Ransomware demands and payments reach new highs

0 Comments

As cybercriminals have become more aggressive, the average ransom payment in the first half of 2021 jumped to $570,000, up 82% from 2020, says Palo Alto Networks’ Unit 42.

Ransomware concept

Image: Rzt_Moster/Shutterstock

Ransomware has evolved into one of the most destructive and damaging forms of cyberattack, resulting in huge financial losses for victimized organizations. And as cybercriminals have gotten bolder and greedier, their ransom demands have skyrocketed. A report released Monday by Palo Alto Networks’ threat intelligence team, Unit 42, looks at how and why ransomware prices have soared over the past year.

SEE: Ransomware attack: Why a small business paid the $150,000 ransom (TechRepublic)

More about cybersecurity

Ransomware prices

There’s typically a difference between ransom demands and actual payments. A cybercriminal or gang may start off by demanding an exorbitant amount of money from a victim but eventually settle for less following negotiations and other factors.

Looking at the initial ransom demands handled by Unit 42 in the first half of 2021, the average was $5.3 million, a jump of 518% from the 2020 average of $847,000. The highest demand seen over the same period of time was $50 million, up from $30 million last year.

The average actual ransom payment reviewed by Unit 42 in the first half of this year reached a record $570,000, an increase of 82% from last year. This jump came on top of a 171% surge to $312,000 in 2020 compared with 2019.

The numbers have been even higher among some prominent ransomware cases that have recently hit the news.

Following an attack against IT enterprise firm Kaseya, ransomware group REvil said it wanted $70 million worth of bitcoin in exchange for a universal decryptor that would allow all affected companies to recover their files. The group quickly lowered its asking price to $50 million. Kaseya did ultimately obtain a decryption key but said that it came from a trusted source.

The largest confirmed payment so far this year was the $11 million that meat processing company JBS Foods shelled out after an attack by REvil. This beat the largest payment of $10 million seen by Unit 42 last year.

Why prices are rising

Why have ransom demands and payments gotten higher? One trigger cited by Unit 42 is the quadruple extortion tactic. Criminals now typically use as many as four different techniques to squeeze victims into paying the ransom.

  1. Encryption. In this stage, victimized organizations pay the attackers to decrypt the encrypted data from their compromised computer systems.
  2. Release of data. In this stage, the attackers vow to publicly release the sensitive data unless the ransom is paid. As such, the organization is forced to pay the ransom even if it has backups of the encrypted files.
  3. Denial of service attacks. In this scenario, the criminals launch denial of service attacks to shut down a victim’s public websites until the ransom is paid.
  4. Harassment. And in this stage, the attackers contact customers, business partners, employees and news media to alert them to the attack, thus embarrassing the victim.

Though ransomware gangs may not necessarily employ all four tactics in one attack, they will certainly turn to more than one, such as encryption and the release of data or encryption and denial of service attacks. The objective is to put as much pressure on the victimized organization so that they have little choice but to pay up.

Looking into its crystal ball, Unit 42 expects ransomware attacks to continue to gain momentum as criminals add other tactics to the mix.

In one example, ransomware gangs have started to encrypt hypervisor software, which runs multiple virtual machines on one server. This approach allows them to corrupt more than one system in a single attack, a method expected to gain more traction.

In another example, criminals are likely to stage more attacks against managed service providers and their customers, such as the one against Kaseya that affected more than 1,000 companies along Kaseya’s supply chain.

Though ransom demands and payments will continue to rise, some gangs will still focus on the lower end of the market, according to Unit 42. Here, the attackers specifically target smaller businesses that may lack the resources to invest in strong cybersecurity. Such criminal groups as NetWalker, SunCrypt and Lockbit have snagged ransom payments from $10,000 to $50,000. That may sound minuscule compared with the money raked in by REvil, but such amounts can easily impact a small company.

Recommendations

With payment demands surging higher and cybercriminals becoming more aggressive, how can organizations better protect themselves against ransomware attacks?

“Keeping your organization safe from falling victim to a ransomware attack requires a fundamental shift away from detection and remediation toward preparation and prevention,” John Martineau, principal consultant for Unit 42, told TechRepublic. “This means reducing the attack surface, such as closing the remote desktop protocol (RDP) to the internet and instead using a virtual private network (VPN) with multi-factor authentication (MFA) enabled, preventing known threats, and identifying and preventing unknown threats through security technologies like XDR.” 

Detection of threats is important, according to Martineau. But it won’t prevent a ransomware attack, especially one in which your data is at risk of being leaked publicly. Organizations should be ready to identify and block every step of an attack from delivery to hard-to-detect lateral movement. This strategy requires detailed contingency plans and exercises so that everyone knows what to do if your data is compromised.

But if a ransomware attack does hit your organization, what steps should you take?

“If you’re the victim of a ransomware attack, don’t panic,” Martineau said. “Task delegation and teamwork are critical in the first 12 to 24 hours and beyond post-attack. Keep a checklist and the person responsible for the assigned task. Check if you have viable backups. If you do, restore from your latest backup after preserving the data in the case where an investigation of the incident is warranted. Finally, contact your cyber insurance representative if applicable.”

Also see