{"id":157448,"date":"2022-03-24T03:00:51","date_gmt":"2022-03-24T10:00:51","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=157448"},"modified":"2022-03-23T15:31:36","modified_gmt":"2022-03-23T22:31:36","slug":"ransomware-trends-demands-dark-web-leak-sites","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2022\/03\/ransomware-trends-demands-dark-web-leak-sites\/","title":{"rendered":"Ransomware Trends: Higher Ransom Demands, More Extortion Tactics"},"content":{"rendered":"

Today, as we publish our 2022 Unit 42 Ransomware Threat Report<\/a>, we\u2019re once again reporting that payments hit new records as cybercriminals increasingly turned to dark web \u201cleak sites\u201d where they pressured victims to pay up by threatening to release sensitive data.<\/p>\n

A year ago, Unit 42 released its 2021 Unit 42 Ransomware Threat Report<\/a>, which documented how cybercriminals had used the windfall profits generated from cyber extortion to transform themselves into massive criminal enterprises, some with near-nation state cyber capabilities. We warned<\/a> that cyber extortion had reached crisis levels due to the wild success of a criminal business model known as ransomware as a service (RaaS)<\/a>.<\/p>\n

 <\/p>\n

<\/a>Ransomware Groups and Trends in Demands and Payments<\/h2>\n

The average ransom demand in cases worked by Palo Alto Networks Unit 42 security consultants rose 144% in 2021 to $2.2 million, while the average payment climbed 78% to $541,010.<\/p>\n

\"Average<\/span><\/div>
Figure 1. Average ransom demands compared to average ransom payments in 2020 and 2021, according to Unit 42 incident response data.<\/figcaption><\/figure>\n

The Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each).<\/p>\n

\"Top<\/span><\/div>
Figure 2. Top 14 most active ransomware variants in 2021 \u2013 according to Unit 42 incident response data.<\/figcaption><\/figure>\n

 <\/p>\n

<\/a>Dark Web Leak Sites and DDoS \u2013 Double and Multi-Extortion<\/h2>\n

For years, the main threat from ransomware has been that it would encrypt data on computers, making it impossible for organizations to use them to manage operations and retrieve critical information. That approach continued last year in some high-profile attacks that interfered with everyday activities that people all over the world take for granted \u2013 everything from buying groceries and purchasing gasoline for our cars to calling for emergency services and obtaining medical care.<\/p>\n

But threat actors have evolved their techniques in recent years to include additional ways to coerce their victims into paying ransoms.<\/p>\n

For example, in addition to holding data and access hostage, some ransomware groups engage in double extortion by using dark web leak sites to threaten to release sensitive information to the public. Some groups engage in further pressure tactics \u2013 they harass customers, bring down external websites or cause other harm.<\/p>\n

That trend, known as multi-extortion, surged in 2021. The number of victims whose data was posted on those leak sites rose 85% in 2021 to 2,566 organizations, according to Unit 42\u2019s analysis. 60% of leak site victims were in the Americas, followed by 31% for Europe, the Middle East and Africa, and then 9% in the Asia Pacific region. The most affected industries were Professional and Legal Services, Construction, Wholesale and Retail, Healthcare, and Manufacturing.<\/p>\n

 <\/p>\n

<\/a>The 2022 Unit 42 Ransomware Threat Report<\/h2>\n

Our report also documents other key trends<\/a>. It explains how RaaS groups are increasingly leveraging zero-day vulnerabilities to launch attacks, plus making their encryption malware faster and more difficult to defeat. It also describes how they\u2019re using slick marketing campaigns to recruit affiliates and increasingly offering technical support to help victims get back online after they pay their ransoms.<\/p>\n

Finally, the report outlines a series of best practices that organizations can use to address the threat of ransomware \u2013 whether preparing for a possible ransomware attack or facing the impact of an attack that\u2019s already underway.<\/p>\n

Download the full 2022 Unit 42 Ransomware Threat Report<\/a> to learn more, and register to attend the 2022 Unit 42 Ransomware Threat Report Webinar<\/a> live to hear our security experts discuss the key findings in the report.<\/p>\n

 <\/p>\n

<\/a>Get in Touch<\/h2>\n

Want to be prepared for a ransomware attack? Call in the experts.<\/strong><\/p>\n

If you think you may have been impacted by a ransomware attack, please contact Unit 42<\/a> to connect with a team member. If you have cyber insurance, you can request Unit 42 by name. The Unit 42 Incident Response team is available 24\/7\/365. You can also take preventative steps by requesting a Ransomware Readiness Assessment<\/a>.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The 2022 Unit 42 Ransomware Threat Report documents trends observed in incident response case data and insights gleaned from dark web leak sites.<\/p>\n","protected":false},"author":65,"featured_media":157449,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6724,6717],"tags":[7900,8051,221,7528,586],"coauthors":[704],"class_list":["post-157448","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-points-of-view","category-products-and-services","tag-extortion","tag-raas","tag-ransomware","tag-ransomware-threat-report","tag-unit-42","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/03\/Contemplating.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/157448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=157448"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/157448\/revisions"}],"predecessor-version":[{"id":157488,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/157448\/revisions\/157488"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/157449"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=157448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=157448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=157448"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=157448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}