* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/)
* The Ransomware Threat: Bi...

# The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F03%2Fransomware-threat%2F)  
[](https://twitter.com/share?text=The+Ransomware+Threat%3A+Bigger%2C+Greedier%2C+Attacking+the+Most+Vulnerable&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F03%2Fransomware-threat%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F03%2Fransomware-threat%2F&title=The+Ransomware+Threat%3A+Bigger%2C+Greedier%2C+Attacking+the+Most+Vulnerable&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2021/03/ransomware-threat/&ts=markdown)  
\[\](mailto:?subject=The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable)  
Link copied  
By [Wendi Whitmore](https://www.paloaltonetworks.com/blog/author/wendi-whitmore/?ts=markdown "Posts by Wendi Whitmore")  
Mar 17, 2021  
3 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown)  
[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)  
[crypsis](https://www.paloaltonetworks.com/blog/tag/crypsis/?ts=markdown)  
[Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown)  
[ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown)  
[ransomware threat report](https://www.paloaltonetworks.com/blog/tag/ransomware-threat-report/?ts=markdown)  
[Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www.paloaltonetworks.com/blog/2021/03/ransomware-threat/?lang=ja "Switch to Japanese(日本語)")

Five years ago, our Unit 42 global threat intelligence team released a [threat report](https://unit42.paloaltonetworks.com/unit-42-ransomware-trends/)warning that ransomware was quickly becoming one of the greatest cyberthreats facing organizations. Calling ransomware a "criminal business model" that attackers had spent many years perfecting, the report detailed ransom demands of "well over $10,000" -- predicting that those demands would only grow higher.

Sadly, we were right. Today, we released the [2021 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html). Using data from Unit 42, as well as from our Crypsis incident response team, the report details a disturbing new watershed: Cyber extortion has reached crisis levels as cybercriminal enterprises have flourished, obtaining capabilities that rival those of nation-states.

The highest ransomware demand we observed surged to $30 million in 2020 (from $15 million in 2019). In fact, our review of cases handled last year found that the average paid ransom nearly tripled to $312,493 (from $115,123 in 2019). That's a staggering increase from 2016, when the majority of transactions were between $200 and $500.

## How the Ransomware Threat Grew

What happened? Ransomware attacks evolved from "spray and pray" campaigns that sought flat rates to restore access to encrypted systems. Attackers saw potential for massive profit growth and began demanding higher ransoms from targeted attacks on industries and organizations whose operations were most vulnerable to systems outages or data loss.

Healthcare emerged as the most popular target. Last year, one in five ransomware cases we investigated involved providers that depend on computers to treat patients. In October, the U.S. government warned hospitals, which were already struggling due to COVID, that they were being targeted by [Ryuk](https://unit42.paloaltonetworks.com/ryuk-ransomware/), one of the pieces of malware covered in our report.

Attackers got greedier, richer and more technically savvy and invested profits into R\&D, developing the scale and hacking techniques that enable them to move at lightning speed to exploit new vulnerabilities.

As soon as Microsoft released [security patches](https://www.paloaltonetworks.com/blog/2021/03/patching-microsoft-exchange-servers/?ts=markdown) on March 2 to plug [four zero-day vulnerabilities in Exchange Server](https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/), ransomware enterprises sprung into action. Within a week, Unit 42 observed [DearCry](https://unit42.paloaltonetworks.com/dearcry-ransomware/) ransomware looking to exploit those vulnerabilities. We encourage all Exchange Server users to patch immediately.

## Don't Panic. The Threat Can Be Mitigated

Although the recent attacks on SolarWinds and Microsoft Exchange users will go down in history, this report reminds us that ransomware remains *the* most pernicious cyberthreat. Still, Unit 42's message remains the same as it was five years ago: Don't panic. There's lots of help available.

Palo Alto Networks offers a broad portfolio of products and services to help organizations respond to ransomware attacks and [prevent new ones](https://www.paloaltonetworks.com/blog/2021/03/exchange-server-new-playbook/?ts=markdown) from occuring in the future. Ryuk, [WastedLocker](https://unit42.paloaltonetworks.com/wastedlocker/), [REvil](https://unit42.paloaltonetworks.com/ransomware-threat-assessments/7/) and other ransomware operations use targeted attack techniques and worm-like capabilities to infect their targets. We can help block every step of an attack, from delivery to hard-to-detect lateral movement, and then quickly restore compromised hosts if needed.

You can learn more by downloading the [2021 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html).

![Conceptual image representing ransomware](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/Ransomware-series-21-illustration_blue.png)

*** ** * ** ***

## Related Blogs

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Extortion Payments Hit New Records as Ransomware Crisis Intensifies](https://www.paloaltonetworks.com/blog/2021/08/ransomware-crisis/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Today's Cyberthreats: Ransomware, BEC Continue to Disrupt](https://www.paloaltonetworks.com/blog/2022/07/cyberthreats-incident-response-report/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Ransomware Trends: Higher Ransom Demands, More Extortion Tactics](https://www.paloaltonetworks.com/blog/2022/03/ransomware-trends-demands-dark-web-leak-sites/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Healthcare Organizations Are the Top Target for Ransomware Attackers](https://www.paloaltonetworks.com/blog/2021/08/healthcare-organizations-are-the-top-target/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Unit 42 and Crypsis Combine to Offer Threat Intel, Incident Response](https://www.paloaltonetworks.com/blog/2021/04/threat-intelligence-and-incident-response/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### More on the PAN-OS CVE-2024-3400](https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language