Dark Web leaks led to higher ransomware payments in 2021

News Desk

Ransomware payments reached new records in 2021 as criminals increasingly turned to Dark Web “leak sites” to extort money from victims by threatening to release sensitive data, according to research published by Unit 42 by Palo Alto Networks.

According to The 2022 Unit 42 Ransomware Threat Report, the average ransom demand in cases worked by Unit 42 incident responders increased 144% in 2021 to $2.2 million, while the average payment increased 78% to $541,010. Professional and legal services, construction, wholesale and retail, healthcare, and manufacturing were the industries most affected.

“In 2021, ransomware attacks interfered with everyday activities that people all over the world take for granted – everything from buying groceries, purchasing gasoline for our cars to calling 911 in the event of an emergency and obtaining medical care,” said Jen Miller-Osborn, deputy director, Unit 42 Threat Intelligence.

The Conti ransomware group was the most active, accounting for more than one-fifth of all cases handled by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, came in second with 7.1%, followed by Hello Kitty and Phobos (4.8% each). Conti’s Dark Web leak site also contained the names of 511 organizations, the most of any group.

The report details how the cyber extortion ecosystem expanded in 2021, with the appearance of 35 new ransomware gangs. It demonstrates how criminal enterprises used windfall profits to develop simple tools for use in attacks that increasingly rely on zero-day vulnerabilities.

The number of victims whose data was posted on leak sites rose 85% in 2021, to 2,566 organizations, according to Unit 42’s analysis. Of those leak site victims, 60% were in the Americas, followed by 31% in Europe, the Middle East and Africa, and 9% in the Asia-Pacific region.

The 2022 Unit 42 Ransomware Threat Report, which can be downloaded from the Palo Alto Networks website, contains detailed commentary, analysis, and breakdowns of activity by region, industry, and ransomware groups. 

The report’s summary is available on the Unit 42 blog.