Ransomware Demands, Payments Rising Quickly, Palo Alto Says

In 2017, the WannaCry and NotPetya attacks put cybersecurity professionals and the world at large on notice that ransomware was a formidable threat that would have to be dealt with in the coming years.

Ransomware wasn’t new, but the two variants were an escalation that hit hundreds of thousands of systems around the globe and caused almost $6 billion in damage. They also indicated that the malware was evolving, increasing the danger it posed.

Four years later, the threat is still significant and the expanding numbers of cyber-criminal gangs leveraging ransomware are continuing to evolve. In a report this month, Palo Alto Networks’ threat intelligence (Unit 42) and incident response (The Crypsis Group) teams found that not only are bad actors demanding increasingly higher ransoms, but they are ratcheting up the threats to their targets to force compliance with their demands.

The vendor’s 2021 Unit 42 Ransomware Threat Report found that in the United States, Canada and Europe, the average ransom paid by organizations jumped from $115,123 in 2019 to $312,493 last year, a 171 percent increase. The highest ransom paid doubled, from $5 million two years ago to $10 million in 2020.

Between 2015 and 2019, the highest ransom demand was $15 million, the researchers noted. In 2020, the highest demand was $30 million.

“Cybercriminals know they can make money with ransomware and are continuing to get bolder with their demands,” the researchers wrote.

Crime pays

Ransom demands from Maze, one of the more active ransomware gangs, averaged $4.8 million in 2020, compared with an average of $847,344 across all ransomware families.

The Palo Alto numbers – which came from global data from Unit 42 and figures from the United States, Canada and Europe from Crypsis – echo what Chainalysis said in its own report earlier this year. The blockchain analysis firm said that in 2020, the total amount paid by ransomware targets grew 311 percent year-over-year, totaling almost $350 million in cryptocurrency. (The company also noted that the real figure was likely higher given that not all ransoms paid are reported by the victims.)

Among the ransomware gangs, the ones getting the most in ransoms were Ryuk, Maze, DoppelPaymer, NetWalker and Conti. The Maze group announced on the dark web in November 2020 that it was shutting down. In addition, the NetWalker ransomware-as-a-service operation was disrupted in January when the U.S. Department of Justice announced it had charged a Canadian citizen for the attacks.


‘Double extortion’

NetWalker also was integral in another ongoing trend the Palo Alto researchers referenced: the rise of what they called “double extortion.” Traditionally, bad actors would encrypt a company’s data and demand a ransom before turning over the key for decrypting it. However, with double extortion, the ransomware operator not only encrypts the victim’s data but also steals it, threatening to release it on a leak site or a dark web domain if the ransom isn’t paid.

Between January 2020 and 2021, NetWalker leaked data from 113 target organizations; RagnarLocker was the second-most active, leaking data from 26 victims. There are at least 16 ransomware variants that threaten to expose or leak data and that number likely will grow, they said.

“Ransomware is no longer just about encrypting files but also stealing the data, making it a multifunctional weapon,” Joseph Carson, chief security scientist and advisory chief information security officer (CISO) for IT security firm Thycotic, told InternetNews. “If a company has a solid backup to restore systems, then the criminal gang can threaten to disclose damaging data that could directly impact the stock price, brand, employees and potential customers.”

Carson said that what’s happening with ransomware “is that cybercriminals continue to abuse privileged access, which enables them to steal sensitive data and deploy malicious ransomware. This means that organizations should prioritize privileged access as a top security measure to reduce the risks of ransomware and ensure strong access controls and encryption for sensitive data.”


Damage can be swift

“Ransomware remains one of the biggest threats,” said Brandon Hoffman, CISO for IT management company Netenrich. “This is due to the ease of deploying its own combination with the destructive power. Front-line vulnerabilities, such as Exchange being exploited, are always a top concern. The source code and supplier attacks are harder to keep track of and have long-term significant ramifications. Yet ransomware has the immediate power to take down an entire organization swiftly and potentially keep it that way for a significant amount of time.”

The relentless ransomware attacks have not let up so far in 2021. Reports began surfacing last week that Taiwanese PC maker Acer was the victim of an attack by the group REvil, which is demanding a record $50 million ransom. The ransomware group reportedly announced the attack on its data leak site and shared what appeared to be images as proof. Acer reportedly offered the attackers $10 million but as of earlier this week, they have said they will double the demand if it’s not paid by March 28.

In a statement to journalists, Acer officials said that the company “routinely monitors its IT systems, and most cyberattacks are well defended. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

They also declined to comment further, citing an “ongoing investigation.”

In addition, Sierra Wireless, an Internet of Things (IoT) solutions provider, said on March 20 it discovered a ransomware attack on its internal systems. In a statement, company officials said that once the attack was discovered, it implemented security measures that were in place and that Sierra Wireless and third-party security teams “have addressed the attack, and are currently working to bring Sierra Wireless’ internal IT systems back online.”

The company keeps a separation between its internal IT systems and its customer-facing products and services, and officials said the ransomware attack appears to have been limited to the internal systems. The attack forced Sierra Wireless to stop production at its manufacturing sites, but officials said normal operations would resume soon.

Government steps in

The U.S. government has in recent years weighed in on the expanding ransomware threat. In October 2020, the Treasury Department’s Office of Foreign Assets Control (OFAC) warned companies not to pay ransoms or facilitate the payment of ransom for a victimized organization, saying they could be sanctioned by the government.

OFAC noted the skyrocketing number of ransomware attacks during the COVID-19 pandemic and said that paying ransoms not only fails to guarantee that the target company will recover its data but also encourages further ransomware attacks.

More recently, on March 23 the FBI issued an alert to companies about the threat of ransomware, noting that attackers often get into a company’s internal IT systems via email phishing campaigns that encourage unwitting employees to click an ad or link that includes malicious code. The agency pointed to a number of steps companies can take to protect themselves: educating employees about identifying phishing lures, using multi-factor authentication, backing up data to an offline source, ensuring devices run the most up-to-date and patched operating systems and applications, and leveraging antivirus and anti-malware solutions.

For ransomware attackers, the focus is “about playing with the motivation to actually pay the demanded ransom, even if it’s higher than what it used to be,” Dirk Schrader, global vice president of security research at IT security and compliance software maker New Net Technologies, told InternetNews. “The evolution of those tactics will likely be about being more precise and better informed. The talk is of cyber resilience, so the need for an organization to protect its business processes and to be able to operate even if under attack, is certainly noticed by these cyber crooks. A company, should its core business process be affected by a ransomware attack, will be more likely to ‘pay’ to remain in operations and it is also likely that this company will accept a higher ransom.”

Companies need to monitor the security and integrity of their assets, Schrader said, adding that “being able to close potential attack vectors and prevent lateral movement of the malware will be key to strengthen their security posture.”

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, InternetNews, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.