3/18/2021
09:00 AM

Ransom Payments Have Nearly Tripled

In 2020, ransomware targeted the manufacturing sector, healthcare organizations, and construction companies, with the average ransom reaching $312,000, a report finds.

Ransomware gangs aimed to bilk business victims of even more money in 2020, causing the average ransom paid by companies to jump 171% to more than $312,000.

A new report from Palo Alto Networks, which uses data from ransomware investigations, data-leak sites, and the Dark Web, found 337 victims in 56 industries, with manufacturing, healthcare, and construction companies suffering 39% of ransomware attacks in 2020. In addition, ransom demands skyrocketed during the year, doubling both the highest ransom demand, to $30 million, and the highest-known paid ransom, $10 million. The average victim paid more than $312,000, almost a third of the average demand.

The ransoms will likely continue to rise this year, because the ransomware groups are innovating to stay ahead of defenders, says Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks' Unit 42 threat research group.

"The attackers will continue to evolve, and figure out new ways to make money," she says, adding that "it is a totally different [threat] landscape, especially in the last year or so, where we have seen the amount of ransoms double."

Other research has documented similar surges in ransomware payments. In January, blockchain analysis company Chainalysis found that ransoms paid using cryptocurrency surged 311% in 2020 and approached a grand total of $350 million. However, by the end of the year, ransomware payments had begun to decline, seemingly due to a lack of confidence on the part of the victims that attackers would help them recover their data and delete any stolen copies, according to research by Coveware.

The Palo Alto report combines two sources of threat intelligence: 252 incidents investigated by the company's data-breach response service over the past two years, and a survey of public leak sites and the Dark Web.

Almost two-thirds of the incident response cases investigated by the company came from one of four industries in 2020: healthcare, manufacturing, information technology, or construction. The number of information technology investigations surged to 34, from 20 in 2019, possibly because of the pandemic, the company said in the report.

"As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus," the company stated.

'Double Extortion'

Attackers will continue to improve their techniques in 2020 as they seek to stay ahead of defenders. In 2020, security researchers saw widespread adoption of the "double extortion" attack, where ransomware groups steal data and then encrypt systems before posting a ransom note. If the victim decided to recover from backups, then the attacker would publicly release the stolen data, publishing the victim's secrets on the Internet.

This type of advance is a direct reaction to improved defenses, says Miller-Osborn.

"More organizations had gone to the point with their backups where, if they were impacted by ransomware, they could just tell the bad guys to go pound sand," she says. "To get around that, groups started pre-encrypting the data and exfiltrating it, so they had a secondary threat."

Among the hundreds of victims whose data was posted by ransomware gangs on data-leak sites, the top five industries were manufacturing, legal services, construction, high-technology, and retail, which accounted for 179 breaches, more than 70% of those identified. While the average ransom demand almost reached $847,000, companies typically paid much less, about $312,000, according to the report.

Cleaning up ransomware is not cheap, with the average cost of a forensic engagement exceeding $73,000 for enterprises and topping $40,000 for small and medium businesses.

Same Story, Different Chapter

The report is not the first to point out the increase in ransomware in the last year. A variety of datasets collected by other security companies have highlighted the trend, and the increase in double-extortion attacks, over the past year. 

While companies can detect and stop ransomware attacks before they cause business-operations problems, solving the ransomware problem will require cooperation on a grand scale, says Miller-Osborn.

"More of the private sector folk [need to] work more with each other, and with law enforcement, to do more takedowns, to do more identification of the people behind these things to get them arrested, to push financial sanctions against entities if we can't get people arrested," she says. "We need to force these things to where there are real world consequences in effect, and force [attackers] so they have trouble keeping their infrastructure operating and suffer impact to their bottom line."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
