* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Must-Read Articles](https://www2.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* Ransomware Trends: Higher...

# Ransomware Trends: Higher Ransom Demands, More Extortion Tactics

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2022%2F03%2Fransomware-trends-demands-dark-web-leak-sites%2F)  
[](https://twitter.com/share?text=Ransomware+Trends%3A+Higher+Ransom+Demands%2C+More+Extortion+Tactics&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2022%2F03%2Fransomware-trends-demands-dark-web-leak-sites%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2022%2F03%2Fransomware-trends-demands-dark-web-leak-sites%2F&title=Ransomware+Trends%3A+Higher+Ransom+Demands%2C+More+Extortion+Tactics&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2022/03/ransomware-trends-demands-dark-web-leak-sites/&ts=markdown)  
\[\](mailto:?subject=Ransomware Trends: Higher Ransom Demands, More Extortion Tactics)  
Link copied  
By [Ryan Olson](https://www.paloaltonetworks.com/blog/author/ryan-olson/?ts=markdown "Posts by Ryan Olson")  
Mar 24, 2022  
4 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)  
[Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)  
[extortion](https://www.paloaltonetworks.com/blog/tag/extortion/?ts=markdown)  
[RaaS](https://www.paloaltonetworks.com/blog/tag/raas/?ts=markdown)  
[ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown)  
[ransomware threat report](https://www.paloaltonetworks.com/blog/tag/ransomware-threat-report/?ts=markdown)  
[Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www2.paloaltonetworks.com/blog/2022/04/ransomware-trends-demands-dark-web-leak-sites/?lang=ja "Switch to Japanese(日本語)")

Today, as we publish our [2022 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/2022-unit-42-ransomware-threat-report), we're once again reporting that payments hit new records as cybercriminals increasingly turned to dark web "leak sites" where they pressured victims to pay up by threatening to release sensitive data.

A year ago, Unit 42 [released its 2021 Unit 42 Ransomware Threat Report](https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/), which documented how cybercriminals had used the windfall profits generated from cyber extortion to transform themselves into massive criminal enterprises, some with near-nation state cyber capabilities. We [warned](https://www.paloaltonetworks.com/blog/2021/03/ransomware-threat/) that cyber extortion had reached crisis levels due to the wild success of a criminal business model known as [ransomware as a service (RaaS)](https://www.paloaltonetworks.com/blog/2021/10/ransomware-as-a-service/).

## Ransomware Groups and Trends in Demands and Payments

The average ransom demand in cases worked by Palo Alto Networks Unit 42 security consultants rose 144% in 2021 to $2.2 million, while the average payment climbed 78% to $541,010.
![Average ransom demand in 2020: $906,324.23; Average ransom demand in 2021: $2,213,449.74; Average ransom payment in 2020: $303,756.59; Average ransom payment in 2021: $541,009.56](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image.jpeg)
Figure 1. Average ransom demands compared to average ransom payments in 2020 and 2021, according to Unit 42 incident response data.

The Conti ransomware group was responsible for the most activity, accounting for more than 1 in 5 cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was No. 2 at 7.1%, followed by Hello Kitty and Phobos (4.8% each).
![Top 14 most active ransomware variants in Unit 42 incident response data in 2021 (in order from most to least): Conti, REvil/Sodinokibi, Hello Kitty, Phobos, Suncrypt, Avaddon, BlackMatter, Cring, Lockbit, Lockbit 2.0, Hive, MedusaLocker, pysa, Robinhood. (Most active ransomware groups on dark web leak sites are a different list and are included in the full 2022 Unit 42 Ransomware Threat Report).](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-1.jpeg)
Figure 2. Top 14 most active ransomware variants in 2021 -- according to Unit 42 incident response data.

## Dark Web Leak Sites and DDoS -- Double and Multi-Extortion

For years, the main threat from ransomware has been that it would encrypt data on computers, making it impossible for organizations to use them to manage operations and retrieve critical information. That approach continued last year in some high-profile attacks that interfered with everyday activities that people all over the world take for granted -- everything from buying groceries and purchasing gasoline for our cars to calling for emergency services and obtaining medical care.

But threat actors have evolved their techniques in recent years to include additional ways to coerce their victims into paying ransoms.

For example, in addition to holding data and access hostage, some ransomware groups engage in double extortion by using dark web leak sites to threaten to release sensitive information to the public. Some groups engage in further pressure tactics -- they harass customers, bring down external websites or cause other harm.

That trend, known as multi-extortion, surged in 2021. The number of victims whose data was posted on those leak sites rose 85% in 2021 to 2,566 organizations, according to Unit 42's analysis. 60% of leak site victims were in the Americas, followed by 31% for Europe, the Middle East and Africa, and then 9% in the Asia Pacific region. The most affected industries were Professional and Legal Services, Construction, Wholesale and Retail, Healthcare, and Manufacturing.

## The 2022 Unit 42 Ransomware Threat Report

Our report also [documents other key trends](https://unit42.paloaltonetworks.com/2022-ransomware-threat-report-highlights). It explains how RaaS groups are increasingly leveraging zero-day vulnerabilities to launch attacks, plus making their encryption malware faster and more difficult to defeat. It also describes how they're using slick marketing campaigns to recruit affiliates and increasingly offering technical support to help victims get back online after they pay their ransoms.

Finally, the report outlines a series of best practices that organizations can use to address the threat of ransomware -- whether preparing for a possible ransomware attack or facing the impact of an attack that's already underway.

Download the full [2022 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/2022-unit-42-ransomware-threat-report) to learn more, and register to attend the [2022 Unit 42 Ransomware Threat Report Webinar](https://register.paloaltonetworks.com/2022unit42ransomwarethreatreportwebinar) live to hear our security experts discuss the key findings in the report.

## Get in Touch

**Want to be prepared for a ransomware attack? Call in the experts.**

If you think you may have been impacted by a ransomware attack, please [contact Unit 42](https://start.paloaltonetworks.com/contact-unit42.html) to connect with a team member. If you have cyber insurance, you can request Unit 42 by name. The Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting a [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/ransomware-readiness-assessment).

*** ** * ** ***

## Related Blogs

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Extortion Payments Hit New Records as Ransomware Crisis Intensifies](https://www2.paloaltonetworks.com/blog/2021/08/ransomware-crisis/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Healthcare Organizations Are the Top Target for Ransomware Attackers](https://www2.paloaltonetworks.com/blog/2021/08/healthcare-organizations-are-the-top-target/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### The Ransomware Threat: Bigger, Greedier, Attacking the Most Vulnerable](https://www2.paloaltonetworks.com/blog/2021/03/ransomware-threat/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### More on the PAN-OS CVE-2024-3400](https://www2.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Learning From the Past --- Ten 2022 Cybersecurity Events to Know](https://www2.paloaltonetworks.com/blog/2022/12/unit42-cybersecurity-events-2022/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Today's Cyberthreats: Ransomware, BEC Continue to Disrupt](https://www2.paloaltonetworks.com/blog/2022/07/cyberthreats-incident-response-report/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language