Ransomware payments hit new records in 2021, finds study

The ransomware landscape will continue to evolve as threat actors leverage new techniques to halt business operations, finds Palo Alto Networks research

Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to Dark Web "leak sites" where they pressured victims to pay up by threatening to release sensitive data, according to research released today from Unit 42 by Palo Alto Networks, the global cybersecurity leader.

The average ransom demand in cases worked by Unit 42 incident responders rose 144% in 2021 to US$2.2mn, while the average payment climbed 78% to $541,010, according to The 2022 Unit 42 Ransomware Threat Report.

Ransomware attacks dominated the headlines around the world in 2021, and show no signs of slowing down. In fact, cybercriminals are doubling down by finding additional ways to extort victims in conjunction with ransomware. Double extortion first took off in 2020 with the rise of dark web leak sites that cybercriminals used to identify ransomware victims and threaten to leak sensitive corporate data. In 2021, ransomware gangs took these tactics to a new level, popularising multi-extortion techniques designed to heighten the cost and immediacy of the threat. 

The most affected industries were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.

Helping customers manage cyber risks

Palo Alto Networks, a global cybersecurity leader, provides visibility, trusted intelligence, automation, and flexibility that help complex organisations advance securely. Its mission is to be the cybersecurity partner of choice, protecting our digital way of life. 

Unit 42 brings together threat researchers with a team of incident responders and security consultants to create an intelligence-driven, response-ready organisation passionate about helping customers more proactively manage cyber risk. Unit 42 has expanded its scope to provide ‘state-of-the-art’ incident response and cyber risk management services.

Attackers are increasingly using anonymised services, which makes it more difficult for security researchers and law enforcement to track activities and identify indicators of compromise (IoCs) that can be used for network defences. 

Ransomware groups dominating the headlines

Recent headlines have been dominated by ransomware gangs such as Conti and REvil. These groups actively recruit affiliates (cybercriminals) to carry out their attacks. The Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 of the cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each). Conti also posted the names of 511 organisations on its Dark Web leak site, the most of any group.

The report describes how the cyber extortion ecosystem grew in 2021, with the emergence of 35 new ransomware gangs. It documents how criminal enterprises invested windfall profits into creating easy-to-use tools in attacks that increasingly leverage zero-day vulnerabilities.

The number of victims whose data was posted on leak sites rose 85% in 2021, to 2,566 organisations, according to Unit 42's analysis. 60% of leak site victims were in the Americas, followed by 31% for Europe, the Middle East and Africa, and then 9% in the Asia-Pacific region.

As these ransomware gangs and ransomware-as-a-service (RaaS) operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organisations of all sizes in 2022. As a result, ransomware has become one of the top threats in cybersecurity and a focus area for Palo Alto Networks. 

