Ransomware demands and payments increase with use of leak sites
Ransomware demands and payments reached record highs in 2021, as ransomware gangs proliferated alongside Dark Web “leak sites” used to pressure victims, according to Palo Alto Networks’ Unit 42.
By reviewing cases handled by Unit 42 responders and analyzing messages on leak sites (where ransomware operators post snippets of stolen information as part of multi-extortion techniques), the Unit 42 Ransomware Threat Report 2022 found that the average ransomware demand rose 144% in 2021 to $2.2 million, while the average payout jumped 78% to $541,010 over the same period.
It also found that the industries most affected, at least in the UK, were professional and legal services, construction, wholesale and retail trade, healthcare and manufacturing.
The number of victims whose data was posted on leak sites also increased by 85% in 2021, to 2,566 organizations, with 60% of leak site victims located in the Americas, followed by 31% in Europe, the Middle East and Africa, and 9% in the Asia-Pacific region.
“Cybercriminals are stepping up their efforts by finding additional ways to extort victims in conjunction with ransomware,” said Ryan Olson, vice president of threat intelligence at Unit 42, in the foreword to the report. “Double extortion first took off in 2020, with the rise of dark websites that cybercriminals used to identify ransomware victims and threaten to leak sensitive corporate data.
“In 2021, ransomware gangs have taken these tactics to a new level, popularizing multi-extortion techniques designed to increase the cost and immediacy of the threat.”
A previous Unit 42 report from May 2021 found that the average amount paid by ransomware victims nearly tripled to more than $300,000 per incident.
Conti ransomware gang
In terms of the threat actors involved, the new report added that the Conti ransomware gang was responsible for most of the activity, accounting for more than one in five cases worked by Unit 42 consultants throughout 2021. REvil, also known as Sodinokibi, was second (7.1%), followed by Hello Kitty and Phobos (at 4.8% each).
Unit 42 also noted that the cyber extortion ecosystem has generally expanded with the emergence of 35 new ransomware gangs in 2021, including Black Matter, Hive, and Grief.
“We also started to see ransomware groups applying triple extortion techniques,” the report said. “Suncrypt, originally seen in October 2019, was one of the first, along with BlackCat, to apply these triple extortion tactics.
“This means that in addition to encryption and data theft, the gang and its affiliates further extort their victims by threatening to launch a DDoS attack on the organization’s infrastructure or network if settlement negotiations fail. If the negotiations don’t go well, they not only leak victims’ data, but they launch DDoS attacks to render their victims inoperable, in the hope that the victim will contact them to restart the negotiations.”
In February 2022, the UK’s National Cyber Security Centre (NCSC) said ransomware attacks over the past 12 months had reached new levels of sophistication, with cybercriminal gangs turning to increasingly professional tactics and targeting more impactful victims, trends it said were likely to continue.
In August 2021, Check Point’s Mid-Year Security Report also noted an increase in ransomware attacks in the first half of the year, recording a 93% rise.
The company said the rise was fueled by the rise of triple extortion techniques, whereby attackers, in addition to stealing sensitive data from organizations and threatening to make it public unless payment is made, also target customers, suppliers or business partners of the organization in the same way.
According to Barnaby Mote, managing director of business continuity and IT disaster recovery firm Databarracks, there is a “worrying disconnect” between administrators and cybersecurity managers in the face of the threat of ransomware.
Mote noted that a recent report by Egress found that only 23% of company boards consider ransomware their top security priority (despite 59% of companies having been hit by ransomware attacks), while a separate study by the World Economic Forum (WEF) found that some 80% of cybersecurity leaders view ransomware as a dangerous and evolving threat to public safety.
“There remains a clear gap between how cyber experts and business leaders perceive the threat, despite the prevalence of ransomware,” he said. “If business leaders don’t focus more on the problem, it’s an open target for cybercriminals.
“The report also revealed that 61% of CISOs affected by ransomware refused to pay the ransom, and 80% who were not affected said they would refuse. This highlights the need for a pre-prepared response to ransomware attacks, as it is a much more involved process than simply refusing to pay.”
He added that having a “watertight backup strategy” in place can help organizations confidently deny a ransomware request, but that strategy requires buy-in from the top: “Administrators need to listen carefully to their cyber colleagues and realize the days when ransomware was a secondary threat are over.”
Unit 42 also said in its report that as the ransomware threat landscape evolves, security teams and management stakeholders should be better informed about the nature of attacks and their business impacts.
“That means educating your key C-level stakeholders and board of directors by speaking the language of the business and leveraging threat briefings to strategically inform your risk profile and security strategy,” it said, adding that implementing a zero-trust approach was also essential.
“You should also educate your technical security team on the latest ransomware threats, including attack vectors, TTPs, ransom demands, and best protections to prevent attacks.
“The Zero Trust model has increasingly become a priority for leaders who need to keep pace with digital transformation and adapt to the ever-changing security landscape. Many organizations are still struggling with a loose, poorly integrated collection of ad hoc products that do not align with the strategic approach expected by board members and senior executives.
“Deployed correctly, zero trust simplifies and unifies risk management by making security a use case for users, devices, sign-in source, or access method.”