Ransomware attackers increasingly leaking stolen data, even if breached companies pay up


Cybersecurity company Coveware’s 3Q20 Ransomware report highlights an increasing trend of attackers failing to follow through on promises to delete stolen data when breached companies pay the demanded ransom. Ransomware groups including Sodinokibi, Maze/Sehhmet/Egregor, Netwalker and Mespinoza have leaked data following company payments, or demanded a second payment from companies even after they complied with the initial demand.

Other key findings include:

  • Close to 50% of ransomware attacks included the threat to publicly release the exfiltrated data. This is an evolution in tactics from earlier forms of ransomware, in which attackers would encrypt data and demand payment to provide the decryption key.
  • The average ransomware payment increased by 31% in 3Q20 from 2Q20 as attackers are going after larger companies than before, as they have learned that big companies are just as vulnerable as medium sized companies, and their tactics do not need to be adjusted very much depending on the target’s size.
  • Remote Desktop Protocol (RDP) compromise continues to account for the majority of attack vectors for companies with fewer than 25,000 employees, while email phishing accounts for most of the breaches of companies with more than 25,000 employees.
  • Software vulnerabilities account for less than 10% of attack vectors.
  • The average ransomware attack in 3Q20 resulted in 19 days of downtime for the victim company, up 19% from 2Q20



These findings suggest that C-Suites that think they can pay their way out of a breach and prevent it from becoming public should re-think that assumption. This provides further justification to invest in cyber in a way that lowers the probability of such a breach in the first place.

The increase in average downtime following a ransomware attack is one reason attacks are becoming more costly and is a product of the increased digitization of operations. Downtime inflicts enormous financial damage to companies many multiples higher than ransomware headline costs—such as the direct cost of any ransom paid and software/hardware repairs—indicate.

The attack vector data also reinforces Cyberhedge findings that most companies can most improve their cyber security, and most reduce their risk of a breach, by following simple but effective approaches. Regular training of all staff in cyber hygiene to reduce the probability of a successful email breach, and regular patching cadences to keep software up to date can reduce the likelihood of a breach. Just like other businesses, cyber criminals engage in risk/reward calculations and try to maximize their financial return with the least amount of effort. They experience much greater success attacking well known vulnerabilities than they do trying to find zero-day exploits to attack. Enterprises that do a poor job managing their security stacks offer a much softer target for attackers to exploit. This explains some of the material and consistent difference in performance between companies that are highly ranked in cyber governance vs those that are poorly ranked.

We use cookies to make our website more user-friendly and effective

The Cyberhedge Indices Cookie Policy

What are the Cyberhedge Cyber Governance Indices?

These first ever benchmarks prove good cyber governance matters to shareholder value. They measure stock market performance of companies with good and with bad cyber governance scores. Scores are based on Cyberhedge’s proprietary cyber governance rating methodology. Market performance is tracked by an independent firm. The results show that companies with good cyber governance outperform their peers in US, UK, and EU markets.

Information that we collect

Here you can see and customize the information that we collect about you. To learn more, please read our privacy policy

Continue on website