Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM

Ransom Payments Have Nearly Tripled

In 2020, ransomware targeted the manufacturing sector, healthcare organizations, and construction companies, with the average ransom reaching $312,000, a report finds.

Ransomware gangs aimed to bilk business victims of even more money in 2020, causing the average ransom paid by companies to jump 171% to more than $312,000.

A new report from Palo Alto Networks -- which uses data from ransomware investigations, data-leak sites, and the Dark Web — found 337 victims in 56 industries, with manufacturing, healthcare, and construction companies suffering 39% of ransomware attacks in 2020. In addition, ransom demands skyrocketed during the year, doubling both the highest ransom demand — to $30 million—and the highest-known paid ransom, $10 million. The average victim paid more than $312,000, almost a third of the average demand.

Related Content:

Manufacturing Sees Rising Ransomware Threat

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

The ransoms will likely continue to rise this year, because the ransomware groups are innovating to stay ahead of defenders, says Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks' Unit 42 threat research group.

"The attackers will continue to evolve, and figure out new ways to make money," she says, adding that "it is a totally different [threat] landscape, especially in the last year or so, where we have seen the amount of ransoms double."

Other research has documented similar surges in ransomware payments. In January, blockchain analysis company Chainalysis found that ransoms paid using cryptocurrency surged 311% in 2020 and approached a grand total of $350 million. However, by the end of the year, ransomware payments had begun to decline, seemingly due to a lack of confidence on the part of the victims that attackers would help them recover their data and delete any stolen copies, according to research by Coveware.

The Palo Alto report combines two sources of the threat intelligence: 252 incidents investigated by the company's data-breach response service over the past two years, and a survey of public leak sites and the Dark Web. 

Almost two thirds of the incident response cases investigated by the company came in one of four industries in 2020: healthcare, manufacturing, information technology, or construction. The number of information technology investigations surged to 34, from 20 in 2019, possibly because of the pandemic, the company said in the report.

"As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus," the company stated.

'Double Extortion'

Attackers will continue to improve their techniques in 2020 as they seek to stay ahead of defenders. In 2020, security researchers saw widespread adoption of the "double extortion" attack, where ransomware groups steal data and then encrypt systems before posting a ransom note. If the victim decided to recover from backups, then the attacker would publicly release the stolen data, publishing the victim's secrets on the Internet.

This type of advanced is a direct reaction to improved defenses, says Miller-Osborn.

"More organizations had gone to the point with their backups where, if they were impacted by ransomware, they could just tell the bad guys to go pound sand," she says. "To get around that, groups started pre-encrypting the data and exfiltrating it, so they had a secondary threat."

Among the hundreds of victims whose data was posted by ransomware gangs on data-leak sites, the top-5 industries were manufacturing, legal services, construction, high-technology, and retail, which accounted for 179 breaches, more than 70% of those identified. While the average ransom demand almost reached $847,000, companies typically paid much less, about $312,000, according to the report. 

Cleaning up ransomware is not cheap with the average cost of a forensic engagement exceeding $73,000 for enterprises and topping $40,000 for small and medium businesses.

Same Story, Different Chapter

The report is not the first to point out the increase in ransomware in the last year. A variety of datasets collected by other security companies have highlighted the trend, and the increase in double-extortion attacks, over the past year. 

While companies can detect and stop ransomware attacks before they cause business-operations problems, solving the ransomware problems will require cooperation on a grand scale, says Miller-Osborn.

"More of the private sector folk [need to] work more with each other, and with law enforcement, to do more takedowns, to do more identification of the people behind these things to get them arrested, to push financial sanctions against entities if we can't get people arrested," she says. "We need to force these things to where there are real world consequences in effect, and force [attackers] so they have trouble keeping their infrastructure operating and suffer impact to their bottom line."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).