Healthcare organisations were most targeted, while the rise of 'double extortion' has fuelled ransomware losses

Average ransomware payments rose by 171% between 2019 and 2020, according to Palo Alto Networks' 2021 Unit 42 Ransomware Threat Report.

The average ransom paid by organisations increased from $115,123 in 2019 to $312,493 in 2020. The highest ransom paid by a single organisation doubled over the same period, from $5 million to $10 million.

Demands have grown faster still. From 2015 to 2019, the highest ransomware demand was $15 million; in 2020 it reached $30 million.

Of note, Maze ransom demands in 2020 averaged $4.8 million, well above the $847,344 average across all ransomware families that year. Cybercriminals know ransomware pays and are growing bolder in their demands, the report's authors note.

Healthcare organisations in the crosshairs

The world changed with COVID-19, and ransomware operators took advantage of the pandemic to prey on organisations – particularly the healthcare sector, which was the most targeted vertical for ransomware in 2020.

Ransomware operators were brazen in their attacks, knowing that healthcare organisations, which had to keep operating to treat COVID-19 patients, could not afford to have their systems locked and were therefore more likely to pay.

Ryuk ransomware stood out from the pack. In October 2020, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), warning healthcare organisations against Ryuk attacks.

Rise of double extortion

In a conventional ransomware attack, the operator encrypts data and demands a ransom for the decryption key. In double extortion, the operator exfiltrates data before encrypting it and uses the threat of publication as a second lever: if the victim does not pay, the stolen data is published on a leak site, usually a dark web domain, that the operators themselves create and run. Because the data has already left the network, restoring from backup removes the outage but not the leverage. At least 16 ransomware variants now threaten to expose data or operate leak sites, and more are likely to follow.

NetWalker used this tactic more than any other family. From January 2020 to January 2021, NetWalker leaked data from 113 victim organisations worldwide, far more than any other ransomware family; RagnarLocker was second, leaking data from 26 victims.

Steps to Reduce Ransomware Exposure

The report recommends organisations take the following steps to protect themselves against ransomware attacks:

Initial Access

Initial access vectors are broadly consistent across ransomware variants. Organisations should maintain user awareness training for email security and consider ways to identify and remove malicious email as soon as it reaches an employee's mailbox.

Organisations should also maintain proper patch management and review which services are exposed to the internet. Remote desktop services should be correctly configured and secured, following the principle of least privilege wherever possible, with a policy in place to detect patterns associated with brute-force attacks.
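The brute-force detection policy above can be expressed as a simple sliding-window rule over logon events. The following is an added example, not code from the report or from Palo Alto Networks: it parses a constructed, flattened rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) restricted to LogonType 10 (RemoteInteractive, i.e. RDP), flags a source IP once its failures within five minutes reach a threshold, and raises a second alert if that same IP later logs on successfully, which is the pattern that should trigger an incident rather than just a block. The log format, thresholds and sample lines are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): a simplified rendering of Windows
# Security events. LogonType 10 = RemoteInteractive (RDP). IPs are documentation
# ranges. The first IP sprays five usernames then succeeds as jsmith; the second
# IP shows two ordinary failed attempts followed by a normal logon.
SAMPLE_LOG = """\
2021-03-17T02:14:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45
2021-03-17T02:14:03Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.45
2021-03-17T02:14:05Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.45
2021-03-17T02:14:08Z EventID=4625 LogonType=10 User=sqlsvc SrcIP=203.0.113.45
2021-03-17T02:14:10Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45
2021-03-17T02:14:12Z EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.45
2021-03-17T02:14:40Z EventID=4624 LogonType=10 User=jsmith SrcIP=203.0.113.45
2021-03-17T02:15:00Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7
2021-03-17T02:21:00Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7
2021-03-17T02:30:00Z EventID=4624 LogonType=10 User=jsmith SrcIP=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule: alert once per source IP when its RDP logon failures
    inside `window` reach `threshold`; alert again if that IP later logs on
    successfully (credential guessed or sprayed password worked)."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    users = defaultdict(set)       # ip -> distinct usernames tried (spraying indicator)
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:         # only RDP sessions matter for this rule
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip, "failures": len(q),
                               "distinct_users": len(users[ip]), "at": ev["ts"]})
        elif ev["eid"] == 4624 and ip in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


def run_sample():
    return detect_rdp_bruteforce(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample, the first IP is flagged at its fifth failure (four distinct usernames tried, so this is spraying as much as guessing) and again when it logs on as jsmith; the second IP never reaches the threshold and produces nothing. In production the same rule would read 4625/4624 from the event log or SIEM rather than a string, and the window and threshold should be tuned against a baseline of legitimate failed logons.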

Backup and Recovery Process

Organisations should continue to back up their data and keep an appropriate recovery process in place. Ransomware operators target on-site backups for encryption, so all backups should be maintained securely offline, out of reach of any account the ransomware could run under.

Recovery processes must be implemented and rehearsed with critical stakeholders to minimise downtime and cost in the event of a ransomware attack.
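Part of rehearsing recovery is confirming that the offline copy is still the copy you made, before you restore from it. The following is an added example, not code from the report: it builds a SHA-256 manifest for a backup tree, then verifies the tree against that manifest and reports missing, modified and unexpected files, additionally marking modified files whose content has near-random byte entropy, the signature of a backup that has itself been encrypted. The directory layout, file names (including the ransom-note name) and thresholds are constructed for the demonstration; the manifest must be stored separately from the backup, since a manifest the attacker can rewrite proves nothing.

```python
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text/SQL."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the tree to a trusted manifest. 'possibly_encrypted' lists modified files
    whose first 64 KiB look like ciphertext; 'extra' catches dropped ransom notes."""
    current = build_manifest(root)
    report = {"missing": [], "modified": [], "possibly_encrypted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            with (root / rel).open("rb") as f:
                if shannon_entropy(f.read(1 << 16)) > entropy_threshold:
                    report["possibly_encrypted"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    report["ok"] = not (report["missing"] or report["modified"] or report["extra"])
    return report


def demo():
    """Constructed scenario: a clean verification, then the same tree after a simulated
    ransomware hit (one file overwritten with random bytes, one deleted, a note dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "patients.sql").write_bytes(
            b"INSERT INTO patients VALUES (1, 'constructed sample');\n" * 200)
        (backup / "config.ini").write_text("[server]\nhost=localhost\n")

        # Serialise the manifest as you would when storing it out of band.
        manifest_json = json.dumps(build_manifest(backup), indent=1)
        clean = verify_backup(backup, json.loads(manifest_json))

        # Simulate the backup being reached by ransomware.
        (backup / "db" / "patients.sql").write_bytes(os.urandom(4096))   # "encrypted"
        os.remove(backup / "config.ini")
        (backup / "HOW_TO_RECOVER.txt").write_text("hypothetical ransom note\n")
        tampered = verify_backup(backup, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run ok:", before["ok"])
    print("after tampering:", json.dumps(after, indent=1))
```

The entropy check is a heuristic: legitimately compressed or already-encrypted archives will also score near 8.0, so compare against the manifest first and treat entropy only as a hint about why a file changed. A real rehearsal should go one step further and actually restore the verified set to an isolated host.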

Security Controls

The most effective protection against ransomware is endpoint security, URL filtering or web protection, advanced threat prevention (sandboxing for unknown threats) and anti-phishing, deployed across all enterprise environments and devices.

These controls will not guarantee prevention, but they drastically reduce the risk of infection from common variants and overlap in coverage, so that one control still enforces when another has been bypassed.