Double extortion ransomware pushes average payments close to $1 million

The average ransomware payment has risen 71% this year and is close to reaching $1 million, experts have said.

In ransomware cases that have been assisted by incident responders at cyber security company Unit 42 of Palo Alto Networks, the average ransom paid was $925,162 in the first five months of 2022.

This represents a steep and “startling” rise from figures of previous years when average ransom payments were $541,009 and $303,756 in 2021 and 2020 respectively, said Ryan Olson, vice president of threat intelligence at Unit 42 in a blog post.

As recently as 2016, the company’s incident responders were seeing payments of just $500, and the rise of double extortion models has placed added pressure on organisations to pay ransom demands.

Double extortion ransomware has become a popular operational model in recent years as companies are increasingly vigilant to ransomware attacks and are keeping better backups to avoid having to pay ransom demands.

The model sees attackers infecting a corporate network with ransomware, locking users out of machines as usual, but exfiltrates sensitive data before the infection chain begins, threatening to leak the data if the ransom isn’t paid.

This places additional pressure on companies to maintain their reputation with customers and from a regulatory perspective for companies bound by stringent data protection laws like GDPR.

“Details of about seven new victims on average are posted each day on the dark web leak sites that ransomware gangs use to coerce victims into paying ransoms,” said Olson. “The rate of double extortion we’ve observed translates into one new victim every three to four hours.

“The cyber extortion crisis continues because cybercriminals have been relentless in their introduction of increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented, global digital crime spree,” he added. “Their ransomware-as-a-service (RaaS) business model has at the same time lowered the technical bar for entry by making these powerful tools accessible to wannabe cyber extortionists with easy-to-use interfaces and online support.”

Unit 42 has observed two instances of multi-million-dollar ransoms being paid this year, driven by the success of the Quantum Locker and LockBit 2.0 ransomware operations.

Companies that could be put out of business if they don’t pay the ransom will continue to be targeted, the researcher said, and it’s in these cases where the huge ransom demands will again be issued.

Olson cited Costa Rica as an example of how devastating ransomware can still be in 2022, five years on from WannaCry and six years after the average ransom demand was in the region of $500 - a pittance in today’s threat landscape.

The country has declared a state of emergency after it sustained an attack from the Conti ransomware and has since had a second ransomware gang targeting the country, this time focusing on its health service.

According to a separate report from Digital Shadows, the first quarter of 2022 saw a 25% decrease in ransomware activity compared to the previous quarter.

The company said the decrease in activity could be a result of a less prominent threat of the larger, more organised ransomware groups that have shuttered in recent months, such as REvil and BlackMatter.