Best practices for reporting ransomware attacks Enterprise ransomware prevention measures to enact in 2021

Ransomware trends, statistics and facts in 2022

Supply chain attacks, double extortion and RaaS were just a few of the ransomware trends that plagued 2021 and continue into 2022.

2021 was a breakout year for ransomware as the cybersecurity attack vector wreaked havoc on individuals and organizations around the world. It's a trend that will continue in 2022 and beyond.

While ransomware is not a new cybersecurity risk, it is a threat that received attention at the highest levels of government. Ransomware affected people's ability to get healthcare, put gas in their vehicles and buy groceries.

The financial effects of ransomware also became particularly pronounced in 2021. Attacks hit supply chains, causing more widespread damage than an attack against a single individual. There has also been an increased response from government and technology vendors to help stem the tide of ransomware attacks.

Ransomware trends in 2021 and 2022

A few key ransomware trends emerged over the course of 2021 and will likely continue into 2022. Attackers realized that certain techniques yield better results and focused on those approaches. Here were some of the primary trends for ransomware in 2021:

  • Supply chain attacks. Instead of attacking a single victim, supply chain attacks extended the blast radius. A prime example of a 2021 ransomware attack is the Kaseya attack, which affected at least 1,500 of its managed service provider customers.
  • Double extortion. In the past, ransomware was about attackers encrypting information found on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. There, it can be used for other purposes, including leaking the information to a public website if a payment is not received.

    Learn more about double extortion attacks and how to stop them.
  • Ransomware as a service (RaaS). Gone are the days when every attacker had to write their own ransomware code and run a unique set of activities. RaaS is a pay-for-use malware. It enables attackers to use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
  • Attacking unpatched systems. This was not a new trend for 2021, but it is one that continues to be an issue year after year. While there are ransomware attacks that do make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
  • Phishing. While ransomware attacks can infect organizations in different ways, in 2021, some form of phishing email was more often than not a root cause.
Ransomware trends of 2021 graphic
Here are some ransomware trends for 2021.

Ransomware statistics for 2021 and 2022

The statistics listed below provide insight into the breadth and growing scale of ransomware threats:

  • Ransomware is part of 10% of all breaches. It doubled in frequency in 2021, according to the 2021 "Verizon Data Breach Investigations Report."
  • Approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021, according to IDC's "2021 Ransomware Study."
  • The FBI's Internet Crime Complaint Center reported 2,084 ransomware complaints from January to July 31, 2021. This represents a 62% year-over-year increase.
  • The Cybersecurity and Infrastructure Security Agency reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
  • Since 2020, there have been more than 130 different ransomware strains detected, according to VirusTotal's "Ransomware in a Global Context" report:
    • The GandCrab ransomware family was the most prevalent at 78.5% of all samples it received, according to VirusTotal.
    • Ninety-five percent of all the ransomware samples are Windows-based executable files -- or dynamic link libraries -- according to VirusTotal.

Ransomware statistics by industry

Ransomware can hit any individual or industry, and all verticals are at risk. That said, ransomware attacks have affected some verticals more than others in 2021 and will continue to be an issue for years to come. Here are the top 10 ransomware targets by industry, according to cybersecurity firm Sophos:

  1. education
  2. retail
  3. business, professional and legal services
  4. central government
  5. IT
  6. manufacturing
  7. energy and utilities infrastructure
  8. healthcare
  9. local government
  10. financial services

Costs of ransomware attacks and payment trends

The costs attributed to ransomware incidents vary significantly depending on the reporting source. Different points of view from both the private and public sector provide some visibility into the cost and payment trends for ransomware attacks:

  • Ninety percent of ransomware incidents did not result in any loss, according to the 2021 Verizon report. While not every ransomware victim pays a ransom or incurs a cost, some do:
    • In 95% of the cases where there were ransomware-related costs, the median loss was $11,150, according to Verizon. However, losses ranged from a low of $70 to a high of $1.2 million.
  • Twelve percent of victims paid out on ransomware attacks in the third quarter of 2021, according to the Corvus Risk Insights Index. The 2021 figure is a decrease from the 44% of victims that paid ransomware demands in the third quarter of 2020.
  • In first six months of 2021, there was $590 million in ransomware-related activity, according to the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN). For all of 2020, FinCEN only reported $416 million in ransomware-related costs.

