Ransomware demands and payments hit new records
Ransomware groups continue to intensify their operations as ransom demands and payments increase alongside use of “quadruple extortion” tactics during the first half of 2021
The average ransom paid by victim organisations has increased by 82% since 2020 to a record $570,000, as cyber criminals intensify their ransomware efforts with increasingly aggressive tactics, according to data from Palo Alto Networks Unit 42 security consulting group.
Unit 42 also found that the average ransom demand increased by 518% from the 2020 average of $847,000, to $5.3m, in the first half of 2021.
The group previously revealed in March 2021 that the average ransom paid nearly trebled between 2019 and 2020 – from $115,123 to $312,493 – and noted the increasing prevalence of “double extortion” tactics, whereby ransomware gangs, in addition to encrypting data, steal it and threaten to leak it as a shaming tactic.
While Unit 42’s March report flagged double extortion as an emerging practice during 2020, the latest observations show attackers once again doubling the number of extortion techniques they deploy.
“Ransomware operators now commonly use as many as four techniques for pressuring victims into paying,” wrote Unit 42 in a blog post, listing them as encryption, data theft, denial of service (DoS) and harassment.
“While it’s rare for one organisation to be the victim of all four techniques, this year we have increasingly seen ransomware gangs engage in additional approaches when victims don’t pay up after encryption and data theft.”
In its updated findings, released 9 August, Unit 42 added that the highest ransom demand its consultants had observed in 2021 so far was $50m, up from the $30m paid last year. However, in terms of actual ransom payments made, the largest confirmed in 2021 was the $11m in Bitcoin that Brazilian meat company JBS SA paid to cyber criminals after a massive attack in June that disrupted its US-based processing plants.
Although ransomware gang REvil offered to provide all organisations affected by its attack on Kaseya with a universal decryption key for $70m, Unit 42 said the asking price was quickly dropped to $50m and, despite Kaseya eventually obtaining one, it was still unclear whether any payment was actually made in this instance.
On July 26 Kaseya announced on its updates page that, following consultation with experts, it decided not to negotiate with its attackers, adding "we are confirming in no uncertain terms" the firm paid no ransom, either directly or indirectly via a third party, to obtain the decryptor.
When asked how exactly the decryptor key was obtained, Kaseya declined to comment.
“We expect the ransomware crisis will continue to gain momentum over the coming months, as cyber crime groups further hone tactics for coercing victims into paying and also develop new approaches for making attacks more disruptive,” said Unit 42.
“For example, we’ve started to see ransomware gangs encrypt a type of software known as a hypervisor, which can corrupt multiple virtual instances running on a single server. We expect to see increased targeting of hypervisors and other managed infrastructure software in the coming months.
“We also expect to see more targeting of managed service providers and their customers in the wake of the attack that leveraged Kaseya remote management software, which was used to distribute ransomware to clients of managed service providers (MSPs).”
It added that while Unit 42 expects ransoms to continue their upward trajectory, it does also expect some gangs to focus on the lower end of the market instead, where companies are much smaller and lack the resources to invest heavily in cyber security.
“So far this year, we have observed groups, including NetWalker, SunCrypt and Lockbit, demanding and taking in payments ranging from $10,000 to $50,000. While they may seem small compared to the largest ransoms we observed, payments that size can have a debilitating impact on a small organisation,” it said.
According to Check Point’s 2021 mid-year security report, 93% more ransomware attacks were carried out in the first half of 2021 than in the same period last year. It further noted a step up in the number of attacks targeting supply chains during 2021, including the high-profile attack on SolarWinds from December 2020, as well as the attacks on Codecov in April and, most recently, Kaseya in July.