Average Ransom Demanded by Ransomware Operators Hits $247,000

A new report from Group-IB specialists reveals interesting details about ransomware operator attacks. In particular, analysts have identified the most aggressive ransomware families and shed light on the demands of cybercriminals.

The most active groups in 2021 were the operators of LockBit, Conti, and Pysa—these malware strains most frequently targeted organizations during the year. The average ransom demanded by attackers reached $247,000.

The report also notes that Group-IB’s Digital Forensics Lab responded to four times more ransomware incidents in the first quarter of 2022 compared to the same period the previous year.

Main Targets of Ransomware Attacks

Ransomware primarily targeted organizations located in North America, Europe, Latin America, and the Asia-Pacific region. The record for the highest ransom demand was set by the Hive operators, who demanded $240 million from MediaMarkt.

In 2021, there was also a significant increase in attacks on Russian companies, with the number of incidents rising by more than 200%. The most active ransomware strains in Russia were Dharma, Crylock, and Thanos.

The group behind the OldGremlin ransomware stood out by demanding 250 million rubles from one of its victims, setting a record for Russia. Group-IB also noted that cybercriminals in Russia tend to target large businesses with more than 5,000 employees.