Coveware’s 2018 Q4 Ransomware Marketplace Report

by Alex Holdtman on January 22, 2019

Coveware’s 2018 Q4 Ransomware Report

Today we released our Q4 Global Ransomware Marketplace Report. In this report, we aggregated data points collected from cases handled during the prior quarter and highlight the trends we have observed. We released this information believing that aggregating hard data points from ransomware incidents will shine a light on how these attacks occur and prevent future attacks. Anonymized segments of our data are routinely provided to law enforcement agencies to augment efforts to identify and apprehend perpetrators of attacks. Additionally, we are excited to share our data with the No More Ransomware organization and its diverse group of contributing partner organizations. Below are some key trends we observed in Q4 of 2018.

Securing Remote Access Has Never Been More Important

Ransomware distributors shifted away from malicious email attachments and now overwhelmingly exploit RDP as the preferred attack vector. A typical ransomware campaign exploits RDP for initial access and then gains elevated credentials to move laterally within a network. The attacker typically used these credentials to wipe backups before planting ransomware on critical machines. 85% of ransomware attacks in Q4 exploited RDP as the primary attack vector. We expect this trend to hold as long as companies continue to have poorly secured RDP access.

Ransomware is Targeting Backups at an Alarming Rate

75% of our Q4 ransomware cases involved the wiping or encryption of primary and secondary backups (up from 54% in Q3). Backup systems that are non-partitioned, not protected by 2FA, or not air gapped from the network are low hanging fruit to an attacker with administrative credentials. The security necessary to defend against these types of attacks is increasingly sophisticated and is putting pressure on small businesses to invest in a comprehensive but prudent solution that includes endpoint, AV, ‘least privilege access’ and properly partitioned backups.

Ransomware is Targeting Larger Organizations in the Services Industries

Professional service organizations, such as regional law firms and CPA firms, are under increasing attack from ransomware. The average victim company size increased from 38 to 71 employees in Q4. On average these firms incurred over 6 days of complete or partial downtime. Mid-market companies, especially those in low gross margin industries, such as IT hosting or freight and logistics, are at grave risk of existentially risky downtime if they sustain an attack that causes customer level service interruption.

Popular Ransomware Types Remain, Ryuk and Bitpaymer are Traveling Down Market

For the second quarter in a row, Dharma remained the most common type of ransomware. Other widely distributed types of ransomware such as GandCrab and Globelmposter were also prevalent, but headlines were made as Ryuk and Bitpaymer began showing up in small business attacks. The appearance of these two very expensive types of ransomware down market is evidence that these strains are being more broadly distributed by the same groups that utilize other types of ransomware.