2021 could be the year of ransomware. Up until recently, they were known almost exclusively to cyber security experts and unfortunate victims. Today we h
ear about them almost daily in the mass media. If the trend continues, by the end of the year attacks will have increased by 300% compared to the end of 2019.

It is not strange. Ransomware attacks are particularly profitable and increasingly easier to launch thanks to the RaaS (Ransom As A Service) model. New phenomena such as double extortion make them more insidious than ever. The percentage of successful attacks is decreasing, but higher ransoms and enormous remediation costs risk bringing companies that don\’t invest enough in data security to their knees.

Table of contents:

Ransomware in 2021
Who is most affected by ransomware?
Ransomware: What is the average ransom payout in 2021?
Most common ransomware types
What changes in ransomware attacks in 2021
Biggest ransomware attacks in 2021
Ransomware attacks in Italy in 2021

The state of ransomware in 2021

Ransomwares now account for a significant percentage of cyber attacks. In the first half of 2021 alone, there were 304.7 million episodes, according to the SonicWall detection lab.

In early 2021, Sophos commissioned a survey involving 5,400 companies from 30 countries with 100-5,000 employees, concluding that:

  • 37% had been subjected to ransomware attacks in 2020. Not all of them succeeded.
  • 54% of organizations attacked had their data encrypted. Between these:
    • 32% admitted they paid to be able to decrypt the files.
    • 57% used backups for recovery, 8% managed to recover data in other ways.
    • 96% of those who paid the ransom were able to decrypt part of the data. But only 8% managed to recover everything.
  • Large public and private organizations appear to be more likely targets: 42% of those affected have 1000-5000 employees, 33% have 100-1000.
  • The average ransom for midsize companies was $ 170,000.
  • But the total costs of a ransomware attack are much higher: $ 1.85 million on average in 2020.

Back to the table of contents

Who is most affected by ransomware?

According to the Sophos 2021 report, The US is the country most affected by ransomware in the world, followed by India. In Europe, Germany, France and Italy are hit the most.

No business is safe. Some of the groups behind ransomware attacks claim to target only large organizations, while others regularly hit small and medium-sized businesses. Most of the cases involve Windows devices, but ransomwares can infect all operating systems.

The most affected sectors are education and retail, professional services and public bodies. Since 2020, cybercriminals have also particularly targeted the health sector, exploiting the crisis caused by covid-19.

Local administrations are often the target of attacks, which they rarely manage to stop: 69% manage to encrypt data. A low level of cyber security and the ability to access public funds to pay the ransom make them particularly attractive victims.

In the distribution and transportation, media and entertainment sectors, however, companies seem to be more capable of blocking malware and avoiding encryption: they succeed in 47-48% of cases.

The public and energy sectors appear to be good targets for their propensity to give in to hacker blackmail. Public bodies declared that they had paid in 42% of the cases. Perhaps not a good idea since 75-80% of those who do it are targeted again within a short time (GTIC Monthly Threat Report: August 2021).

Back to the table of contents

Ransomware: What is the average ransom payout in 2021?

Studies conducted at the beginning of 2021 tell us that the average ransomware payout is $170.000, the most common is $10.000, the highest $3.2 million. In any case, the amounts required depend on the size of the organization (Sophos).

These are indicative numbers because many organizations try to hide data breaches, deny payment of the ransom or refuse to disclose the figures. One thing is certain: ransomware payouts may vary widely, based on the size of the organization hit, the geographical area in which it is located and the type of attack.

Those conducting ransomware attacks adapt their demands to the economic capacity of the target to increase the probability of payment. The average ransom accepted by companies with fewer than 1000 employees was about half of that paid by companies with 1000-5000 employees ($108.000 versus $226.000).

For the same reason, the amounts required outside Western countries are much lower, with an average of $76.000 in India. Furthermore, the ransoms are usually smaller in the case of massive spray-and-pray infections compared to targeted stay-and-play attacks, which involve time and human resources dedicated to studying the victim.

Back to the table of contents

Most common ransomware types

At the beginning of 2021, the best-known ransomware strains were:

  • Netwalker
  • Ryuk
  • Cerber
  • SamSam
  • Maze
  • Defray777
  • WastedLocker
  • GandCrab + Revil
  • DoppelPaymer
  • Dharma
  • Phobos
  • Zeppelin

In January 2021, an international police operation succeeded in knocking out NetWalker operators, responsible for a third of all ransomware attacks in 2020, including most double extortion cases.

This summer, Avaddon and Ragnarok ransomware groups decided to retire and released all their decryption keys.

Back to the table of contents

What changes in ransomware attacks in 2021

In the first semester of 2021, the number of global ransomware attacks increased by 151% compared to the same period of the previous year, reaching the figure recorded in the whole 2020. It’s expected to grow by 300% in 2 years by the end of 2021 (GTIC\’s Monthly Threat Report August 2021).

Also, the number of active ransomware families is always growing: according to the FBI, there are 100 circulating today. The most dangerous ones seem to be Ryuk, Cerber and SamSam, says the SonicWall mid-year report. Ryuk is the most widespread, with many infections to health organizations, specially warned by the FBI and the US Department of Health.

Today, spreading ransomware is incredibly easy: on the dark web are platforms to do it with minimal expenditure of time and energy. It\’s the RaaS model, Ransom as a Service, in which almost anyone can turn into a cybercriminal by paying a fee to the software creators.

In 2021, double extortion has become frequent. Not only do the operators ask for money in exchange for the decryption key, but also take possession of the victim\’s files and threaten to make them public if the ransom is not paid within the set deadline. Recently, some companies that suffered encryption and refused to cooperate also experienced DDoS attacks, which made their sites inaccessible.

The publication of stolen files on leak sites can damage the brand and bring penalties for failing to properly guard personal and sensitive data. In 2020, the double extortion technique was used in 7% of ransomware cases and about half of them were in the US.

There’s an increase in more targeted attacks that include human hands-on-keyboard hacking. This is why ransom payout is growing by 171% according to Palo Alto Network. Ransomware remediation costs have also doubled compared to 2019.

However, there are still massive supply-chain ransomware attacks, w
hich manage to reach thousands of companies through a single digital service provider, such as Kaseya, which was hit in July with hundreds of its customers.

After macOS, Linux is now also under attack. A difficult but potentially very profitable target, given that more than 70% of the servers on the network use it. In 2021, no operating system can be considered completely secure anymore.

Find out how Babylon Cloud\’s data protection and sharing solutions can ensure business continuity and security.

Back to the table of contents

Biggest ransomware attacks in 2021

Here are some of the biggest ransomware attacks of 2021, based on the size of the company and the size of the ransom required.

In March, REvil managed to hit Acer through a Microsoft Exchange vulnerability, threatening to post stolen data on leaked sites and demanding 50 million dollars for encryption keys. It is not known whether or not they were paid by the corporation.

Kia Motors suffered the usual double extortion and a 20-million request from the DopplePaymer group. Following the attack, the web portal and other internal sites, payment systems and phone services were out of order for days.

The Colonial Pipeline was attacked in May by DarkSide, resulting in a disruption of fuel supply in the East Coast of the US for days. To recover the data, they paid a ransom of $ 4.4 million in bitcoins.

CNA Financial, one of the largest insurance companies in the US, suffered a data breach by the Phoenic Locker malware, involving the data of 75.000 people. And they admitted paying 40 million dollars to the blackmailers.

In May, DarkSide infected the computers of Brenntag, a German chemical distribution giant, encrypting 150 GB of data and asking for 7.5 million dollars, with the ransom operators threatening to publish company data on their dark-web site. The company managed to negotiate and pay only 4.4 million.

Ireland\’s Health Service Executive, a public body that manages healthcare in Ireland, also had to shut down its systems due to ransomware. There have been disruptions and probable breaches of patients\’ data for two weeks.

In June, Fuji also suffered unauthorized access to its server attributed to the REvil group.

Find out how Babylon Cloud\’s backup and sync & share solutions can ensure business continuity and security.

Back to the table of contents

Ransomware attacks in Italy in 2021

2021 saw a multiplication of cases of ransomware attacks against important organizations, also in Italy.

As privacy experts rightly point out, cryptolockers have been around for at least 7 years and have affected hundreds of thousands of Italian companies. If today the mass media talk about that so much, it’s because the number of targeted attacks against large companies and public bodies is increasing.

However, it was only with the attack to the Lazio Region website that ransomwares became known to the general public. This time, with online services made inaccessible, the damage caused by the malware was impossible to hide. The booking of vaccines, for example, was blocked for 6 days. The malware wasn\’t more sophisticated or powerful than others. Security systems were missing or inadequate.

In 2021, in Italy, Erg, reached through its supplier Engineering, and Salini were also the victim of data encryption and ransom demand by the Lockbit group. Among TelCos, Tiscali and Ho.Mobile, both at the beginning of the year. In August also ARS, the regional health company of Tuscany.

Back to the table of contents


The State of Ransomware 2021, Sophos
Unit 42 Ransomware Threat Report 2021, Palo Alto Networks
GTIC Monthly Threat Report August 2021
Mid-year update of SonicWall Cyber Threat Report
The State of Ransomware in 2021, BlackFog

Back to the table of contents