Ransomware Takeaways: 2021 to Date


If you’re responsible for the care and feeding of a business’s or organization’s IT infrastructure, you understand the risks ransomware poses. But sometimes it’s challenging to convince your organization of the threat when staying ahead of danger requires change or investment.

That’s why we’re kicking off a regular ransomware digest—not because you need the information, but maybe five quick, up-to-date, shareable takeaways will convince the staffer on your team who does.

This post is a part of our ongoing series on ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.


1. Attacks Are Increasing in Frequency and Size

As year-end reports came out, we saw a staggering increase in both the frequency of ransomware incidents and the extortion amounts demanded. Ransomware attacks increased 485% year over year in 2020. And the first quarter of 2021 saw the largest ransom ever demanded hit $50 million when the REvil/Sodinokibi crime syndicate attacked PC manufacturer Acer in March, followed by another $50 million demand against Apple supplier Quanta in April. In recent weeks, an attack on Colonial Pipeline Co. shut down the nation’s largest fuel pipeline, and hackers leaked thousands of sensitive documents after targeting the D.C. Metropolitan Police Department.

Attacks are getting more frequent and bigger, in part because ransomware as a service (RaaS) makes it easy for amateur criminals to get in the game. They can shop on the dark web for RaaS variants designed by more sophisticated syndicates and execute them for an affiliate fee.

2. Willingness to Pay Incentivizes More Attacks

Government agencies around the world advise against cooperating with cybercriminals. In fact, it can be illegal. Nonetheless, many organizations still comply with demands, often without reporting incidents for fear of the impact on their reputations or the risk of data exposure. Coveware, a ransomware recovery firm, reported that average ransom payments have increased more than 3,000% since Q3 2018, from $5,973 to $220,298.

[Chart: Ransom Payments By Quarter]

Unfortunately, paying ransoms only serves to normalize payments, embolden criminals, and incentivize higher ransoms. If you need any more convincing, paying the ransom does not ensure your data will be restored or deleted by hackers, as Coveware warned in late 2020. Per their reports, they’d seen the following behavior from major cybercrime syndicates:

  • Sodinokibi: Re-extorting victims weeks after being paid.
  • Maze/Sekhmet/Egregor/related groups: Posting data before making a ransom demand.
  • Netwalker: Posting data from companies that already paid.
  • Mespinoza: Posting data from companies that already paid.
  • Conti: Showing fake files as evidence of deletion.

3. Schools and Hospital Systems Make Prime Targets

2020 taught us that relying on the goodwill of hackers to forgo attacks on organizations that serve the public good is far too generous. Schools and hospital systems are not just fair game, they’re prime targets. In 2020, 1,681 schools and 560 healthcare facilities were affected by ransomware, according to a report by Emsisoft, a cybersecurity firm. Both schools and hospitals manage high volumes of personally identifiable information like social security numbers and patient data, and they may not have the resources to afford dedicated cybersecurity staff. In Q1 of 2021, reports of hospitals and schools hit by ransomware continued to make headlines, like the March attack on Broward County Public Schools, where hackers demanded an astronomical $40 million.

4. Attackers Are Targeting Backup Data

Backups are supposed to be a failsafe, but any system that’s online and connected to a network is ripe for ransomware encryption. As Gregory Tellone, CEO of Continuity Centers, explained, “When we say ‘hacker,’ it’s not some kid in his basement. They’re stealthy, professional crime organizations. They attack slowly and methodically. They can monitor your network for months, until they have the keys to the kingdom—including backups—then they pull the trigger. That’s the battle we’re up against.” Fortunately, there are ways to protect your backups using immutability so you can successfully restore them in the event of an attack.

5. Repeat Attacks Are on the Rise

Unsurprisingly, hackers don’t always keep their promises when companies pay ransoms. In fact, paying ransoms lets cybercriminals know you’re an easy mark. In 2021, we’ve seen reports of repeat attacks, either because companies already demonstrated willingness to pay or because the vulnerability that allowed hackers access to systems remained susceptible to exploitation. Some companies ended up paying a second time.

The Good News

Of course, the good news is that all of this means it’s never been easier to justify investing in proactive protection. In fact, this could be seen as a team’s highest-ROI investment, given that a delayed recovery could disrupt operations, cost sales, and damage reputation, too.

About Jeremy Milk

Jeremy Milk is a storybuilder who heads the Backblaze Product Marketing team. He's spent more than two decades honing his craft in product and consumer goods marketing leadership roles at companies including Intuit, WePay (acquired by JPMorgan Chase), and The Clorox Company. Outside the office, he can often be found near a soccer field, on a running trail, or fueling on coffee and tacos.