zephyr_p - stock.adobe.com
The average ransom paid by victim organisations in Europe, the US and Canada has almost trebled from $115,123 (€96,666/£82,788) in 2019 to $312,493 in 2020, and with the spread of double extortion tactics this number is continuing to grow, according to statistics gathered by threat researchers at Palo Alto Networks’s Unit 42.
In the Ransomware threat report 2021 study, Unit 42 drew both on its own data and that gathered through Palo Alto’s incident response unit Crypsis to analyse the ransomware threat landscape and reveal how extortion through ransomware has become a highly lucrative business.
Besides the headline data, the researchers reported that the highest value ransom paid doubled over the same period, from $5m to $10m, while the highest extortion demand grew from $15m to $30m.
Among the greediest groups operating in the past year was the now defunct Maze operation, which made demands averaging $4.8m compared to an average of $847,344 across the board. The operators of NetWalker, Ryuk and WastedLocker also tended to demand multimillion dollar pay-offs, almost always to be made in the bitcoin or Monero cryptocurrencies.
“Organisations around the world are being held hostage by ransomware, and many are being forced to pay cyber criminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom,” said John Davis, Palo Alto’s vice-president of public sector, in the report’s preamble.
The costs incurred through a ransomware attack do not, of course, merely hit those that unwisely choose to pay, but also those that resist, in terms of engaging forensic cyber security services for remediation and recovery.
The average cost of forensic engagement in 2020 was $73,851, up around $10,000 on the previous year, with smaller and midsize businesses paying an average of $40,719 to recover, while enterprise costs averaged $207,875.
The report highlighted other noteworthy trends in the past 12 months of ransomware attacks, predictably centring on the victimisation of healthcare organisations and those involved in vaccine research and development during the Covid-19 pandemic, and the much remarked upon rise of the double extortion attack, where ransomware gangs steal and threaten to leak data in addition to encrypting it, as a shaming tactic.
The growth in ransomware-as-a-service (RaaS) models was also a key moment in the pasty 12 months, with subscription-based ransomwares proving easy to execute, effective, and very profitable – as well as shifting some of the potential legal risk away from the actual operators and onto the affiliates.
It also highlighted a shift in approach among ransomware gangs, moving away from high volume “spray-and-pray” models to more focused “stay-and-play” modes of attack, where victims are thoroughly researched in advance, and their networks compromised often weeks or even months in advance.
“We need to significantly reduce this criminal enterprise, which is why I’m proud that Palo Alto Networks is a member of the Institute for Security and Technology’s Ransomware Task Force (RTF), in which I serve as a co-chair,” wrote Davis.
“The RTF is focused on developing a suite of recommendations for a comprehensive strategy to mitigate the ransomware threat. To develop a set of solutions that will attack all sides of the ransomware scourge, the RTF has recruited a large and diverse set of experts who are currently investigating a broad array of avenues for recommendations – acknowledging all of the good work that has already been done in this space.”
This group is exploring questions including: how to better prepare organisations for a ransomware attack; how to understand and respond to one; the barriers stopping organisations from adopting defence measures; how to make it harder for ransomware gangs to carry out attacks; how to make attack outcomes less destructive; and how to create solutions tailored to the unique needs of different victims.
Davis said the task force hoped to provide clear and actionable recommendations during the coming months.
Read more about ransomware
- As predicted, ransomware gangs have started to target vulnerable instances of Microsoft Exchange Server, making patching an even greater priority.
- Authorities confirm that they have arrested an undisclosed number of cyber criminals associated with the Egregor ransomware.
- Intelligence gathered through McAfee’s Mvision service reveals more insight into the emerging Babuk ransomware.