Average Ransom Payment Up 71% This Year, Approaches $1 Million

by Palo Alto
Friday, August 5th, 2022

With the recent release of the 2022 Unit 42 Ransomware Threat Report, we thought it would be a good time to take a quick look at ransomware activity that we’ve seen so far in 2022.

The numbers are startling: The average ransomware payment in cases worked by Unit 42 incident responders rose to $925,162 during the first five months of 2022, approaching the unprecedented $1 million mark as they rose 71% from last year. That’s before additional costs incurred by victims including remediation expenses, downtime, reputational harm and other damages.

Those costs are staggering when you consider the trajectory of their growth. The average ransom payment in cases worked by our consultants in 2020 was about $300,000. It’s hard to believe that the majority of transactions seen by our incident responders were $500 or less in 2016.

Details of about seven new victims on average are posted each day on the dark web leak sites that ransomware gangs use to coerce victims into paying ransoms. Called “double extortion,” the technique increases pressure on victims by adding a layer of public humiliation to the difficulty of losing access to files – identifying victims and sharing purported snippets of sensitive data stolen from their networks. The rate of double extortion we’ve observed translates into one new victim every three to four hours, according to Unit 42’s ongoing analysis of leak site data.

The cyber extortion crisis continues because cybercriminals have been relentless in their introduction of increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented, global digital crime spree. Their ransomware-as-a-service (RaaS) business model has at the same time lowered the technical bar for entry by making these powerful tools accessible to wannabe cyber extortionists with easy-to-use interfaces and online support.

The results can be devastating: Costa Rica’s government has suffered multiple ransomware attacks this year, including one in May that disrupted delivery of healthcare services. The 157-year-old Lincoln College shut down last month after a ransomware attack cut access to all university data, disrupting admissions for Fall 2022 – a cruel blow to an institution already seeking to recover from the pandemic.

This year’s growth in payments was pushed up by two multi-million-dollar ransoms – one to a rising group, Quantum Locker, and one to LockBit 2.0, which has been this year’s most active ransomware gang on double-extortion leak sites to date. Unfortunately, we have no reason to believe that extortion groups will stop seeking multi-million dollar payments – particularly in cases where organizations could be put out of business if they don’t pay up.

It seems no one is immune to ransomware attacks – organizations in almost every country and industry were targeted in 2021. Our analysis of ransomware leak sites identified the Americas region as the most impacted – 60% of the victims listed were attributed to this region, while 31% and 9% were attributed to the Europe, Middle East, and Africa (EMEA) and Asia Pacific regions respectively. Professional and Legal Services, followed by Construction, were the most targeted sectors, with 1,100 and 600 victims respectively named on leak sites.

Regions Affected by Ransomware, 2020
Leak site data

Figure 1

When we look for trends by country rather than region, the United States was the most severely impacted by data breaches, with U.S. organizations accounting for 49% of the leak site data, followed by Canada and the United Kingdom, accounting for 5% each. Since many ransomware threat actors are highly financially motivated, they often focus on profitable organizations in the United States. That said, ransomware is a global issue; we have observed at least one victim impacted in more than 90 different countries.

Top Countries Impacted by Ransomware
Based on the number of victim organizations within each coundry

Figure 1

To read more insights on ransomware and learn how to protect against it – gathered from our firsthand knowledge of incident response cases as well as our ongoing monitoring of dark web leak sites – download the 2022 Unit 42 Ransomware Threat Report.