8 WHAT IS NEXT? Now that 2020 is behind us (and hopefully the Coronavirus it brought along with it will soon be too), it is time to look forward and try to assess how (and if) the “double extortion” trend will affect the cyber threat landscape in 2021. While it is difficult to predict how the future will unfold, especially as cybercriminals are constantly upgrading their TTPs, we estimate that the “double extortion” tactic employed by ransomware gangs is here to stay, as it proved to be quite affective, seeing the growing ransomware payouts observed in the first three quarters of 2020. However, it seems that the steady increase in ransom payouts observed throughput most of 2020 came to a halt in the last quarter of 2020. In February 2021, it was reported that the average ransom payment in Q4 2020 was $154,108, which is adecline of 34% compared to Q3 2020, when the average ransom payment was $233,817 57 . Researchers estimate that fewer victims are willing to pay the ransom and that the decline in ransom payments stems from the refuse of more and more victims to give in to the attackers demands. However, it is too early to determine if this points to a new trend, and we should probably wait for data on Q1 2021 to determine this. Nonetheless, this may encourage ransomware gangs to improve and come up with new, innovative extortion tactics to apply extra pressure on victims to pay and keep their business lucrative. A case in point are the reports that emerged towards the end of 2020 and again in January 2021, claiming that ransomware gangs, such as SunCrypt, RagnarLocker and Avaddon, have started launching Distributed Denial of Service (DDoS) attacks against the websites or networks of their victims until they “surrender” and negotiate with the attackers on the ransom payment 58 . While it is still early to determine if the use of DDoS will become as trendy among ransomware gangs as the “double extortion” tactic, this demonstrates the creativity of ransomware operators, and it should come as no surprise if they would continue to develop their extortion tactics to additional directions in the course of 2021. It is also possible that more cybercriminals will completely skip the ransomware deployment and encryption stages and move straight to data exfiltration (as was observed in the case of the Iranian Pay2Key ransomware), and instead of demanding ransom for decrypting the files while also threatening to leak their data as an extra layer of leverage, they will only demand a payment in exchange for not publicly leaking victims’ data (or for not selling it to the highest bidder). In this report, we highlighted some aspects in which ransomware gangs are becoming more like advanced, sophisticated state-sponsored actors. One of them is the more targeted nature of their attacks, both in terms of geography and sectors. Another is the targeting of ICS networks by ransomware gangs, which up until recently were mostly targeted by nation-sponsored actors. It is possible that more ransomware https://www.zdnet.com/article/ransomware-payments-are-going-down-as-more-victims-decide-not-to-pay-up/ https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ 57. 58. 32 | The Ransomware Landscape