Nearly 50% of organizations hit by ransomware are US-based

Edward G. | May 05, 2021

Data presented by the Atlas VPN team shows that 45% of organizations hit by ransomware in 2020 are based in the US.

Organizations all over the world are being kept hostage by ransomware, and many are being forced to pay criminals because the expense of downtime and loss of reputation if the consumer data goes public outweighs the ransom.

Researchers from Palo Alto Networks analyzed data that was gathered by two of their branches — global threat intelligence team (Unit 42) and incident response team (The Crypsis Group). 

They also collected data from publicly available websites as well as those on the dark web from January 2020 to January 2021. The dataset included 337 victims from 56 different industries in five regions and 39 countries.

Surprisingly, out of 337 ransomware victims last year, 151 (45%) were operating in the US. 

US organizations are much more profitable for hackers. They reach a wider market than most other countries, which often means that they have more resources. Moreover, having more employees, contractors and using more services creates a broader attack surface for hackers to exploit.  

On a similar note, 39 (12%) of businesses in Canada got trapped by ransomware and were forced to pay up. Third on the list is Germany, where 26 (8%) organizations suffered from a ransomware attack. 

Fourth is the United Kingdom, and fifth is France, where 17 (5%) and 16 (5%) businesses respectively have been a victim of a ransomware attack. 

Cybercriminals expect larger payouts when the information stolen is extremely sensitive. For example, instead of stealing user email addresses, hackers prefer to target financial details, personal information like social security numbers (SSNs), and police reports.

Ransomware is a lucrative market. The average ransom paid by organizations in the United States, Canada, and Europe rose by 171% from $115,123 in 2019 to $312,493 in 2020.

It is worth noting the fact that more companies proceed with the ransom because they have cyber insurance, which covers ransomware payments.

Double extortion on the rise

Several ransomware families have demonstrated their ability to exfiltrate data and use double extortion tactics, including NetWalker, RagnarLocker, DoppelPaymer, and several others. 

Instead of only encrypting data on the victim's computer, hackers also export files to their own computers in order to further compel the victim to pay the ransom. In case the ransom is not paid, criminals threaten to publish the data on leak sites and forums that are operating on the dark web. 

By far the most effective ransomware family is NetWalker, which was used in 33% of attacks last year.  

Interestingly, the FBI has already taken the matter into their own hands and took down the site on the dark web that was providing NetWalker ransomware for sale as a service. 

There, developers were responsible for creating and updating the ransomware and making it available to affiliates. Affiliates were responsible for identifying and attacking high-value victims with the ransomware. After the victim organization pays the ransom, developers and affiliates split the payment.

During the FBI’s investigation, a Canadian national - Sébastien Vchon-Desjardins of Gatineau was charged in the Middle District of Florida. He is alleged to have obtained over $27.6 million as a result of the offenses charged in the indictment. 

It does not mean that NetWalker ransomware is gone for good, it simply means that one of the main sources that provided NetWalker ransomware as a service was taken down.

Moving forward, RagnarLocker was used in 26 attacks and DoppelPaymer in 25, both of them being double extortion ransomware families. 

NeFilm (24), DarkSide (24), Revil (23), Avaddon (23), and Clop (22) are five other malicious software types that criminals chose quite often in 2020. 

In short, the findings reveal that US companies are targeted the most, criminals tend to use double extortion as the means of attack, and the average ransom payment sky-rocketed by 171% in 2020.

In 2021, Atlas VPN found that India, Austria, and US organizations are the most common targets of ransomware.

Edward G.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.



© 2023 Atlas VPN. All rights reserved.