The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable

This post is also available in: 日本語 (Japanese)

Five years ago, our Unit 42 global threat intelligence team released a threat report warning that ransomware was quickly becoming one of the greatest cyberthreats facing organizations. Calling ransomware a “criminal business model” that attackers had spent many years perfecting, the report detailed ransom demands of “well over $10,000” – predicting that those demands would only grow higher.

Sadly, we were right. Today, we released the 2021 Unit 42 Ransomware Threat Report. Using data from Unit 42, as well as from our Crypsis incident response team, the report details a disturbing new watershed: Cyber extortion has reached crisis levels as cybercriminal enterprises have flourished, obtaining capabilities that rival those of nation-states.

The highest ransomware demand we observed surged to $30 million in 2020 (from $15 million in 2019). In fact, our review of cases handled last year found that the average paid ransom nearly tripled to $312,493 (from $115,123 in 2019). That’s a staggering increase from 2016, when the majority of transactions were between $200 and $500.

How the Ransomware Threat Grew

What happened? Ransomware attacks evolved from “spray and pray” campaigns that sought flat rates to restore access to encrypted systems. Attackers saw potential for massive profit growth and began demanding higher ransoms from targeted attacks on industries and organizations whose operations were most vulnerable to systems outages or data loss.

Healthcare emerged as the most popular target. Last year, one in five ransomware cases we investigated involved providers that depend on computers to treat patients. In October, the U.S. government warned hospitals, which were already struggling due to COVID, that they were being targeted by Ryuk, one of the pieces of malware covered in our report.

Attackers got greedier, richer and more technically savvy and invested profits into R&D, developing the scale and hacking techniques that enable them to move at lightning speed to exploit new vulnerabilities.

As soon as Microsoft released security patches on March 2 to plug four zero-day vulnerabilities in Exchange Server, ransomware enterprises sprung into action. Within a week, Unit 42 observed DearCry ransomware looking to exploit those vulnerabilities. We encourage all Exchange Server users to patch immediately.

Don’t Panic. The Threat Can Be Mitigated

Although the recent attacks on SolarWinds and Microsoft Exchange users will go down in history, this report reminds us that ransomware remains the most pernicious cyberthreat. Still, Unit 42’s message remains the same as it was five years ago: Don’t panic. There’s lots of help available.

Palo Alto Networks offers a broad portfolio of products and services to help organizations respond to ransomware attacks and prevent new ones from occuring in the future. Ryuk, WastedLocker, REvil and other ransomware operations use targeted attack techniques and worm-like capabilities to infect their targets. We can help block every step of an attack, from delivery to hard-to-detect lateral movement, and then quickly restore compromised hosts if needed.

You can learn more by downloading the 2021 Unit 42 Ransomware Threat Report.