The average ransomware payment has risen 71% this year and is close to reaching $1 million, experts have said.
In ransomware cases that have been assisted by incident responders at cyber security company Unit 42 of Palo Alto Networks, the average ransom paid was $925,162 in the first five months of 2022.
This represents a steep and “startling” rise from figures of previous years when average ransom payments were $541,009 and $303,756 in 2021 and 2020 respectively, said Ryan Olson, vice president of threat intelligence at Unit 42 in a blog post.
As recently as 2016, the company’s incident responders were seeing payments of just $500, and the rise of double extortion models has placed added pressure on organisations to pay ransom demands.
Double extortion ransomware has become a popular operational model in recent years as companies are increasingly vigilant to ransomware attacks and are keeping better backups to avoid having to pay ransom demands.
The model sees attackers infecting a corporate network with ransomware, locking users out of machines as usual, but exfiltrates sensitive data before the infection chain begins, threatening to leak the data if the ransom isn’t paid.
This places additional pressure on companies to maintain their reputation with customers and from a regulatory perspective for companies bound by stringent data protection laws like GDPR.
“Details of about seven new victims on average are posted each day on the dark web leak sites that ransomware gangs use to coerce victims into paying ransoms,” said Olson. “The rate of double extortion we’ve observed translates into one new victim every three to four hours.
“The cyber extortion crisis continues because cybercriminals have been relentless in their introduction of increasingly sophisticated attack tools, extortion techniques and marketing campaigns that have fueled this unprecedented, global digital crime spree,” he added. “Their ransomware-as-a-service (RaaS) business model has at the same time lowered the technical bar for entry by making these powerful tools accessible to wannabe cyber extortionists with easy-to-use interfaces and online support.”
Unit 42 has observed two instances of multi-million-dollar ransoms being paid this year, driven by the success of the Quantum Locker and LockBit 2.0 ransomware operations.
RELATED RESOURCE
The Total Economic Impact™ of Mimecast
Cost savings and business benefits enabled by using Mimecast with Microsoft 365
FREE DOWNLOAD
Companies that could be put out of business if they don’t pay the ransom will continue to be targeted, the researcher said, and it’s in these cases where the huge ransom demands will again be issued.
Olson cited Costa Rica as an example of how devastating ransomware can still be in 2022, five years on from WannaCry and six years after the average ransom demand was in the region of $500 - a pittance in today’s threat landscape.
The country has declared a state of emergency after it sustained an attack from the Conti ransomware and has since had a second ransomware gang targeting the country, this time focusing on its health service.
According to a separate report from Digital Shadows, the first quarter of 2022 saw a 25% decrease in ransomware activity compared to the previous quarter.
The company said the decrease in activity could be a result of a less prominent threat of the larger, more organised ransomware groups that have shuttered in recent months, such as REvil and BlackMatter.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
