Ransomware Demands, Payments Hit New High in 2021
Ransomware payments hit new records in 2021 as cybercriminals increasingly pressured victims to pay up by threatening to release sensitive data online, according to new research from Unit 42 by Palo Alto Networks.
The average ransom demand in cases worked by the Unit 42 security consultants rose 144% in 2021 to $2.2 million. The average payment climbed 78%, to $541,010.
Ryan Olson is vice president of threat intelligence at Unit 42.
“Ransomware actors have focused a significant amount of energy on multi-extortion tactics over the past year,” he said. “Unit 42 has seen at least 35 new ransomware gangs threaten to expose data or utilize leak sites in 2021. In 2021, names and proof of compromise for 2,566 victims were publicly posted on ransomware leak sites, which marked an 85% increase compared to 2020.”
When an organization’s information is leaked, it creates a costly and time-intensive process for them, Olson said. It can also affect their reputation.
“This is why ransomware actors use this tactic – it increases the return on investment (ROI) and possibility that they might get paid,” he said. “These tactics pressure victims to pay the ransom fast, as well as make it so that offline backups aren’t enough for organizations. It used to be that if organizations had and tested offline backups, it was enough to recover from a ransomware attack. With multi-extortion, it makes those backups almost useless. We have seen numerous types of data leaked from organizations, including intellectual property, contracts, internal communications and more.”
The Conti ransomware group was responsible for the most activity, accounting for more than one in five cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos, at 4.8% each. Conti also posted the names of 511 organizations on its dark web leak site, the most of any group.
The number of victims whose data was posted on leak sites rose 85% in 2021 to 2,566 organizations, according to Unit 42’s analysis. Sixty percent of leak site victims were in the Americas, followed by 31% for EMEA and then 9% in the Asia-Pacific region.
The most affected industries were professional and legal services, construction, wholesale and retail, health care and manufacturing.
“We anticipate that 2022 will continue to see ransomware actors innovate and succeed while they seek new ways to extort victims and get paid,” Olson said. “We’ll continue to see – and have – efforts of multi-extortion pay off. We’ll see actors operate affiliate models with ransomware as a service, and we’ll likely see ransomware actors leverage zero days and reported common vulnerabilities and exposures (CVEs) to exploit and gain an initial foothold in an organization.”