The average ransomware payment increased by 78% to $541,010 in 2021, according to the recently published 2022 Unit 42 Ransomware Threat Report from Palo Alto Networks, with the average ransom demand increasing by 144% to $2.2 million.
Many ransomware gangs conducted attacks last year, but the Conti ransomware gang was the most prolific and was responsible for around one-fifth of all attacks worked on by the Unit 42 team. The REvil ransomware gang, which has now been taken down, was also highly active and was the second most prolific gang, followed by Hello Kitty and Phobos.
Double extortion tactics have been adopted by most ransomware gangs. In addition to encrypting files, sensitive data is exfiltrated from victims, and the gangs threaten to sell or publish the data if payment is not made. The Conti gang was the most prolific data leaker in 2021, having posted the names and data of 511 victims on its data leak site last year. The Unit 42 team said this helped to increase the number of victims posted on name-and-shame sites by 85% compared to 2020.
Several ransomware gangs operate out of Russia, which appears to be turning a blind eye to ransomware gangs operating in the country, although Russia did take action against the REvil gang and arrested several suspected members of the gang at the start of 2022. While several ransomware operations were shut down in 2021, in many cases the operations simply rebranded and recommenced their attacks under different names. Even when ransomware affiliates are apprehended, there is no shortage of hackers willing to take their place. The money that can be earned from the attacks is much greater than it would likely be possible to earn in regular jobs.
Ransomware attacks are big business, and considerable profits are made by the gangs. RaaS operations are increasingly run like regular businesses, with the profits reinvested in the operations to develop better attack tools, including developing or paying for zero-day exploits to facilitate their attacks. The Conti ransomware gang is a prime example. This year, in response to a public statement of support for Russia’s invasion of Ukraine, a Ukrainian security researcher leaked Conti source code and internal communications between members of the operation, which provided insights into how the ransomware operation is run. Rather than pay affiliates a cut of any ransoms they generate, Conti pays salaries, awards bonuses, conducts appraisals, and even has an employee of the month. The gang has distinct units with their own specializations, including pen testing, QA, and OSINT. The leaked communications show the gang paid out $6 million in salaries, tools, and services last year.
“As these ransomware gangs and RaaS operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organizations of all sizes in 2022,” said Ryan Olson, VP of Threat Intelligence, Unit 42, Palo Alto Networks.