Unit 42 (the Palo Alto Networks threat intelligence team) has released its 2021 Ransomware Threat Report. Drawing on Unit 42 and The Crypsis Group data, the findings reveal the top ransomware variants (with links to threat assessments for each variant), average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk.
According to John Davis, Retired US Army Major General and VP of Public Sector at Palo Alto Networks, “Before joining Palo Alto Networks, I served 35 years in the US military, with the last 10 of those years devoted to cyber-related assignments. During my tenure, I was able to see first-hand how ransomware was a major threat to national security—and we’re still seeing it today. Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom.”
According to the Unit 42 2021 Ransomware Threat Report:
Cybercriminals Are Making, and Demanding, More Money Than Ever
- The average ransom paid for by organisations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase.
- Additionally, the highest ransom paid by an organisation doubled from 2019 to 2020, from $5 million to $10 million.
- Cybercriminals are getting greedy. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million.
- Of note, Maze ransom demands in 2020 averaged $4.8 million, a significant increase compared to the average of $847,344 across all ransomware families in 2020. Cybercriminals know they can make money with ransomware and are continuing to get bolder with their demands.
Healthcare Organizations in the Crosshairs
The world changed with COVID-19, and ransomware operators took advantage of the pandemic to prey on organizations— particularly the healthcare sector, which was the most targeted vertical for ransomware in 2020. Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that healthcare organizations—which needed to continue operating to treat COVID-19 patients and help save lives—couldn't afford to have their systems locked out and would be more likely to pay a ransom.
- Ryuk ransomware stood out from the pack. In October 2020, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), warning healthcare organizations against Ryuk attacks.
The Rise of Double Extortion
A common ransomware attack consists of the ransomware operator encrypting data and forcing the victim to pay a ransom to unlock it. In a case of double extortion, ransomware operators encrypt and steal data to further coerce a victim into paying a ransom. If the victim doesn’t pay the ransom, the ransomware operators then leak the data on a leak site or dark web domain, with the majority of leak sites hosted on the dark web. These hosting locations are created and managed by the ransomware operators. At least 16 different ransomware variants are now threatening to expose data or utilizing leak sites, and more variants will likely continue this trend.
The ransomware family that leveraged this tactic the most was NetWalker. From January 2020 to January 2021, NetWalker leaked data from 113 victim organizations globally, far surpassing other ransomware families. RagnarLocker was second, leaking data from 26 victims globally. It’s worth noting that the US Department of Justice announced in January 2021 it had coordinated international law enforcement action to disrupt the NetWalker ransomware gang. The dark web domain managed by the NetWalker operators, which hosted leaked data, is no longer accessible.
- After the USA, Canada and Germany, the UK has the most ransomware victim organisations with data published on leak sites
About the research
To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyse the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis.