Ransomware payments hit new records in 2021, finds study

The ransomware landscape will continue to evolve as threat actors leverage new techniques to halt business operations, finds Palo Alto Networks research

Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to Dark Web "leak sites" where they pressured victims to pay up by threatening to release sensitive data, according to research released today from Unit 42 by Palo Alto Networks, the global cybersecurity leader.

The average ransom demand in cases worked by Unit 42 incident responders rose 144% in 2021 to US$2.2mn, while the average payment climbed 78% to $541,010, according to The 2022 Unit 42 Ransomware Threat Report.

Ransomware attacks dominated the headlines around the world in 2021, and show no signs of slowing down. In fact, cybercriminals are doubling down by finding additional ways to extort victims in conjunction with ransomware. Double extortion first took off in 2020 with the rise of dark web leak sites that cybercriminals used to identify ransomware victims and threaten to leak sensitive corporate data. In 2021, ransomware gangs took these tactics to a new level, popularising multi-extortion techniques designed to heighten the cost and immediacy of the threat. 

The most affected industries were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.

Helping customers manage cyber risks

Palo Alto Networks, a global cybersecurity leader, provides visibility, trusted intelligence, automation, and flexibility that help complex organisations advance securely. Its mission is to be the cybersecurity partner of choice, protecting our digital way of life. 

Unit 42 brings together threat researchers with a team of incident responders and security consultants to create an intelligence-driven, response-ready organisation passionate about helping customers more proactively manage cyber risk. Unit 42 has expanded its scope to provide ‘state-of-the-art’ incident response and cyber risk management services.

Attackers are increasingly using anonymised services, which makes it more difficult for security researchers and law enforcement to track activities and identify indicators of compromise (IoCs) that can be used for network defences. 

Ransomware groups dominating the headlines

Recent headlines have been dominated by ransomware gangs such as Conti and REvil. These groups actively recruit affiliates (cybercriminals) to carry out their attacks. The Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 of the cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each). Conti also posted the names of 511 organisations on its Dark Web leak site, the most of any group.

The report describes how the cyber extortion ecosystem grew in 2021, with the emergence of 35 new ransomware gangs. It documents how criminal enterprises invested windfall profits into creating easy-to-use tools in attacks that increasingly leverage zero-day vulnerabilities.

The number of victims whose data was posted on leak sites rose 85% in 2021, to 2,566 organisations, according to Unit 42's analysis. 60% of leak site victims were in the Americas, followed by 31% for Europe, the Middle East and Africa, and then 9% in the Asia-Pacific region.

As these ransomware gangs and ransomware-as-a-service (RaaS) operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organisations of all sizes in 2022. As a result, ransomware has become one of the top threats in cybersecurity and a focus area for Palo Alto Networks. 
