Ransomware gangs aimed to bilk business victims of even more money in 2020, causing the average ransom paid by companies to jump 171% to more than $312,000.
A new report from Palo Alto Networks -- which uses data from ransomware investigations, data-leak sites, and the Dark Web — found 337 victims in 56 industries, with manufacturing, healthcare, and construction companies suffering 39% of ransomware attacks in 2020. In addition, ransom demands skyrocketed during the year, doubling both the highest ransom demand — to $30 million—and the highest-known paid ransom, $10 million. The average victim paid more than $312,000, almost a third of the average demand.
The ransoms will likely continue to rise this year, because the ransomware groups are innovating to stay ahead of defenders, says Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks' Unit 42 threat research group.
"The attackers will continue to evolve, and figure out new ways to make money," she says, adding that "it is a totally different [threat] landscape, especially in the last year or so, where we have seen the amount of ransoms double."
Other research has documented similar surges in ransomware payments. In January, blockchain analysis company Chainalysis found that ransoms paid using cryptocurrency surged 311% in 2020 and approached a grand total of $350 million. However, by the end of the year, ransomware payments had begun to decline, seemingly due to a lack of confidence on the part of the victims that attackers would help them recover their data and delete any stolen copies, according to research by Coveware.
The Palo Alto report combines two sources of the threat intelligence: 252 incidents investigated by the company's data-breach response service over the past two years, and a survey of public leak sites and the Dark Web.
Almost two thirds of the incident response cases investigated by the company came in one of four industries in 2020: healthcare, manufacturing, information technology, or construction. The number of information technology investigations surged to 34, from 20 in 2019, possibly because of the pandemic, the company said in the report.
"As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus," the company stated.
Attackers will continue to improve their techniques in 2020 as they seek to stay ahead of defenders. In 2020, security researchers saw widespread adoption of the "double extortion" attack, where ransomware groups steal data and then encrypt systems before posting a ransom note. If the victim decided to recover from backups, then the attacker would publicly release the stolen data, publishing the victim's secrets on the Internet.
This type of advanced is a direct reaction to improved defenses, says Miller-Osborn.
"More organizations had gone to the point with their backups where, if they were impacted by ransomware, they could just tell the bad guys to go pound sand," she says. "To get around that, groups started pre-encrypting the data and exfiltrating it, so they had a secondary threat."
Among the hundreds of victims whose data was posted by ransomware gangs on data-leak sites, the top-5 industries were manufacturing, legal services, construction, high-technology, and retail, which accounted for 179 breaches, more than 70% of those identified. While the average ransom demand almost reached $847,000, companies typically paid much less, about $312,000, according to the report.
Cleaning up ransomware is not cheap with the average cost of a forensic engagement exceeding $73,000 for enterprises and topping $40,000 for small and medium businesses.
Same Story, Different Chapter
The report is not the first to point out the increase in ransomware in the last year. A variety of datasets collected by other security companies have highlighted the trend, and the increase in double-extortion attacks, over the past year.
While companies can detect and stop ransomware attacks before they cause business-operations problems, solving the ransomware problems will require cooperation on a grand scale, says Miller-Osborn.
"More of the private sector folk [need to] work more with each other, and with law enforcement, to do more takedowns, to do more identification of the people behind these things to get them arrested, to push financial sanctions against entities if we can't get people arrested," she says. "We need to force these things to where there are real world consequences in effect, and force [attackers] so they have trouble keeping their infrastructure operating and suffer impact to their bottom line."