Average Ransom Payment Up 71% This Year, Approaches $1 Million

As thousands of cybersecurity practitioners gather in San Francisco for the annual RSA Conference, we thought it would be a good time to take a quick look at ransomware activity that we’ve seen so far in 2022.

The numbers are startling: The average ransomware payment in cases worked by Unit 42 incident responders rose 71% from last year to $925,162 during the first five months of 2022, approaching the unprecedented $1 million mark. That figure does not include the additional costs incurred by victims, including remediation expenses, downtime, reputational harm and other damages.

Those costs are staggering when you consider the trajectory of their growth. The average ransom payment in cases worked by our consultants in 2020 was about $300,000. It’s hard to believe that the majority of transactions seen by our incident responders were $500 or less in 2016.

Details of about seven new victims on average are posted each day on the dark web leak sites that ransomware gangs use to coerce victims into paying ransoms. Called “double extortion,” the technique increases pressure on victims by adding a layer of public humiliation to the difficulty of losing access to files – identifying victims and sharing purported snippets of sensitive data stolen from their networks. The rate of double extortion we’ve observed translates into one new victim every three to four hours, according to Unit 42’s ongoing analysis of leak site data.

The cyber extortion crisis continues because cybercriminals have been relentless in their introduction of increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented, global digital crime spree. Their ransomware-as-a-service (RaaS) business model has at the same time lowered the technical bar for entry by making these powerful tools accessible to wannabe cyber extortionists with easy-to-use interfaces and online support.

The results can be devastating: Costa Rica’s government has suffered multiple ransomware attacks this year, including one in May that disrupted delivery of healthcare services. The 157-year-old Lincoln College shut down last month after a ransomware attack cut access to all university data, disrupting admissions for Fall 2022 – a cruel blow to an institution already seeking to recover from the pandemic.

This year’s growth in payments was pushed up by two multi-million-dollar ransoms – one to a rising group, Quantum Locker, and one to LockBit 2.0, which has been this year’s most active ransomware gang on double-extortion leak sites to date. Unfortunately, we have no reason to believe that extortion groups will stop seeking multi-million dollar payments – particularly in cases where organizations could be put out of business if they don’t pay up.

To read more insights on ransomware and learn how to protect against it – gathered from our firsthand knowledge of incident response cases as well as our ongoing monitoring of dark web leak sites – download the 2022 Unit 42 Ransomware Threat Report.