Good business for extortionists: Ransomware attacks dominated global headlines in 2021, and they show no signs of slowing down. Ransomware payments hit new records in 2021 as cybercriminals increasingly turned to dark web leak sites. By threatening to release sensitive data, they pressure their victims into paying. This is what Palo Alto Networks’ Unit 42 reports in the 2022 Unit 42 Ransomware Threat Report, released today.
In fact, cybercriminals have found additional ways to extort ransomware victims. Double extortion first became fashionable in 2020 with the emergence of dark web leak sites, which cybercriminals use to identify ransomware victims and threaten to leak sensitive company data. In 2021, ransomware gangs took these tactics to a new level, using multi-extortion techniques that increase the cost and immediacy of the threat. Palo Alto, for example, has seen gangs make threatening phone calls to employees and customers and launch denial-of-service (DoS) attacks to take down a victim’s website in order to incentivize payments.
Ransomware-as-a-Service (RaaS) operators are on the rise. RaaS operators offer a wide range of easy-to-use tools and services that make launching ransomware attacks almost as easy as using an online auction site. These operators have invested in recent years to streamline their business: perfecting their malware, developing marketing strategies to recruit more affiliates, and even setting up tech support to help victims get back online once they have paid the ransom.
The average ransom demand for cases handled by Unit 42, Palo Alto Networks’ IT security analysts, rose 144 percent in 2021 to $2.2 million. The average payment increased 78 percent to $541,010 over the same period.
“In 2021, ransomware attacks disrupted everyday activities that people around the world take for granted — from grocery shopping and fueling their cars to calling 911 and getting medical attention,” said Jen Miller-Osborn, Deputy Director of Unit 42 Threat Intelligence.
Ransomware group Conti was responsible for most of the activity, accounting for more than one in five cases Unit 42 analysts dealt with in 2021. REvil (aka Sodinokibi) was second at 7.1 percent, followed by Hello Kitty and Phobos (4.8 percent each). Conti has also published the names of 511 companies on its dark web leak site, more than any other group.
The report details how the cyber extortion ecosystem grew in 2021 with the emergence of 36 new ransomware gangs. It documents how criminal groups invested windfall profits into developing tools that are easier to use in attacks that increasingly exploit zero-day vulnerabilities.
The number of victims whose data was published on leak sites increased by 85 percent to 2,566 companies in 2021, according to analysis by Unit 42. About 60 percent of leak-site victims were located in the Americas, followed by 31 percent in Europe, the Middle East and Africa, and 9 percent in the Asia-Pacific region. The vertical industries most affected were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing. Companies in the USA are most frequently affected, with 49 percent of all attacks, but four percent of attacks also take place in Germany.