Unit 42: Ransomware demands we're aware of averaged $2.2m last year

Conti, REvil declared most active criminal gangs


The average ransom demand hit $2.2 million in 2021, a 144 percent rise from the year prior, according to Palo Alto Networks' Unit 42 consultants, while the average ransom payment grew 78 percent to $541,010.

The research and consultancy outfit's latest ransomware report, issued this week, pulls data from cases handled by Unit 42 along with analysis of ransomware gangs' leak sites.

These findings, combined with another ransomware report released this week from the US Senate Homeland Security and Governmental Affairs Committee, paint a disturbing picture of cyber criminals' increasingly brazen tactics, and of how difficult it is for organizations of all sizes to defend themselves.

And while almost no country or industry escaped unscathed in 2021, some regions and sectors were hit harder than others. Unit 42's ransomware leak site analysis identified the Americas as home to most of the organizations that experienced an attack, some 60 percent, compared to 31 percent in Europe, the Middle East and Africa, and nine percent in the Asia-Pacific region.

The infosec team also found professional and legal services (1,100) and construction (600) firms named most frequently on leak sites.

"As these ransomware gangs and RaaS operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organizations of all sizes in 2022," warned Ryan Olson, VP of threat intelligence for Unit 42, in a foreword to his organization's report.

But first, a look back on 2021. 

More multi-extortion to come

While double extortion became more common in 2020 — this is where cyber criminals not only encrypt files and demand victims pay a ransom to regain access to those documents, they also steal the data to publicly leak if the money isn't paid — "ransomware gangs took these tactics to a new level" in 2021, according to the report.

"For example, we've seen gangs make threatening phone calls to employees and customers and launch denial of service (DoS) attacks to shut down a victim's website in an effort to incentivize payments," Olson wrote.

In all, Unit 42 saw the names and proof of compromise for 2,566 victims posted to leak sites last year, representing an 85 percent spike from 2020. "Be prepared to see more multi-extortion attack tactics in 2022 and beyond," the report warned.

Further analysis of leak sites revealed that Conti, with 511, bragged about the most breaches in 2021. LockBit 2.0 came in second place with 406. 

A new ransomware-as-a-service operation, BlackCat, which other threat hunting teams have linked to the BlackMatter/DarkSide ransomware ring, began using "triple extortion attacks," according to the report: first stealing an organization's data, then deploying ransomware and threatening to leak the information, and then launching a DDoS attack if the ransom isn't paid.

BlackCat is also notable for its "meteoric rise," according to Unit 42. The security shop reported that just one month after appearing on the scene in November 2021, this criminal group already claimed the seventh-largest number of victims on their leak site. It targets primarily US companies, and lets its affiliates keep 80 percent to 90 percent of the ransom, with the remainder going to BlackCat.

According to Unit 42, BlackCat ransomware is also "one of the first, if not the first" to use the Rust programming language.

Conti, REvil most active criminal gangs

Meanwhile, Russia-based Conti displaced REvil as the most active gang in 2021, based on security incidents that Unit 42 responded to last year. Conti's average ransom demand came in at $1.78m, and their top payment request was $3m. Since 2020, this cyber-crime ring has leaked data belonging to more than 600 organizations, according to the report.

Conti was also quick to exploit known vulns, like ProxyShell and Log4j, using these as its initial access vectors to carry out ransomware attacks.

This use of zero-days is something that Unit 42 expects to see more of in 2022. "We believe threat actors are increasingly tracking high-profile vulnerabilities and exploiting them to gain an initial foothold in an organization," the report authors wrote. "The timeframe from vulnerability to exploit is getting shorter — it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough."

Another Russian cyber-crime ring, REvil, was the second most active gang in 2021, based on Unit 42 incident response data. The group's initial demand averaged about $2.2m and its highest demand hit $5.4m — both increases from 2020. "The size of specific ransoms depended on the size of the organization and type of data stolen," according to the report. "Further, when victims failed to meet deadlines for making payments via Bitcoin, the attackers often doubled the demand."

A second report [PDF] released this week, this one from the US Senate Homeland Security and Governmental Affairs Committee, also documents REvil attacks on three American companies. And it found the federal government's response to these incidents sorely lacking. The document doesn't name the three companies, all of which reported the attacks to law enforcement, and instead refers to them as entities A, B, and C:

Entity A is a global multi-sector Fortune 500 company with roughly 100,000 employees. Entity B is a global manufacturing company with several thousand employees. Entity C is a technology firm with only 50 employees.

Entity A, which has a 200-person security team and spends about 10 percent of its overall IT budget on security, hired Microsoft's incident response team after REvil demanded a $70 million ransom, which the report says it did not pay. It took about a week to kick REvil off its network. The company said it would have taken a lot longer to recover from the attack without its "vast resources and robust backups." 

Keystone cops?

Additionally, "Entity A found the FBI to be unhelpful throughout the process," according to the report. The firm asked the FBI for guidance, and says it didn't receive any "helpful assistance." 

As an example: the FBI hostage negotiator seemed to have little experience responding to ransomware attacks. Additionally, "Entity A indicated the FBI prioritized investigating those responsible for the attack over helping Entity A respond and secure its network — the top priority for Entity A."

Entity A also said it wished it could have shared more information about REvil and the attack with other companies without being penalized under current laws.

The second company, a manufacturing firm the report calls Entity B, also did not pay the ransom and says it took about a month to assess the full scope of the breach and how much data REvil had stolen. This firm hired an incident response team, outside attorneys, and a ransom negotiator to help it recover. It also had cyber insurance, but notes that its "premiums rose substantially after the breach."

While not as damning as Entity A's depiction of the FBI's response, Entity B "recalled there was no 'here's a playbook' discussions with the FBI regarding how to best respond," the report noted.

IT firm Entity C was the smallest of the three to experience a ransomware attack, and after contacting federal officials said it preferred to respond to the attack on its own. 

While this company found the agencies "helpful," the report also noted that "Entity C found the federal government's response teams were caught off guard by the idea that a group or entity would launch attacks like this on such a large scale in such a small time frame."

The Senate committee recommends that companies take steps to make it more difficult and costly for ransomware gangs to breach their networks. This includes security basics like patching vulnerabilities, using multi-factor authentication, keeping device and software inventories, requiring employees use complex passwords, maintaining offline backups, and encrypting sensitive data.

And it also calls on the FBI and CISA to work more closely to share information and do more to help ransomware victims recover their data and mitigate damages. 

"The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act," the committee's ranking member, Sen. Rob Portman, R-Ohio, said in a statement. "This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government's cyber defense and investigative capabilities." ® 
