Ransomware Takeaways: Q2 2021


A lot has happened since we published our last Ransomware Takeaways, and it’s only been three months. High-profile attacks dominated headlines last quarter, but the attacks few of us ever hear about made up the majority, often with more serious consequences than higher gas prices. In a recent survey of 130 hospitals and healthcare organizations, nearly half of them reported they had to disconnect their networks in the first half of 2021 due to ransomware.

You surely follow ransomware news if you have any responsibility for your organization’s IT infrastructure and/or data. Still, since the dynamics are ever changing, you might find it useful to see the bigger-picture developments as we’re seeing them, to help inform your decision making. Here are five quick, timely, shareable takeaways from our monitoring over Q2 2021.

This post is a part of our ongoing series on ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.


1. Ransom Demands Hit New Highs

The REvil ransomware syndicate started negotiations at $70 million in an attack on Kaseya that affected 1,500 businesses that use the company’s software products. The $70 million demand follows on the heels of two $50 million demands by REvil, against computer manufacturer Acer in March and Apple supplier Quanta in April.

While the highest demands reach astronomical heights, average demands are also increasing, according to cybersecurity and cyber insurance firm Coalition. In their H1 2021 Cyber Insurance Claims Report, they noted the average ransom demand made against their policyholders increased to $1.2 million per claim in the first half of 2021, up from $450,000 in the first half of 2020.

2. Ransom Payments Appeared to Fluctuate

In their 2021 Ransomware Threat Report, cybersecurity firm Palo Alto Networks noted an 82% increase in average ransom payments in the first half of 2021 to a record $570,000. Meanwhile, cybersecurity firm Coveware, which tracks payments quarterly, reported a lower figure—in Q2 of 2021, they put average payments at $136,576 after hitting a high of $233,817 in Q4 of 2020. The different sources show different trends because tracking payments is a tricky science—companies are not required to report incidents, let alone ransoms demanded or payments made. As such, firms that track individual payments are limited by the constituencies they serve and the data they’re able to gather.

Taking a different approach, Chainalysis, a blockchain data platform that tracks payments to blockchain addresses linked to ransomware attacks, showed that the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency. In May 2021, they published an update after identifying new addresses that put the number over $406 million. They expect the number will only continue to grow.

We’ll continue to track reporting from around the industry and account for variances in future reporting, but the data does tell us one thing—ransomware continues to proliferate because it continues to be profitable.

3. Double Extortion Tactics Are Increasing

In addition to encrypting files, cybercriminals are stealing data with threats to leak it if companies don’t pay the ransom. This trend is particularly concerning for public sector organizations and companies that maintain sensitive data like the Washington, D.C. Metropolitan Police Department—the victim of a May 2021 attack by the Babuk group that leaked sensitive documents including staff disciplinary records and security reports from the FBI and CIA.

Double extortion is not new—the Maze ransomware group carried out the first extortion attack in 2019, but the tactic is becoming more prevalent. In their Threat Report, Palo Alto Networks found that at least 16 ransomware variants currently employ this approach, and they expect more ransomware brands to adopt the tactic.

4. Ransomware Syndicates Are in Flux

The limelight is not a place most ransomware syndicates want to be. We’ve seen reports that the DarkSide group, responsible for the Colonial Pipeline attack, seems to have dissolved under the increased attention. But the ransomware economy is porous, and different sources report that the muscle behind the gang may simply have changed horses to a new brand—BlackMatter—or simply a different one—LockBit, the group allegedly responsible for the reported attack on Accenture. Like a high-stakes game of whack-a-mole, ransomware brands and groups are continuing to morph and change as authorities get wise to their tactics.

5. SMBs Continue to Be Main Targets, and Healthcare Suffered Doubly

Coalition reported that attacks on organizations with fewer than 250 employees increased 57% year over year. And, according to Coveware, over 75% of attacks in Q2 2021 targeted companies with fewer than 1,000 employees.

Ransomware Distribution by Company Size

Cybercriminals target organizations of this size because they know they’re vulnerable. Small and medium-sized businesses (SMBs) with strapped IT budgets are less likely to have the resources to protect themselves and more likely to pay the ransom rather than suffer extended downtime trying to recover from an attack.

While hospitals struggled to respond to the global COVID-19 pandemic, they also suffered cybersecurity breaches at an alarming rate. As noted above, almost half of 130 hospitals surveyed in a new study reported that they disconnected their networks in the first half of 2021 due to ransomware. Some did so as a precautionary measure, while others were forced to do so by the severity of the ransomware infection. Medium-sized hospitals with fewer than 1,000 beds experienced longer downtime and higher losses than larger institutions, averaging almost 10 hours of downtime at a cost of $45,700 per hour. As we reported in our last quarterly update, relying on the goodwill of cybercriminals to forgo attacks on organizations that serve the public good is a mistake.

The Good News

This quarter, the good news is that the increased attention means ransomware groups are under more scrutiny and more businesses are waking up to the reality that the threat is very, very real. Fortunately, the headlines and numbers make it even easier to justify the investment in ransomware protections, and there are plenty of ways to incorporate them into your cloud infrastructure. If your IT team does one thing in 2021, making ransomware resilience a priority should be it.

What You Can Do to Defend Against Ransomware

For more information on the threat SMBs are facing from ransomware and steps you can take to protect your business, read our Complete Guide to Ransomware.

About Jeremy Milk

Jeremy Milk is a storybuilder who heads the Backblaze Product Marketing team. He's spent more than two decades honing his craft in product and consumer goods marketing leadership roles at companies including Intuit, WePay (acquired by JPMorgan Chase), and The Clorox Company. Outside the office, he can often be found near a soccer field, on a running trail, or fueling on coffee and tacos.