Ransomware Payments Explode – So-Called ‘Quadruple Extortion!’

Ransomware Payments Explode – So-Called ‘Quadruple Extortion!’

2 reports put hard figures onto what’s already crystal clear: Ransomware attacks have ‘skyrocketed’, & ransomware payments are the trails that have followed them upwards.

Unit 42 puts the average pay-out at over half a million, while Barracuda has tracked a 64% year over year spike in the number of attacks.

Multitude of Attacks

The average ransomware payment grew 82% year over year: It’s now over half a million dollars, according to the 1st-half 2021 update report put out by Palo Alto Networks’ Unit 42.

As far as the sheer multitude of attacks goes, Barracuda researchers on Thurs. reported that they’ve identified & analysed 121 ransomware incidents so far in 2021, a 64% increase in attacks, year-on-year.

What’s helped to increase extortion payments is the fact that cyber-criminals have been putting money into “highly profitable ransomware operations,” Unit 42 researchers wrote, including a new, disturbing trend: The rise of “quadruple extortion.”


Double extortion has been around for over a year: That’s when threat players not only paralyse a victim’s systems and/or data but also threaten to leak compromised data or use it in future spam attacks if victims refuse to pay extortion demands.

During the 1st half of 202, however, Unit 42 researchers observed ransomware groups commonly using as many as 4 techniques to turn the thumbscrews on victims, adding denial-of-service (DoS) attacks & harassment of a victim’s connections to the pain:

  1. Encryption: Victims pay to regain access to scrambled data & compromised computer systems that stop working because key files are encrypted.
  2. Data Theft: Hackers release sensitive information if a ransom is not paid.
  3. DoS: Ransomware gangs launch DoS attacks that shut down a victim’s public websites.
  4. Harassment: Cyber-criminals contact customers, business partners, employees & media to tell them the organisation was hacked.

Increasingly Aggressive

These “increasingly aggressive” tactics have fattened ransoms that were already increasingly engorged. Unit 42 reported last year that the average payment last year had surged 171%, to more than $312k. During the 1st half of this year, that shot up to a record $570k.

“While it’s rare for 1 organisation to be the victim of all 4 techniques, this year we have increasingly seen ransomware gangs engage in additional approaches when victims don’t pay up after encryption & data theft,” Unit 42 reported.

“Among the dozens of cases that Unit 42 consultants reviewed in the 1st half of 2021, the average ransom demand was $5.3m. That’s up 518% from the 2020 average of $847k,” researchers observed.

Single Victim

More statistics include the highest ransom demand of a single victim spotted by Unit 42, which rose to $50m in the 1st half of 2021, up from $30m last year. As yet this year, the largest payment confirmed by Unit 42 was the $11m that JBS SA disclosed after a massive attack in June. Last year, the largest payment Unit 42 observed was $10m.

Barracuda has also tracked a spike in ransom demands: In the attacks that it’s observed, the average ransom ask per incident was more than $10m, with only 18% of the incidents involving a ransom demand of less. Also, 30% of the incidents had greater than $30m ransom asks.

Extortion Demands

Also, Barracuda traced the cause of raised extortion demands to the wider adoption of cryptocurrency. It commented that this increased prevalence of crypto-currency has led to “a correlation of increased ransomware attacks & higher ransom amounts.

With increased crackdown on bitcoin successful tracing of transactions, criminals are starting to provide alternative payments methods, such as the REvil ransomware gang asking for Monero instead of Bitcoin.”

A Pricey Decryptor Key

Unit 42 researchers also referred to a new tactic that REvil use: After attacking Kaseya & its customers, REvil operators offered to sell a universal decryption key that would unlock all organizations affected by the attack, for $70m – an asking price it quickly dropped to $50m.

That would have helped a lot of Kaseya’s customers, many of which were managed service providers (MSPs) that use the company’s VSA product. At least 60 customers in 22 countries were hit in the spate of worldwide cyber-attacks on July 2. Eventually, Kaseya did get its hands on a decryptor.

UPDATE: This original story misstated the facts around Kaseya’s possible payment for a decryptor. In fact, Kaseya published a statement on July 26 on its VSA updates page, emphatically saying that it did not pay for the key: “Kaseya did not pay a ransom – either directly or indirectly through a 3rd party – to obtain the decryptor.”

(A purported master key was leaked online earlier this week, but researchers stated that the decryptor is of little use to other companies hit in the attacks, which were unleashed before the notorious ransomware group went dark.)

Barter Hard

The drop in asking price for REvil’s decryptor is mirrored by other instances of shrinking ransom demands. Barracuda pointed out several instances of ransomware gangs responding to negotiation tactics, including:

“The initial ransom ask may not be the final ask, so if they’re planning to pay, it is important for ransomware victims to exercise negotiation options,” according to Barracuda’s Fleming Shi. “The outcome can be savings in the millions.”

Who’s Getting Chosen

In his Thur. post, Shi observed that the ransomware thugs are picking on victims of all sizes. “The grim outlook for the future of ransomware leaves no one spared from financial damage or brand-crushing headlines,”

Shi wrote. “Ransomware criminals are penetrating the foundation of our digital economy, from trusted software vendors to IT service providers.”

While ransomware gangs are still “heavily targeting” municipalities, healthcare & education, attacks on other businesses are “surging,” the researcher commented.

120 Incidents

“Attacks on corporations, such as infrastructure, travel, financial services, & other businesses, made up 57% of all ransomware attacks between Aug. 2020 & July 2021, up from just 18% in our 2020 study. Infrastructure-related businesses account for 10% of all the attacks we studied.”

After analysing more than 120 incidents from Aug. 2020 until July 2021, Barracuda’s research team found that ransomware attacks increased 64% year over year, & that REvil & Dark Side were responsible for 27% of those attacks.

Multiplier Effect

A multiplier effect occurs, given that ransomware attacks are “quickly evolving to software supply-chain attacks, which reach more businesses in a single attempt,” Shi explained, with Kaseya being just 1 case. Others are the airline industry & the JBS Foods attacks, the latter of which led to the meat supplier being forced to shut down operations in the US & Australia.

While the US is still in attackers’ sights, Barracuda found that ransomware attacks are proliferating across the globe. “Just under half of the attacks in the past 12 months hit US organisations (44%). By comparison, 30% of the incidents happened in EMEA, 11% were in Asia Pacific countries, 10% were in South America, & 8% were in Canada & Mexico,” Shi stated.

Largest Ransoms

Unit 42 predicted that ransom demands will continue to spiral upwards, but that some gangs will continue to focus on smaller businesses that can’t afford to invest heavily in cyber-security defences.

“So far this year, we have observed groups, including Net Walker, Sun Crypt & Lock Bit, demanding & taking in payments ranging from $10k to $50k,” researchers noted. “While they may seem small compared to the largest ransoms we observed, payments that size can have a debilitating impact on a small organisation.”


Unit 42 also expected to see more targeting of hypervisors, given that can lead to corruption of multiple virtual instances running on a single server.

One example was seen last month, when researchers observed a Linux Variant of REvil ransomware targeting VMware’s ESXi virtual machine management software & network attached storage (NAS) devices that run on the Linux operating system (OS).