It’s no secret that the sums demanded by ransomware extortionists have become more outrageous over the last three years.
Ransomware started out as a crime against home users, with ransoms in the tens to hundreds of dollars at most.
Then criminals discovered small- and medium-sized businesses, and ransoms shot up into the hundreds of thousands. By the time enterprises started toppling, ransoms reached into the millions, leading to crazy speculation about whether once unthinkable billion-dollar demands could be in our future.
Certainly, evidence for spiraling ransom inflation isn’t hard to find, with the recent attack on TransUnion South Africa by Brazilian threat group N4ughtysecTU resulting in a reported $15 million demand. This sort of number is now commonplace for the biggest attacks.
Of course, what matters isn’t how much attackers ask for, but how much they get paid, both on average as well as the maximum payouts. Unfortunately, on that score things don’t look terribly positive either.
Officially, the record ransom is the $40 million insurer CNA Financial paid out in March 2021, ahead of the $11 million meat processor JBS paid attackers only weeks later. When you consider that the attackers demanded $60 million from CNA, perhaps the company saw what it paid as getting off lightly.
Meanwhile, according to Palo Alto’s Unit 42, the average ransom demand in 2021 was $2.2 million, a 144% rise compared to the previous year’s $906,000. The average payment was $541,000, up from $304,000.
Clearly, as one might expect, payouts are much lower than demands. Some victims refuse to pay while others pay but negotiate the price down. But what is driving the consistent rise in demands, which edges up payments? Presumably, there must be a ceiling on these, even if we’ve not reached that point yet.
If the Unit 42 report offers any clues, the biggest is simply the success of a small number of very brazen groups which set the industry standards.
For example, an extraordinary one in five of all attacks tracked by Unit 42 was the handiwork of a single group, Conti, with REvil accounting for 7%, followed by Hello Kitty and Phobos at around 4% each. This sort of activity suggests Conti’s claim on its dark web site to have breached 511 organizations wasn’t a bluff.
Indeed, the tactic of naming and shaming breached companies has become standard operating procedure, with 2,566 organizations having proof of compromise data posted on public sites during 2021—an 85% increase in 2020.
One effect of the inflation in ransom demands is that it is increasingly cost-effective for victims to hire specialized ransomware negotiators to hack out a discount from the attackers.
Reportedly, in 2021 at least two dozen companies sprang up offering to act as intermediaries, while insurers will also get involved if asked (see Ransomware.org’s recommendations regarding this topic).
Right now, it’s as if each outrageous demand is acting like a ratchet, setting a new ceiling for what gangs think they can get away with. Ironically, when it comes to the cost of ransomware attacks, the headline ransom is probably not the biggest worry. Far bigger are the remediation costs, which now run into millions even for relatively modest attacks, on top of which must be factored reputational, regulatory, and legal costs.
There is plenty of evidence that these costs are rising even more precipitously than ransoms, which raises the disturbing possibility that awareness of the financial damage of an attack might itself be encouraging ransom gangs to up their demands. After all, what self-respecting criminal asks for $1 million when the full cost of the same attack might reach 10 or 20 times that sum? If there’s a note of optimism in this, it’s that this should work against the possibility of billion-dollar ransoms: as cleanup costs soar, no organization could possibly afford it.