By Aaron Riley, Cofense Intelligence

Cofense IntelligenceTM assesses that enterprise-targeted ransomware campaigns will most likely increase in 2020, based on attack and ransom payment trends over the last six months. In the latter half of 2019, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach.

Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at their insurer’s recommendation, often with the insurance companies covering a good deal of the cost. With enterprise ransomware campaigns becoming more lucrative for the operators, Cofense Intelligence predicts a surge this year.

In the second half of 2019, ransomware campaigns targeted different types of organizations, including schools, governments, and hospitals. Most of the victims offer public services that were disrupted or severely damaged. The Flagstaff Arizona school district suffered a ransomware attack that reportedly closed the entire school district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000—the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 targeted the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom than to deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

We are now seeing ransomware campaigns that include data breaches and exfiltration. Last year, a number of victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also ensued. Maze operators exfiltrated data in the course of their attack and released stolen documents, further extorting their victims to pay up and threatening that failure to do so would mean the release of more sensitive information. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment. The Maze ransomware operators allegedly exfiltrated around 120GB of data from Southwire during another ransomware attack.

The United States federal government advises organizations not to pay a ransom, as it only encourages further attacks and there is no guarantee the captured resources will be returned in their original form. However, victims are increasingly paying the ransom, as can be seen in the latter half of 2019. These payments are typically made with a type of cryptocurrency chosen by the ransomware operators. Jackson County, Georgia paid $400,000 after a Ryuk ransomware attack majorly disrupted workflow to all county agencies, including the 911 dispatch center. Jackson County did not have cybersecurity insurance and had to pay the ransom outright, which means the citizens of the county had to subsidize the payment.

Cybersecurity insurance firms are increasingly encouraging their customers to pay the ransom, instead of rebuilding or outright losing resources that are encrypted. Ryuk ransomware impacted Lake City, Florida in late June 2019, during which authorities found that restoring the systems would exceed a million dollars compared to the $700,000 ransom. The Lake City authorities then negotiated through a third-party to pay the attackers $460,000, of which the city’s cybersecurity insurance firm reportedly funded $450,000. In this scenario, Lake City authorities were able to pay $10,000 and have their systems back up within two weeks. This proves, yet again, that targeted enterprise ransomware attacks are increasingly profitable.

With their profits rising, ransomware operators will likely increase their campaign volume in 2020. The success of ransomware campaigns may encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture. With the End of Life of Microsoft’s Windows 7, organizations that are slow in their transition to supported operating systems become more susceptible to such attacks.

We expect other trends to follow in line with our ransomware predictions for 2020. More cybersecurity firms might be utilized as a third-party negotiator for payments. Stolen data can be used in different ways—not just taken hostage—to leverage more money from the victims, especially if unsavory information is exfiltrated. More and more enterprise organizations are expected to include cybersecurity insurance within their yearly budgets. In short, it appears more companies are making business decisions that demonstrate an understanding of the likelihood of ransomware attacks. While it is good to be prepared, feeding the beast of ransomware will fuel cybercriminals looking to make big bucks.



Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.