Ransomware Goes Mainstream in 2021

Last year saw ransomware attacks continue to grow into one of the most costly and damaging cybercrimes. According to one estimate, the direct cost of ransomware rose dramatically from $11 billion in 2019 to $20 billion in 2020. Likewise, the cost to victims from network downtime doubled between 2019 and 2020. Ransomware gangs have been targeting multiple industries, including defense, aerospace, education, financial services, information technology, and healthcare.


2020 saw a significant evolution of the tactics, techniques, and procedures (TTPs) used by ransomware actors. For example, many malicious actors have adopted the double extortion tactic that first emerged in 2019. In a double extortion attack the gang exfiltrates data before encrypting it, so that a victim who can restore from backups still faces the threat of having the stolen data leaked, sold, or auctioned. REvil (aka Sodinokibi) was perhaps the first group to execute this tactic when it targeted a Canadian agricultural company that declined to pay a ransom. Since then, the tactic has been copied by multiple gangs. DoppelPaymer and numerous other ransomware groups operate leak sites where they publish data stolen from victims who refuse to pay.

Another tactic observed for the first time last year was the use of distributed denial of service (DDoS) attacks to increase pressure on victims; SunCrypt ransomware was the first to do so. Other ransomware families, including Avaddon and REvil, seem to have adopted this tactic as well. Avaddon regularly states on its leak site that a victim will be experiencing DDoS attacks until they start negotiating with the threat actors. Similarly, in a recent update to its affiliate program threads on underground forums, REvil announced that the gang was testing Layer 3 and Layer 7 DDoS capabilities, i.e. both volumetric network-layer floods and application-layer request floods aimed at the victim's public web services.


Figure 1. Avaddon ransomware states that they are utilizing a DDoS attack against their victim.

Source: LookingGlass Research

Cold calling is another tactic that first emerged in 2020 and is becoming more popular among ransomware operators in 2021. According to the FBI, DoppelPaymer was the first gang to start harassing victims with phone calls after ransomware attacks. In fact, these intimidation efforts are becoming so organized that ransomware gangs are using commercial call centers to reach out to and harass their victims.

Another worrying trend is that ransomware gangs are increasingly sharing information among themselves. These gangs use underground forums to announce affiliate programs and updates to their tooling. LookingGlass has observed representatives of the REvil, Avaddon, Darkside, and Babuk ransomware gangs regularly publishing announcements on prominent underground forums.


The last few years have seen an unprecedented increase in the sums ransomware gangs demand and collect. According to a Palo Alto Networks analysis, the average ransom paid by organizations in order to obtain a decryption key nearly tripled, from $115,123 in 2019 to $312,493 in 2020.

Unfortunately, it is at the high end that victims' potential exposure is increasing most dramatically. Last year saw the highest ransom demand on record, $30 million. However, just this March that figure was eclipsed when REvil hit Acer with a $50 million demand.


Figure 2. REvil announced an attack targeting Acer on their leak site.

Source: LookingGlass Research

Of course, the most prominent recent example of ransomware is the attack on Colonial Pipeline, which netted the Darkside group a ransom of roughly $5 million.


The Colonial Pipeline attack illustrated one of the axioms of cybersecurity: you are only as safe as your weakest link. In this case, the weak link was likely a password. Early evidence indicates that Darkside obtained initial access through the corporate VPN infrastructure using legitimate credentials, which means the compromise was likely achieved with a stolen or leaked password rather than a software exploit. The lesson for defenders is that a remote-access service which accepts a password alone turns any leaked credential into a foothold on the internal network; multi-factor authentication on every VPN account and the prompt removal of unused accounts close that path.


Based on the explosive growth of ransomware attacks, 2021 will almost certainly set new records for the number of incidents, the ransom amounts, and the downtime costs borne by victims. In the first quarter of 2021 there have already been multiple high-profile attacks. Additionally, with the shift to remote work, networks face ever-increasing threats from malicious actors exploiting email and remote-access services. The problem is so acute that this year a new ransomware attack is expected every 11 seconds.