The highest ransom paid by an organization to a cybercriminal gang doubled from $5 million in 2019 to $10 million in 2020, while the average ransom paid skyrocketed 171%, according to Palo Alto Networks’ Unit 42.
Unit 42 is the security vendor’s threat intelligence team, and its new Ransomware Threat Report, released today, shows a startling global surge in ransomware demands and payments last year. The average ransom paid by organizations increased from $115,123 in 2019 to $312,493 in 2020. And this appears to have emboldened criminals to demand higher ransoms. From 2015 to 2019, the highest ransomware demand held steady at $15 million. In 2020, however, the highest ransomware demand grew to $30 million.
“Attackers are increasingly recognizing how much money they can make, and there are relatively few barriers to entry,” said Jen Miller-Osborn of Palo Alto Networks’ Unit 42. “You can get rich by never leaving your house, if this is the kind of thing you feel comfortable doing. Criminals are recognizing that this is a really easy way to potentially make a lot of money, so they’re targeting more organizations and evolving their tactics, and right now ransomware doesn’t really have a lot of negative consequences.”
Unit 42 collaborated with Crypsis, a consulting and incident response firm, on the ransomware report. Unit 42 analyzed data from 252 ransomware leak sites on the dark web and public websites, along with global threat data from internal and external sources. It found 337 victims across 56 industries in 39 countries. Crypsis contributed breach response data for the U.S., Canada, and Europe.
NetWalker Ransomware Topped List of Leak Sites
NetWalker ransomware operators led the list of leak sites that were still live in January, with 33%, compared to all the other ransomware gangs, which each accounted for 7% or less. It’s worth noting that a coordinated international law enforcement action took down the NetWalker group on Jan. 27, seizing about $500,000 and disabling its dark web domain.
The report also used Palo Alto Networks’ AutoFocus threat intelligence service, which analyzed 19,568 network sessions and discovered 164 unique malware samples.
Threat researchers found ransomware attackers across the board exploited COVID-19, with the health care sector remaining a top target. Ryuk ransomware, in particular, focused heavily on hospital systems that were overwhelmed by the pandemic. “The focus on healthcare, especially by the Ryuk ransomware family, really stood out to me because choosing health care is just an extra level of bad in my opinion,” Miller-Osborn said.
In addition to health care, Ryuk hit multiple industries with initial ransom demands ranging from $600,000 to $10 million.
Unit 42 Expects These Ransomware Trends to Grow in 2021
“One of the things that I expect to see, although I really hope doesn’t happen, is some ransomware families taking advantage of the Microsoft Exchange vulnerabilities that were recently disclosed,” Miller-Osborn said. “And, in general, I think that’s something we’ll just start to see ransomware move toward: adding vulnerabilities to how they compromise networks to spread their malware.”
Unit 42 also expects to see trends like double-extortion ransomware and ransomware-as-a-service continue well into 2021.
Double-extortion ransomware attacks weren’t widely used until 2020. In these attacks, the operators first exfiltrate large amounts of sensitive data before encrypting the victim’s systems. They then threaten to publish that data unless the victim pays the ransom, which puts extra pressure on organizations to pay up even if they can restore from backups.
Additionally, ransomware-as-a-service is another disturbing trend that picked up steam in 2020. This makes the deployment of ransomware easily accessible to millions of would-be cybercriminals that previously didn’t have the tools.
“Unfortunately, that’s one of the areas I think we’ll see more attackers moving into,” Miller-Osborn said. “When there’s no technical barriers to entry, it’s just easy money at that point.”
How to Defend Against Ransomware
Defending against ransomware requires a security strategy similar to the one used against other malware. This includes user awareness and employee training on email security and how to recognize phishing emails. Additionally, remote desktop services should be properly configured (not exposed directly to the internet, protected by multi-factor authentication) and follow the principle of least privilege, so that a single compromised account cannot give an attacker broad access to corporate networks and data.
According to Unit 42, the most effective forms of protection from ransomware are endpoint security, URL filtering or web protection, advanced threat prevention, and anti-phishing services deployed to all enterprise environments and devices.
“One of the keys with detecting ransomware or malicious behavior on an endpoint, is that you can both prevent the ransomware from being able to be executed, but you can also prevent it from being used to find things,” Miller-Osborn said, explaining that once an attacker lands within an organization’s IT environment, it will look around for data to exfiltrate. “That’s malicious behavior that should be detectable and flagged if not outright blocked.”
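The “looking around” behavior Miller-Osborn describes shows up in endpoint telemetry as a burst of reconnaissance commands (whoami, net group, nltest, ipconfig and the like) from one host in a short window. The following is an added illustration, not code from the Unit 42 report or from Palo Alto Networks: a small detector run over constructed process-creation log lines. The log format (timestamp, host, user, command line), the sample lines, the command list and the thresholds are all assumptions chosen for the example; in practice the list and window would be tuned to the environment.

```python
"""Flag hosts that run several distinct discovery commands within a short window.

Added example; not from the report. Log format, sample lines, command list and
thresholds are all assumptions for illustration.
"""
import ntpath
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed starter list of post-compromise discovery tools (not exhaustive).
DISCOVERY_CMDS = {
    "whoami", "net", "nltest", "ipconfig", "systeminfo",
    "tasklist", "quser", "nslookup",
}

# Constructed sample process-creation events: timestamp host user command-line
SAMPLE_LOG = """\
2021-03-17T09:00:01 WS-17 alice "C:\\Windows\\System32\\whoami.exe" /all
2021-03-17T09:00:04 WS-17 alice "C:\\Windows\\System32\\net.exe" group "Domain Admins" /domain
2021-03-17T09:00:09 WS-17 alice "C:\\Windows\\System32\\nltest.exe" /dclist:corp
2021-03-17T09:00:15 WS-17 alice "C:\\Windows\\System32\\ipconfig.exe" /all
2021-03-17T09:10:00 WS-22 bob "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" budget.xlsx
2021-03-17T11:30:00 WS-22 bob "C:\\Windows\\System32\\ipconfig.exe" /all
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and executable name."""
    ts, host, user, cmdline = line.split(" ", 3)
    # posix=False keeps Windows backslashes literal and keeps quoting intact,
    # so a quoted path containing spaces stays one token.
    exe_path = shlex.split(cmdline, posix=False)[0].strip('"')
    exe = ntpath.basename(exe_path).lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "exe": exe}


def find_discovery_bursts(log_text, window_seconds=60, min_distinct=3):
    """Return one alert per host for each window holding >= min_distinct
    distinct discovery commands. Each alert lists host, window start and commands."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["exe"] in DISCOVERY_CMDS:
            by_host[ev["host"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            start = events[i]["ts"]
            seen = set()
            j = i
            while j < len(events) and events[j]["ts"] - start <= window:
                seen.add(events[j]["exe"])
                j += 1
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "start": start.isoformat(),
                               "commands": sorted(seen)})
                i = j  # report the burst once, then continue past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG):
        print(f"{alert['host']} at {alert['start']}: {', '.join(alert['commands'])}")
```

On the constructed sample, WS-17 is flagged for four distinct discovery commands inside 14 seconds, while WS-22’s lone ipconfig run is not, which is the point of counting distinct tools in a window rather than alerting on any single command that administrators also use legitimately.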
But in addition to organizations taking steps to shore up their own security postures, stopping ransomware will require a larger, coordinated effort between international law enforcement and the private sector, she added. We’re starting to see these types of public-private partnerships and efforts “to share the data we have on these attacks so we can go after people and get them arrested, maybe impose financial sanctions on an entity if we can’t arrest specific individuals,” Miller-Osborn said. “So that there are consequences, and we will prosecute you if you’re going to do these sorts of things.”