The average ransom demand in 2021 was $247,000, 45% more than the previous year, with most threat actors trying to force payment via double extortion tactics, according to Group-IB.
The security vendor’s Ransomware Uncovered 2021/2022 report was compiled from an analysis of over 700 investigations undertaken by its incident response team.
It claimed the continued rise of ransomware is down to the proliferation of initial access brokers and ransomware-as-a-service offerings on the dark web.
The report argued that more sophisticated threats made it harder for victims to recover: the average downtime from an attack rose from 18 to 22 days year-on-year.
However, on the plus side, attacker dwell time fell from 13 days to nine over the same period. That limits the time in which threat actors have to move laterally within networks, steal data and deploy their ransomware payload.
Data theft and threatened leakage were used in 63% of attacks last year as a method of forcing payment, Group-IB said.
Lockbit, Conti and Pysa were the most aggressive in posting data to leak sites. However, it was two newcomers, Hive and Grief, that caught the eye – making it on the top 10 list of ransomware gangs by number of victims posted to leak sites.
The former demanded an outrageous $240m ransom from MediaMarkt, the largest of the year and of all time.
Grief was actually a rebrand from DoppelPaymer, an increasingly popular tactic for threat actors keen to avoid sanctions and scrutiny from investigators.
“Given multiple rebrands forced by law enforcement actions as well as the merging of TTPs due to the constant migration of affiliates from one ransomware-as-a-service (RaaS) program to another, it is becoming increasingly challenging for security professionals to keep track of the ever-evolving tactics and tools of ransomware threat actors,” warned the head of Group-IB’s data forensics and incident response team, Oleg Skulkin.
Remote desktop protocol (RDP) remains the top vector for attacks (47%), followed by phishing (26%). More attacks were facilitated by exploits of public-facing applications last year (21%) than in 2020 (17%).