Skip links

Unit 42: Ransomware demands averaged $2.2m last year

The average ransom demand hit $2.2 million in 2021, a 144 percent rise from the year prior, according to Palo Alto Networks’ Unit 42 consultants, while the average ransom payment grew 78 percent to $541,010.

The research and consultancy outfit latest ransomware report, issued this week, pulls data from cases handled by Unit 42 along with analysis of ransomware gangs’ leak sites. 

These findings, combined with another ransomware report released this week from the US Senate Homeland Security and Governmental Affairs Committee, paints a disturbing picture of cyber criminals’ increasingly brazen tactics, and how difficult it is for organizations of all sizes to defend themselves.

And while almost no country or industry escaped unscathed in 2021, some regions and sectors were hit harder than others. Unit 42’s ransomware leak site analysis identified the Americas as home to most of the organizations that experienced an attack, some 60 percent, compared to 31 percent in Europe, the Middle East and Africa, and nine percent in the Asia-Pacific region.

The infosec team also found professional and legal services (1,100) and construction (600) firms names most frequently on leak sites.

“As these ransomware gangs and RaaS operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organizations of all sizes in 2022,” warned Ryan Olson, VP of threat intelligence for Unit 42, in a forward to his organization’s report.

But first, a look back on 2021. 

More multi-extortion to come

While double extortion became more common in 2020 — this is where cyber criminals not only encrypt files and demand victims pay a ransom to regain access to those documents, they also steal the data to publicly leak if the money isn’t paid — “ransomware gangs took these tactic to a new level” in 2021, according to the report. 

“For example, we’ve seen gangs make threatening phone calls to employees and customers and launch denial of service (DoS) attacks to shut down a victim’s website in an effort to incentivize payments,” Olson wrote.

In all, Unit 42 saw the names and proof of compromise for 2,566 victims posted to leak sites last year, representing an 85 percent spike from 2020. “Be prepared to see more multi-extortion attack tactics in 2022 and beyond,” the report warned.

Further analysis of leak sites revealed that Conti, with 511, bragged about the most breaches in 2021. LockBit 2.0 came in second place with 406. 

A new ransomware-as-a-service operations BlackCat, which other threat hunting teams have linked to the BlackMatter/DarkSide ransomware ring, began using “triple extortion attacks,” according to the report, first stealing an organization’s data, then deploying ransomware and threatening to leak the information, and then launching a DDoS attack if the ransom isn’t paid.

BlackCat is also notable for its “meteoric rise,” according to Unit 42. The security shop reported that just one month after appearing on the scene in November 2021, this criminal group already claimed the seventh-largest number of victims on their leak site. It targets primarily US companies, and lets its affiliates keep 80 percent to 90 percent of the ransom, with the remainder going to BlackCat.

According to Unit 42, BlackCat ransomware is also “one of the first, if not the first” to use the Rust programming language.

Conti, REvil most active criminal gangs

Meanwhile, Russia-based Conti displaced REvil as the most active gang in 2021, based on security incidents that Unit 42 responded to last year. Conti’s average ransom demand came in at $1.78m, and their top payment request was $3m. Since 2020, this cyber-crime ring has leaked data belonging to more than 600 organizations, according to the report.

Conti was also quick to exploit known vulns, like ProxyShell and Log4j, and use these as their initial vectors to carry out ransomware attacks. 

This use of zero-days is something that Unit 42 expects to see more of in 2022. “We believe threat actors are increasingly tracking high-profile vulnerabilities and exploiting them to gain an initial foothold in an organization,” the report authors wrote. “The timeframe from vulnerability to exploit is getting shorter — it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough.”

Another Russian cyber-crime ring, REvil, was the second most active gang in 2021, based on Unit 42 incident response data. The group’s initial demand averaged about $2.2m and its highest demand hit $5.4m — both increases from 2020. “The size of specific ransoms depended on the size of the organization and type of data stolen,” according to the report. “Further, when victims failed to meet deadlines for making payments via Bitcoin, the attackers often doubled the demand.”

A second report [PDF] released this week, this one from the US Senate Homeland Security and Governmental Affairs Committee, also documents REvil attacks on three American companies. And it found the federal government’s response to these incidents sorely lacking. The document doesn’t name the three companies, all of which reported the attacks to law enforcement, and instead refers to them as entities A, B, and C:

Entity A, which has a 200-person security team and spends about 10 percent of its overall IT budget on security, hired Microsoft’s incident response team after REvil demanded a $70 million ransom, which the report says it did not pay. It took about a week to kick REvil off its network. The company said it would have taken a lot longer to recover from the attack without its “vast resources and robust backups.” 

Keystone cops?

Additionally, “Entity A found the FBI to be unhelpful throughout the process,” according to the report. The firm asked the FBI for guidance, and says it didn’t receive any “helpful assistance.” 

As an example: the FBI hostage negotiator seemed to have little experience responding to ransomware attacks. Additionally, “Entity A indicated the FBI prioritized investigating those responsible for the attack over helping Entity A respond and secure its network — the top priority for Entity A.”

Entity A also said it wished it could have shared more information about REvil and the attack with other companies without being penalized under current laws.

The second company, a manufacturing firm the report calls Entity B, also did not pay the ransom and says it took about a month to assess the full scope of the breach and how much data REvil had stolen. This firm hired an incident response team, outside attorneys, and a ransom negotiator to help it recover. It also had cyber insurance, but notes that its “premiums rose substantially after the breach.”

While not as damning as entity A’s depiction of the FBI’s response, entity B “recalled there was no ‘here’s a playbook’ discussions with the FBI regarding how to best respond,” the report noted.

IT firm Entity C was the smallest of the three to experience a ransomware attack, and after contacting federal officials said it preferred to respond to the attack on its own. 

While this company found the agencies “helpful,” the report also noted that “Entity C found the federal government’s response teams were caught off guard by the idea that a group or entity would launch attacks like this on such a large scale in such a small time frame.”

The Senate committee recommends that companies take steps to make it more difficult and costly for ransomware gangs to breach their networks. This includes security basics like patching vulnerabilities, using multi-factor authentication, keeping device and software inventories, requiring employees use complex passwords, maintaining offline backups, and encrypting sensitive data.

And it also calls on the FBI and CISA to work more closely to share information and do more to help ransomware victims recover their data and mitigate damages. 

“The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act,” the committee’s ranking member, Sen. Rob Portman, R-Ohio, said in a statement. “This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government’s cyber defense and investigative capabilities.” ®