Ransomware gangs are evolving their operations at a rapid pace and making off with increasingly large pay days, according to a new report from Palo Alto Networks Unit 42.
Pulling from its own data and Crypsis incident response data around the world, Unit 42 found that the average ransom paid by organizations nearly tripled over the past year, from $115,123 in 2019 to $312,493. High-end ransoms have gone up significantly too. Between 2015 and 2019, the largest-known individual ransom demand was for $15 million. In 2020 groups were demanding as much as $30 million to unlock a victim’s files and systems.
Many of the top trends highlighted in the report track with previously released research: ransom demands and payments are going up, one group after another jumped on the double extortion bandwagon, and the pandemic-wracked healthcare sector was the most targeted industry.
Jen Miller-Osborn, deputy director of threat intelligence at Unit 42, told SC Media that what most stood out while looking through the data was the speed at which the overall ransomware ecosystem was able to transform and adopt new ideas. One group would develop a new high-success tactic, technique or procedure and within months (or weeks) it became almost standard practice among other groups.
“The actual rate that [ransomware groups] changed, especially over the past year, was honestly a bit surprising, even though we followed it on a daily basis,” said Miller-Osborn.
By far the most prolific data leaker was Netwalker, the Ransomware-as-a-Service operation which released files and data for 113 different organizations between January 2020 and January 2021. No one else came close: the second most frequent leaker was RagnarLocker with just 26.
However, Netwalker was subject to a coordinated takedown in January 2021, with law enforcement organizations in the U.S. and Bulgaria seizing $454,530 in ransom payments laundered through cryptocurrencies, disrupting or seizing many of the group’s servers, shutting down their dark web communication channel with victims, and arresting and charging a Canadian national whom authorities claim acted as an affiliate. It was one of a number of coordinated efforts by law enforcement and private companies like Microsoft to disrupt ransomware actors and the tools they rely on, like the Emotet and Trickbot botnets, to carry out their schemes.
The overall success of those operations has varied. Within months of Trickbot’s domains being seized by Microsoft, researchers at Menlo Security found a group using very similar TTPs to target the legal and insurance industries. Meanwhile the Emotet takedown, which included police raids, the seizure of devices and of primary and backup command-and-control (C2) infrastructure, as well as the arrest of two individuals, appears to have dealt a critical blow to the botnet’s operations, at least in the short term. Since the January law enforcement actions, Netwalker’s dark website has been down and inaccessible.
Still, it’s clear that law enforcement officials continue to see such coordinated efforts by the government and private sector as a critical piece of their overall strategy to combat ransomware.
“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas McQuaid of the Department of Justice’s Criminal Division in January while announcing the Netwalker operation. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”
The manufacturing and health care sectors continue to get hammered, but there are indications that other industries are feeling the hurt as well. While manufacturing was the industry most likely to see its files and data published on ransomware leak sites, professional and legal services was the second. The legal industry shares the same legacy IT problems, reliance on commercial technologies and susceptibility to human error that make other industries vulnerable to ransomware and other digital attacks. Law firms also house valuable client legal and financial data and have strong reputational incentives to avoid disclosing a breach.
“It makes sense, both that they would be targeted and that we’re probably not seeing it reported publicly, because they would have a lot of potentially sensitive and damaging information that they would definitely not want to lose and that could really affect their business,” said Miller-Osborn.
The good news: while there is a dizzying array of ransomware groups and malware strains to keep track of, they mostly use the same vectors to gain initial access to victim networks. By prioritizing the patching and remediation of email systems, as well as of vulnerabilities in remote desktop services or those that allow for privilege escalation, organizations can significantly cut down on their exposure to ransomware attacks in the future.
While many executives are focused on responding to hacks like the one that hit SolarWinds and dozens of other downstream organizations, Miller-Osborn said it shouldn’t come at the expense of ignoring the very achievable gains that can be made with regard to ransomware.
“Yes [more sophisticated campaigns] are something to be aware of, but if you aren’t able to stop ransomware from getting in your environment, perhaps that needs to be the focus first.”