Ransomware demands shot up in 2020, with new research revealing businesses paid an average of $312,493 to retrieve data and unlock systems compromised by cybercriminals. As attacks become increasingly complex, companies are having to guard against double threat extortions, which can lead to sensitive information being posted online.

The analysis, carried out by Unit 42, the research division of security firm Palo Alto Networks, assessed threat data from a range of platforms. It found that the average ransom payment made by companies increased 171% in 2020, up from $115,123 in 2019 to $312,493 last year. Ransomware accounted for 18% of the 878 cyberattacks recorded in 2020 by the Identity Theft Resource Centre.

double extortion ransomware
Ransomware attacks are becoming increasingly complex. (Photo by Angela Allen/Shutterstock)

In ransomware attacks, criminals break into the victim’s network, often via a phishing attack or by exploiting a known vulnerability. Once inside they steal or encrypt data, and demand a ransom that must be paid before the encryption is removed and the data is returned.

Businesses are acutely aware of the severity of the threat they’re facing. “Ransomware has been the flavour of the year,” Álvaro Garrido, chief security officer at Spanish bank BBVA, told Tech Monitor last month. “The motivations of criminals are changing, because if they can deploy their malware and encrypt an entire company they can bring that company down. The stakes are so high that we can’t afford any mistakes.” Indeed, personal fitness giant Garmin was left counting the cost of a ransomware attack last August, paying a large ransom, thought to be up to $10m, to recover user data that had been stolen.

Ransomware attacks in 2020: changing tactics

Criminals are starting to make their ransomware attacks much more targeted, according to Ryan Olson, vice-president for Unit 42 at Palo Alto Networks, who says attackers are moving away from the ‘spray and pay’ model of indiscriminately targeting organisations in the hope of finding a vulnerability to exploit. “Ransomware operators are now playing a longer game,” he says. “Some operators employ advanced intrusion techniques and have large teams with the capacity to take their time to get to know the victims and their networks, and potentially cause more damage, which enables them to demand and get increasingly higher ransoms.”

This attention to detail can come right down to the time at which an attack is committed. “A trend we’ve seen over the last 18 months is for criminals to do most of their work outside normal office hours, in evenings at weekends or on bank holidays,” says Max Heinemeyer, director of threat hunting at UK cybersecurity business Darktrace. “They might get the keys to the kingdom – the domain controller – on a Friday afternoon, work through until Sunday, then encrypt on Sunday night. They do this to reduce the response and reaction time from the ‘blue team’, the defenders.”

The attacks that criminals use to access their victims’ systems are evolving all the time. Last week saw the first reports of DearCry, a malware being used to take advantage of the Microsoft Exchange server vulnerability and launch ransomware attacks. “Once the vulnerability was discovered, it was only a matter of time before more threat actors started to take advantage of it,” says Eli Salem, lead threat hunter at Cybereason, who has been tracking DearCry’s progress.

The growing threat of double extortion ransomware

Unit 42’s analysis also highlights the growing prevalence of ‘double extortion’ ransomware attacks, in which data is not only encrypted but also posted online in a bid to convince the victim to pay up. “They scramble your data so you cannot access it and your computers stop working,” Unit 42’s Olson explains. “Then, they steal data and threaten to post it publicly.”

“We saw a big increase in multiple extortion during 2020,” he says. “At least 16 different ransomware variants now steal data and threaten to post it. The UK was fourth-highest in our list of countries where victim organisations had their data published on leak sites in the last year.”

Victims of Netwalker ransomware are most likely to have their data exposed according to Unit 42’s research, which shows 113 organisations had data posted on leak sites as a result of Netwalker breaches. Its most high-profile victim in the last year was Michigan State University in the US.

Attackers are also using the threat of DDoS attack to extort ransoms from their victims, Olson adds. This was a preferred technique by the criminal gang behind the Avaddon malware.

The future of ransomware and what to do about it

Launching ransomware attacks became much easier in recent years due to malware as a service, in which criminal gangs rent access to malware and the technical expertise required to use it. Darktrace’s Heinemeyer predicts that increased use of AI by criminals will extend the scale of their attack while making them harder to thwart.

“A zero day like the Exchange vulnerability theoretically gives a threat actor access to thousands of environments,” he says. “The only thing that stops them making money from all of these is the amount of human hackers at their disposal.” AI could be used by criminal gangs to automatically locate and encrypt data, making it easier for them to scale their operations. “We already use AI on the defensive side, and we’re starting to see it deployed by criminals,” Heinemeyer says. “[For hackers], the Exchange vulnerability is like shooting fish in a barrel. At the moment, they just have a crossbow to shoot with, but with automation they’re getting a machine gun.”

For businesses looking to reduce the risk of falling victim to ransomware attackers, Unit 42’s Olson says following cybersecurity best practice – backing-up data, rehearsing recovery processes to minimise downtime in the event of an attack, and training employees to spot and report malicious emails, is essential. He adds: “Having the right security controls in place will drastically reduce the risk of infection. These include technologies such as endpoint security, URL filtering, advanced threat prevention, and anti-phishing solutions deployed to all enterprise environments and devices.”