Recent ransomware attacks

There have been many ransomware attacks in recent years that affected organizations and their customers. But, in 2021, supply chain attacks affected more than just the individual organizations that were breached. Here are some notable ransomware attacks that happened in 2021 and early 2022:

  • Acer. In March 2021, global IT hardware vendor Acer was the victim of a ransomware attack executed by the REvil ransomware group.
  • CNA Financial. In March 2021, cyber insurance carrier CNA Financial disclosed that it was the victim of a cyber attack. The attack was allegedly executed by a group known as Phoenix.
  • Colonial Pipeline. In May 2021, Colonial Pipeline was the victim of a ransomware attack that affected the flow of oil across the eastern U.S.
  • JBS USA. In June 2021, meat processing vendor JBS USA was hit by a ransomware attack that reduced the company's ability to package meat products. The company is reported to have paid $11 million in ransom to criminals that were using the REvil ransomware.
  • Kaseya. In July 2021, remote management software vendor Kaseya was the victim of a supply chain ransomware attack. The attack was allegedly perpetrated by criminals using the REvil ransomware platform.
  • Sinclair Broadcast Group. In October 2021, Sinclair Broadcast Group was the victim of a ransomware attack that crippled the network's broadcast operations.
  • Public services. Schools, health services and local U.S. municipal governments were hit by ransomware attacks in early 2022, including Pembroke Pines, Fla., on Jan. 13, 2022; Linn County, Ore., on Jan. 24, 2022; and New Bedford, Mass., on Jan. 27, 2022.

Ransomware predictions

Ransomware didn't start recently, and it won't end anytime soon either. Ransomware will likely continue to evolve in a few different ways. Here are some predictions on the direction that ransomware will take in the years ahead:

  • Governments will be more involved. Gartner predicted that nation-states are likely to enact legislation about ransomware payments. In 2021, Gartner estimated that only 1% of global governments have rules around ransomware, with a forecast for that to grow to 30% by 2025.
  • More extortion to come. Security vendor BeyondTrust predicted that there will be a variation on double extortion with ransomware in 2022, as attackers try to execute more personalized attacks.
  • Rise of intermittent encryption. In August 2021, security vendor Sophos first detected a new approach inside ransomware known as intermittent encryption. Intermittent encryption only encrypts parts of files, making them appear as corrupted data. The approach can bypass many forms of current ransomware protection and detection.

How to protect against ransomware attacks

Organizations and individuals can take steps to mitigate ransomware attacks. But there is no silver bullet that will solve or defend against ransomware. What's needed is a multilayered approach to improve IT security overall. There are six key steps to safeguard assets against ransomware risks:

  1. Maintain a defense-in-depth security program. Ransomware is just one of many risks that IT users face. Having multiple layers of defense is a key best practice.
  2. Consider advanced protection technologies. The use of extended detection and response can help organizations identify potential risks that could lead to ransomware exploitation.
  3. Educate employees about the risks of social engineering. More often than not, it's users clicking on something that they shouldn't that can lead to infection. Education and vigilance are important.
  4. Patch regularly. Ransomware code often targets known vulnerabilities. By keeping software and firmware updated, a possible attack vector can be eliminated.
  5. Perform frequent backups of critical data. Ransomware's target is data. By having reliable backups, the risk of losing data can be minimized.
  6. Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.

Next Steps

3 ransomware distribution methods popular with attackers

4 types of ransomware and a timeline of attack examples

Top 3 ransomware attack vectors and how to avoid them

8 cybersecurity books to read in 2022

This was last published in February 2022

Dig Deeper on Threats and vulnerabilities