2020 was a great year for ransomware, Palo Alto Networks says

A new report from the cybersecurity vendor's Unit 42 research arm found that the average ransom paid nearly more than doubled in 2020.
ransomware infected computer
An IT researchers shows off a computer infected by a ransomware at the LHS (High Security Laboratory) of the INRIA (National Institute for Research in Computer Science and Automation) in Rennes, France, on November 3, 2016. (Damien Meyer / AFP / Getty Images)

Ransomware became more lucrative than ever last year, with the average payment more than doubling as malicious actors continued to target all sectors, especially governments, schools and hospitals, according to research published Wednesday by Palo Alto Networks.

Additionally, tactics like double extortion — in which a ransomware victims’ data was both encrypted and stolen with the threat of publication — became the norm for hackers, who posted information stolen from hundreds of victims worldwide, including 151 in the United States, on leak sites after their demands were not met.

That evolution, said Jen Miller-Osborn, the deputy director of threat intelligence at Unit 42, Palo Alto Networks’ research division, has rendered past guidance on defending against ransomware — like keeping strong, offline backups — insufficient.

“They’ve definitely matured in skills and are learning from past mistakes, learning from protections that’ve been recommended so they can continue to be successful,” she said. “The double extortion is a prime example that when you had good backups and you could restore, ransomware wasn’t as big an issue.”


And more and more ransomware authors are operating like software-as-a-service, in which they offer their malware to affiliates in exchange for a cut of any ill-gotten gains. “The ease of success with ransomware attacks tells us that more financially motivated operators will continue appearing on the scene,” the report reads.

While the Palo Alto report covers ransomware globally, it notes many actors continued their campaigns against state and local governments and educational organizations across the U.S. last year. Miller-Osborn said that those entities continue to make prime targets because they “typically aren’t well resourced.”

Several universities and K-12 districts either paid ransoms or had their data stolen and published last year. The University of California, San Francisco, paid more than $1 million to hackers using the NetWalker ransomware last June, while students and teachers in Fairfax County, Virginia, last fall had their personal information spilled online by actors using the Maze ransomware, which popularized the hack-and-leak tactic in late 2019.

UC San Francisco’s $1 million payoff helped raise the average ransom payment from victims in the U.S. and Canada from $115,123 in 2019 to $312,493 last year, a 171% jump, according to Palo Alto. (Overall, the consumer electronics manufacturer Garmin set a new record with a $10 million payment.) And the affiliate model makes it “really easy” for ransomware actors to keep earning, Miller-Osborn said.

“These actors are continuing to make lots and lots of money,” she said.


Enforcement improves, but new threats emerge

If there was one bright spot over the past year, it’s been an increase in the number of global law-enforcement and industry efforts to disrupt ransomware actors and the tools they use, Miller-Osborn said. Microsoft and U.S. Cyber Command last October took over TrickBot, a botnet that’s frequently used to install the Ryuk ransomware; and in January, U.S. and European law enforcement announced a takedown of Emotet, a banking Trojan that often steals credentials before a ransomware strike. Authorities that month also arrested a Canadian national in relation to the NetWalker ransomware, which Palo Alto’s research found to be the biggest perpetrator of double-extortion attacks, leaking 113 victims’ data last year.

“We’ve seen them take hits where the networks are down for a period of time,” Miller-Osborn said. “We have seen cases where the authors are arrested. That’s one thing we’re seeing improvement in.”

But organizations — especially in the public sector — need to be more pro-active in taking defensive measures. The rise of double extortion makes an endpoint detection tool a mandatory component of any security architecture, Miller-Osborn told StateScoop.

“It’s a have-to-have at this point,” she said. “The baseline has gone from effective backups and now it’s you need to have endpoint detection.”


She also recommended advanced firewalls, URL filtering and domain blocking services. The Multi-State Information Sharing and Analysis Center last year launched such a product for its state and local government members last year.

Still, ransomware actors have shown their abilities to regroup and hone their tactics, Miller-Osborn said, especially as new vulnerabilities emerge, like the recent compromise, allegedly by Chinese hackers, of the Microsoft Exchange Server email platform. Already one new form of ransomware, called DearCry, has started targeting Exchange Server users, further raising the urgency for those entities to install patches and check for intrusions.

“The patch rate has been incredibly fast based on what we’ve seen, but there are still a lot of Exchange servers that for some reason haven’t been patched yet,” she said.

This story is part of StateScoop & EdScoop’s special report on one year of the COVID-19 pandemic.

This story was featured in StateScoop Special Report: COVID-19: One Year In (2021)

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts