Cybersecurity firm Crypsis Group has published findings showing massive growth in the sums of cryptocurrency demanded by ransomware attackers from 2018 to 2019. Due to their largely untraceable natures, cryptocurrencies tend to be a favorite method of payment among ransomware attackers.

The Most Diverse Audience to Date at FMLS 2020 – Where Finance Meets Innovation

Indeed, according to the company’s 2020 Incident Response and Data Breach Report, amounts have grown to the tune of roughly 200%–in 2019, the average ransomware demand was an eye-popping $115,123. If the trend from 2018 to 2019 continues, the average demand in 2020 could be as much as $230,000.

Surpass your #cybersecurity goals and show #cyberthreats the door! Download our 2020 #IncidentResponse and #DataBreach Report to get detailed intel on threats, organizational gaps, and Crypsis Pro Tips for 2020. https://t.co/mZiGulzY11 pic.twitter.com/dWnQq7m6nE

— The Crypsis Group (@CrypsisGroup) June 5, 2020

A shift toward larger victims with “deeper pockets”

Crypsis says that one of the reasons that the sum has risen so much is that ransomware attackers are shifting their focus towards larger entities.

Instead of targeting individuals for pithy sums of a few thousand dollars apiece, ransomware attackers are increasingly focused on larger prey: more and more of their victims are enterprises.

Indeed, “since 2018, threat actors have evolved from deploying mass-distributed phishing campaigns with lower ransom demands to highly-targeted, well-researched attacks on larger enterprises with deeper pockets,” Crypsis’ report explained.

Specifically, Crypsis found that the Healthcare sector was “the most affected” by ransomware attacks–22% of Crypsis’ 2019 ransomware matters had to do with healthcare companies; the manufacturing sector came in second, with 13%.

As security measures have improved, attackers’ tactics have gotten more severe

The 200% increase in ransom demands by ransomware providers could be representative of the fact that fewer victims are willing to pay up now than in the past—in other words, since fewer victims are willing to pay attackers, attackers have increased their fees, hoping to net a larger gain when a victim does actually pay up.

Additionally, as enterprises have continued to bolster their security measures, ransomware attackers have upped the anti: “more incidents have included the deletion or disablement of backups, as well as the threat of releasing sensitive data publicly,” Crypsis reported. “The threat actor group known for deploying ‘The Maze’ ransomware is leading the way in extortionate tactics, but others are getting into the game.”

Crypsis said that this change in tactics could “represent a tactical shift in response to stronger enterprise security defenses and an associated reduction in organizations’ willingness to pay.”

Ransomware attackers are also exploring other tactics, including the exploitation of the desperation of victims of other ransomware: per Bleeping Computer and Michael Gillespie, Finance Magnates recently reported that ‘Zorab’, a new kind of ransomware, poses as a decryption tool for victims of ransomware encryption attacks, leaving victims with doubly-encrypted files.

“We absolutely do not care about you and your deals, except getting benefits,” a ransom note from the creators of the ransomware reads.