zephyr_p - stock.adobe.com

Ransomware demands and payments increase with use of leak sites

Ransomware demands and payments continue to climb as gangs increasingly turn to Dark Web leak sites to add pressure on victims

Ransomware demands and payments hit record highs in 2021, as ransomware gangs proliferate alongside Dark Web “leak sites” to pressure victims, finds Palo Alto Network’s Unit 42.

By looking at the cases handled by Unit 42 responders and analysing posts on leak sites (where ransomware operators provide snippets of stolen information as part of multi-extrusion techniques), the 2022 Unit 42 ransomware threat report found the average ransomware demand rose 144% in 2021 to $2.2m, while the average payment climbed 78% to $541,010 in the same time.

It also found that the most affected industries, in the UK at least, were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.

The number of victims whose data was posted on leak sites also rose 85% in 2021 to 2,566 organisations, with 60% of leak site victims being in the Americas, followed by 31% for Europe, the Middle East and Africa, and 9% in the Asia-Pacific region.

“Cyber criminals are doubling down by finding additional ways to extort victims in conjunction with ransomware,” said Ryan Olsen, vice-president of threat intelligence at Unit 42, in the foreword of the report. “Double extortion first took off in 2020, with the rise of dark web leak sites that cyber criminals used to identify ransomware victims and threaten to leak sensitive corporate data.

“In 2021, ransomware gangs took these tactics to a new level, popularising multi-extortion techniques designed to heighten the cost and immediacy of the threat.”

A previous Unit 42 report from May 2021 found the average amount paid out by ransomware victims had grown almost threefold to more than $300,000 per incident.

Conti ransomware gang

In terms of threat actors involved, the new report added that the Conti ransomware gang was responsible for most of the activity,  accounting for more than one in five cases worked by Unit 42 consultants throughout 2021. REvil, also known as Sodinokibi, was second (7.1%), followed by Hello Kitty and Phobos (at 4.8% each).

Unit 42 also noted that the cyber extortion ecosystem generally expanded with the emergence of 35 new ransomware gangs in 2021, including Black Matter, Hive and Grief.

“We also started to see ransomware groups apply triple extortion techniques,” the report said. “Suncrypt, originally seen in October 2019, was one of the first, along with BlackCat, to apply these triple extortion tactics.

“This means that, along with data encryption and theft, the gang and its affiliates further extort their victims by threatening to launch a DDoS attack on the organisation’s infrastructure or network should ransom demand negotiations fail. If negotiations don’t go well, not only do they leak victim data, they initiate the DDoS attacks to render their victims inoperable, with the hope that the victim will contact them to restart negotiations.”

In February 2022, the UK’s National Cyber Security Centre (NCSC) said ransomware attacks conducted over the past 12 months were hitting new levels of sophistication, with cyber criminal gangs turning to increasingly professional-style tactics and targeting more impactful victims; trends which are likely to continue.

Read more about ransomware

In August 2021, Check Point’s mid-year security report also noted there had been a surge in ransomware attacks throughout the first half of the year, after witnessing a 93% increase.

The firm said the uptick was fuelled by the rise of triple extortion techniques, whereby attackers, in addition to stealing sensitive data from organisations and threatening to release it publicly unless a payment is made, are also targeting the organisation’s customers, suppliers or business partners in the same way.

According to Barnaby Mote, managing director of specialist business continuity and IT disaster recovery firm Databarracks, there is a “worrying disconnect” between board directors and cyber security leaders over the threat of ransomware.

Mote noted that a recent report by Egress found only 23% of company boards see ransomware as their top security priority (despite 59% of businesses being hit by ransomware attacks), while a separate study by the World Economic Forum (WEF) found that some 80% of cyber security leaders saw ransomware as a dangerous and evolving threat to public safety.

“There remains a clear gap between how cyber experts and company directors view the threat, despite ransomware’s prevalence,” he said. “If corporate leaders don’t increase focus on the problem, it’s an open goal for cyber criminals.

“The report also found 61% of CISOs affected by ransomware refused to pay the ransom, and 80% who hadn’t been impacted said they would refuse. This highlights the need for pre-prepared response to ransomware attacks, as it is a much more complex process than simply refusing to pay.”

He added that having a “watertight backup strategy in place” can help organisations confidently refuse a ransomware demand, but that this strategy needs buy-in from the top: “Board directors must listen closely to their cyber colleagues and realise the days of ransomware being a secondary threat are over.”

Business impacts

Unit 42 also said in its report that as the ransomware threat landscape evolves, security teams and executive stakeholders should be better informed about the nature of attacks and their business impacts.

“This means educating your key C-level stakeholders and the board by speaking the language of the business and leveraging threat briefings to strategically inform your risk profile and security strategy,” it said, adding that implementing a zero-trust approach was also key.

“You must also educate your technical security team on the latest ransomware threats, including attack vectors, TTPs, ransom demands, and top safeguards to prevent attacks.

“The Zero Trust Model has become increasingly top of mind for executives who need to keep up with digital transformation and adapt to the ever-changing security landscape. Many organisations still struggle with a poorly integrated, loose assembly of point products that do not align with the strategic approach expected by board members and C-level executives.

“Deployed properly, zero trust simplifies and unifies risk management by making security one use case across users, device, source of connection or access method.”

Read more on Business continuity planning

Data Center
Data Management