequently to asking for more reasonable ransom amounts.

The study states that the drop in ransom prices could be due to fewer ‘high-value’ targets willing to be extorted and, therefore, pay ransoms.

The researchers state that ransomware is still a significant threat and that more than $1.1 billion in ransoms was still paid last year.


Ransomware groups and attack vectors

Coveware also examined the most popular perpetrators of ransomware attacks in the first quarter of this year. The Akira group was the top perpetrator, followed by Black Basta and LockBit 3.0 in joint second place. LockBit 3.0 took a…


Cheap, independently produced ‘Junk Gun’ ransomware infiltrates dark web: Sophos


Sophos, a global leader of innovative security solutions that defeat cyberattacks, recently released a new report titled, “‘Junk Gun’ Ransomware: Peashooters Can Still Pack a Punch,” which offers new insights into an emergent threat in the ransomware landscape.

Since June 2023, Sophos X-Ops has discovered 19 ‘junk gun’ ransomware variants—cheap, independently produced and crudely constructed ransomware variants—on the dark web, reads a press release.

The developers of these junk gun variants are attempting to disrupt the traditional affiliate-based ransomware-as-a-service (RaaS) model that has dominated the ransomware racket for nearly a decade.

Instead of selling or buying ransomware to or as an affiliate, attackers are creating and selling unsophisticated ransomware variants for a one-time cost—which other attackers sometimes see as an opportunity to target small and medium-sized businesses (SMBs), and even individuals.

As noted in the Sophos report, the median price for these junk-gun ransomware variants on the dark web was $375, significantly cheaper than some kits for RaaS affiliates, which can cost more than $1,000. The report indicates that cyber attackers have deployed four of these variants in attacks. While the capabilities of junk-gun ransomware vary widely, their biggest selling points are that the ransomware requires little or no supporting infrastructure to operate, and the users aren’t obligated to share their profits with the creators.

Junk gun ransomware discussions are taking place primarily on English-speaking dark web forums aimed at lower-tier criminals, rather than well-established Russian-speaking forums frequented by prominent attacker groups. These new variants offer an attractive way for newer cybercriminals to get started in the ransomware world, and, alongside the advertisements for these cheap ransomware variants, are numerous posts requesting advice and tutorials on how to get started.

To learn more about junk gun ransomware and the latest change in the ransomware ecosystem, read “Junk Gun Ransomware: Peashooters Can Still Pack a Punch” on Sophos.com.


CISA, Partners Warn Organizations of Akira Ransomware Attacks


The Cybersecurity and Infrastructure Security Agency and its U.S. and international partners have released a joint cybersecurity advisory, or CSA, warning organizations against the Akira ransomware that has targeted critical infrastructure entities in North America, Europe and Australia.

The CSA outlines known tactics, techniques and procedures used by Akira ransomware operators and indicators of compromise to help organizations respond to ransomware attacks, CISA said Thursday.

According to the advisory, Akira threat actors have deployed a Linux variant targeting VMware ESXi virtual machines after initially focusing on Windows systems.

As of January, the ransomware group has targeted more than 250 organizations and gained approximately $42 million in ransomware proceeds.

In August 2023, Akira attacks started using Megazord, which uses Rust-based code, alongside the Akira ransomware, which is written in C++ and encrypts files.

CISA and its partners encourage organizations to implement the mitigations outlined in the CSA to reduce the impact of Akira ransomware attacks.
