{"id":128252,"date":"2021-03-17T08:30:17","date_gmt":"2021-03-17T15:30:17","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=128252"},"modified":"2021-03-17T08:32:09","modified_gmt":"2021-03-17T15:32:09","slug":"ransomware-threat","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2021\/03\/ransomware-threat\/","title":{"rendered":"The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable"},"content":{"rendered":"<p>Five years ago, our Unit 42 global threat intelligence team released a <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit-42-ransomware-trends\/\">threat report <\/a>warning that ransomware was quickly becoming one of the greatest cyberthreats facing organizations. Calling ransomware a \u201ccriminal business model\u201d that attackers had spent many years perfecting, the report detailed ransom demands of \u201cwell over $10,000\u201d \u2013 predicting that those demands would only grow higher.<\/p>\n<p>Sadly, we were right. Today, we released the <a href=\"https:\/\/start.paloaltonetworks.com\/unit-42-ransomware-threat-report.html\">2021 Unit 42 Ransomware Threat Report<\/a>. Using data from Unit 42, as well as from our Crypsis incident response team, the report details a disturbing new watershed: Cyber extortion has reached crisis levels as cybercriminal enterprises have flourished, obtaining capabilities that rival those of nation-states.<\/p>\n<p>The highest ransomware demand we observed surged to $30 million in 2020 (from $15 million in 2019). In fact, our review of cases handled last year found that the average paid ransom nearly tripled to $312,493 (from $115,123 in 2019). That\u2019s a staggering increase from 2016, when the majority of transactions were between $200 and $500.<\/p>\n<h2><a id=\"post-128252-_3udrjepdjx99\"><\/a>How the Ransomware Threat Grew<\/h2>\n<p>What happened? 
Ransomware attacks evolved from \u201cspray and pray\u201d campaigns that sought flat rates to restore access to encrypted systems. Attackers saw potential for massive profit growth and began demanding higher ransoms from targeted attacks on industries and organizations whose operations were most vulnerable to systems outages or data loss.<\/p>\n<p>Healthcare emerged as the most popular target. Last year, one in five ransomware cases we investigated involved providers that depend on computers to treat patients. In October, the U.S. government warned hospitals, which were already struggling due to COVID, that they were being targeted by <a href=\"https:\/\/unit42.paloaltonetworks.com\/ryuk-ransomware\/\">Ryuk<\/a>, one of the pieces of malware covered in our report.<\/p>\n<p>Attackers got greedier, richer and more technically savvy and invested profits into R&amp;D, developing the scale and hacking techniques that enable them to move at lightning speed to exploit new vulnerabilities.<\/p>\n<p>As soon as Microsoft released <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2021\/03\/patching-microsoft-exchange-servers\/\">security patches<\/a> on March 2 to plug <a href=\"https:\/\/unit42.paloaltonetworks.com\/microsoft-exchange-server-vulnerabilities\/\">four zero-day vulnerabilities in Exchange Server<\/a>, ransomware enterprises sprang into action. Within a week, Unit 42 observed <a href=\"https:\/\/unit42.paloaltonetworks.com\/dearcry-ransomware\/\">DearCry<\/a> ransomware looking to exploit those vulnerabilities. We encourage all Exchange Server users to patch immediately.<\/p>\n<h2><a id=\"post-128252-_5h76nshbndax\"><\/a>Don\u2019t Panic. The Threat Can Be Mitigated<\/h2>\n<p>Although the recent attacks on SolarWinds and Microsoft Exchange users will go down in history, this report reminds us that ransomware remains <em>the<\/em> most pernicious cyberthreat. Still, Unit 42\u2019s message remains the same as it was five years ago: Don\u2019t panic. 
There\u2019s lots of help available.<\/p>\n<p>Palo Alto Networks offers a broad portfolio of products and services to help organizations respond to ransomware attacks and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2021\/03\/exchange-server-new-playbook\/\">prevent new ones<\/a> from occurring in the future. Ryuk, <a href=\"https:\/\/unit42.paloaltonetworks.com\/wastedlocker\/\">WastedLocker<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/ransomware-threat-assessments\/7\/\">REvil<\/a> and other ransomware operations use targeted attack techniques and worm-like capabilities to infect their targets. We can help block every step of an attack, from delivery to hard-to-detect lateral movement, and then quickly restore compromised hosts if needed.<\/p>\n<p>You can learn more by downloading the <a href=\"https:\/\/start.paloaltonetworks.com\/unit-42-ransomware-threat-report.html\">2021 Unit 42 Ransomware Threat Report<\/a>.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"1587\"><span class=\"ar-custom\" style=\"padding-bottom:53.56%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-128267 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2021\/03\/Ransomware-series-21-illustration_blue.png\" alt=\"Conceptual image representing ransomware\" width=\"1587\" height=\"850\" \/><\/span><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The ransomware threat is growing, but it can be mitigated. Get the details in the 2021 Unit 42 Ransomware Threat Report. 
<\/p>\n","protected":false},"author":663,"featured_media":128253,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6724],"tags":[7529,6669,221,7528,586],"coauthors":[7527],"class_list":["post-128252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-points-of-view","tag-crypsis","tag-incident-response","tag-ransomware","tag-ransomware-threat-report","tag-unit-42","net_sec_category-next-generation-firewalls","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2021\/03\/Espionage-r3d1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/128252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=128252"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/128252\/revisions"}],"predecessor-version":[{"id":128282,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/128252\/revisions\/128282"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/128253"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json
\/wp\/v2\/media?parent=128252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=128252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=128252"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=128252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}