Dark web leaks climbed; ransomware payments hit record highs

Ransomware payments hit new records in 2021 as cyber criminals increasingly turned to dark web “leak sites” where the malicious cyber actors pressured victims to pay up by threatening to release sensitive data, according to research released today from Unit 42 by Palo Alto Networks, the global cyber security leader.

Reporter
Fri, 25 Mar 2022

The average ransom demand in cases worked by the Palo Alto Networks Unit 42 security consultants rose 144 per cent in 2021 to US$2.2 million, while the average payment climbed 78 per cent to US$541,010, according to The 2022 Unit 42 Ransomware Threat Report.

Ransomware groups are more active than ever, not just globally, but increasingly so right here in Australia, according to Sean Duca, vice-president and regional chief security officer, Palo Alto Networks JAPAC.

“These attacks are no longer limited to specific sectors but hold industries such as critical infrastructure, healthcare, education and energy hostage.

“As Australia becomes increasingly connected to the global community, not only will the number of attacks increase, but the level of extortion will accelerate significantly, and Australian organisations must remain vigilant and well equipped to deal with these security threats,” Duca said.

At a glance, Palo Alto Networks’ Unit 42 analysts have observed the following:

  • Average ransom demand rose 144 per cent to $2.2 million.
  • Average payment rose 78 per cent to $541,010.
  • Posts on name-and-shame dark web leak sites climbed 85 per cent.
  • Australia ranks #1 in Asia-Pacific for most ransomware attacks, and #7 globally.
  • The year 2021 saw a 642 per cent increase in dark web leaks on prior year.
  • Thirty-seven per cent of all attacks on Australian organisations targeted the commercial and professional services sector.
  • Thirty-eight per cent of all attacks targeted organisations in NSW; the ACT was the least targeted geography.

The Conti ransomware group was responsible for the most activity, accounting for more than one in five cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was number two at 7.1 per cent, followed by Hello Kitty and Phobos (4.8 per cent each). Conti also posted the names of 511 organisations on its dark web leak site, the most of any group.

The report describes how the cyber extortion ecosystem grew in 2021, with the emergence of 35 new ransomware gangs. It documents how criminal enterprises invested windfall profits into creating tools that are easier to use in attacks that increasingly leverage zero-day vulnerabilities.

The number of victims whose data was posted on leak sites rose 85 per cent in 2021 to 2,566 organisations, according to Unit 42’s analysis. Sixty per cent of leak site victims were in the Americas, followed by 31 per cent for Europe, the Middle East and Africa, and then 9 per cent in the Asia-Pacific region. The most affected vertical industries were professional and legal services, construction, wholesale and retail, healthcare and manufacturing.

The intimidation practice of ransomware operators posting snippets of stolen information on dark web leak sites is designed to pressure victims into making ransom payments, and the practice is rapidly rising both globally and in Australia.

In 2021, ransomware attacks interfered with everyday activities that people all over the world take for granted, according to Jen Miller-Osborn, deputy director, Unit 42 Threat Intelligence, who further explained that ransomware affected everything from buying groceries and purchasing fuel for our cars to calling emergency services and obtaining medical care.
