8 WHAT IS NEXT? No that 2020 is behind us (and hopefull the Corona irus it brought along ith it will soon be too), it is time to look forward and try to assess how (and if) the “double e tortion” trend ill aâfect the c ber threat landscape in 2021. While it is diãfcult to predict how the future will unfold, especially as cybercriminals are constantly upgrading their TTPs, we estimate that the “double extortion” tactic employed by ransom are gangs is here to sta , as it pro ed to be quite aâfecti e, seeing the gro ing ransom are pa outs obser ed in the åfrst three quarters of 2020. However, it seems that the steady increase in ransom payouts observed throughput most of 2020 came to a halt in the last quarter of 2020. In Februar 2021, it as reported that the a erage ransom pa ment in Q4 2020 as $154,108, hich is a decline of 34% compared to Q3 2020, hen the a erage ransom pa ment as $233,817 57 . Researchers estimate that fewer victims are willing to pay the ransom and that the decline in ransom payments stems from the refuse of more and more victims to give in to the attackers demands. However, it is too early to determine if this points to a ne trend, and e should probabl ait for data on Q1 2021 to determine this. Nonetheless, this may encourage ransomware gangs to improve and come up with new, innovative extortion tactics to apply extra pressure on victims to pay and keep their business lucrative. A case in point are the reports that emerged to ards the end of 2020 and again in Januar 2021, claiming that ransom are gangs, such as SunCr pt, RagnarLocker and Avaddon, have started launching Distributed Denial of Service (DDoS) attacks against the websites or networks of their victims until they “surrender” and negotiate with the attackers on the ransom payment 58 . While it is still early to determine if the use of DDoS will become as trendy among ransomware gangs as the “double extortion” tactic, this demonstrates the creativity of ransomware operators, and it should come as no surprise if they would continue to develop their extortion tactics to additional directions in the course of 2021. It is also possible that more cybercriminals will completely skip the ransomware deplo ment and encr ption stages and mo e straight to data e åfltration (as as observed in the case of the Iranian Pay2Key ransomware), and instead of demanding ransom for decr pting the åfles hile also threatening to leak their data as an e tra layer of leverage, they will only demand a payment in exchange for not publicly leaking ictims’ data (or for not selling it to the highest bidder). In this report, we highlighted some aspects in which ransomware gangs are becoming more like advanced, sophisticated state-sponsored actors. One of them is the more targeted nature of their attacks, both in terms of geography and sectors. Another is the targeting of ICS networks by ransomware gangs, which up until recently were mostly targeted by nation-sponsored actors. It is possible that more ransomware https:// . dnet.com/article/ransom are-pa ments-are-going-do n-as-more- ictims-decide-not-to-pa -up/ https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ 57. 58. 32 | The Ransomware Landscape