By Ryan Olson, Vice President, Threat Intelligence (Unit 42), Palo Alto Networks
As we publish our 2022 Unit 42 Ransomware Threat Report, we’re once again reporting that payments hit new records as cybercriminals increasingly turned to dark web “leak sites” where they pressured victims to pay up by threatening to release sensitive data.
A year ago, Unit 42 released its 2021 Unit 42 Ransomware Threat Report, which documented how cybercriminals had used the windfall profits generated from cyber extortion to transform themselves into massive criminal enterprises, some with near-nation state cyber capabilities. We warned that cyber extortion had reached crisis levels due to the wild success of a criminal business model known as ransomware as a service (RaaS).
The average ransom demand in cases worked by Palo Alto Networks Unit 42 security consultants rose 144% in 2021 to $2.2 million, while the average payment climbed 78% to $541,010.
Figure 1. Average ransom demands compared to average ransom payments in 2020 and 2021, according to Unit 42 incident response data.
The Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each).
Figure 2. Top 14 most active ransomware variants in 2021 – according to Unit 42 incident response data.
For years, the main threat from ransomware has been that it would encrypt data on computers, making it impossible for organizations to use them to manage operations and retrieve critical information. That approach continued last year in some high-profile attacks that interfered with everyday activities that people all over the world take for granted – everything from buying groceries and purchasing gasoline for our cars to calling for emergency services and obtaining medical care.
But threat actors have evolved their techniques in recent years to include additional ways to coerce their victims into paying ransoms.
For example, in addition to holding data and access hostage, some ransomware groups engage in double extortion by using dark web leak sites to threaten to release sensitive information to the public. Some groups engage in further pressure tactics – they harass customers, bring down external websites or cause other harm.
That trend, known as multi-extortion, surged in 2021. The number of victims whose data was posted on those leak sites rose 85% in 2021 to 2,566 organizations, according to Unit 42’s analysis. 60% of leak site victims were in the Americas, followed by 31% for Europe, the Middle East and Africa, and then 9% in the Asia Pacific region. The most affected industries were Professional and Legal Services, Construction, Wholesale and Retail, Healthcare, and Manufacturing.
