New Ransomware Research Shows Growth Trends Across the Threat Landscape

While ransomware has been a problem for three decades, the last few years brought rapid changes to the threat ecosystem. New research from the Abnormal Threat Intelligence team shows that ransomware delivery methods have evolved, payouts are growing in frequency and total cost, and there are more malicious actors participating in ransomware than ever before.

Published today, The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022 showcases new research into the victimology of ransomware, with deep insights into victims by industry, by size, and by location. We also include research on threat actors groups and their emergence over the past two years, with new groups surfacing to replace those being taken down.

From the start of 2020 to the end of 2021, the Abnormal team identified 4,200 companies, organizations, and government institutions that have all fallen victim to a ransomware attack.

One of the biggest misconceptions about ransomware attacks is that they primarily impact large organizations that can afford to pay substantial ransoms. After all, most of the attacks reported in the media are generally those that victimized big, notable companies. Based on our data, however, the belief that these large enterprises are the preferred targets of ransomware actors is a myth.

The median estimated annual revenue for companies victimized by ransomware in 2020 and 2021 was just $27 million. Nearly a third of all victims had an annual revenue of less than $10 million and just under 60% of victims generated an annual revenue of less than $50 million, meaning a majority of ransomware targets can be classified as small businesses. Only 10% of ransomware victims were enterprise-sized companies with an annual revenue of more than $1 billion.

While this appears to run counter to the conventional wisdom that the largest entities with the choicest data and heftiest budgets are the most attractive ransomware targets, this distribution makes sense. And because smaller companies are generally unable to invest large amounts of money in cybersecurity, they’re more likely to have fewer defenses in place that may prevent ransomware attacks, making them better opportunistic targets.

Although companies in the United States have received half of the attacks since 2020, ransomware is a global problem. It’s most prevalent in countries with a high GDP, although it’s not as pervasive in Asian countries and is nonexistent in Russia. Because many top ransomware groups are based in Russia, they may purposefully avoid ruffling feathers by not targeting domestic companies.

Like most cyber attacks, the United States is the home for a majority of ransomware victims, with just over half of ransomware victims since the beginning of 2020 located in one of the fifty states. Interestingly, the significant focus from United States authorities on ransomware in the first half of 2021 seems to have done little to deter ransomware actors from targeting American companies. The last quarter of 2021 saw the highest number of ransomware victims in the United States in the past two years—a 43% increase from the previous quarter.

As the number of victims has increased over the last two years, the number of players in the ransomware space has also grown substantially. Similar to what we saw in 2016, when ransomware saw its initial global explosion, a growing number of minor threat groups have entered the scene—piggybacking on the success of the more established groups.

We tracked 62 different ransomware groups and their activities since January 2020. While some of these were merely rebranded variations of previous ransomware strains, such as Maze rebranding to Egregor or DarkSide renaming itself BlackMatter, most of these groups are unique threats that have emerged for a few months at a time in smaller volumes. The number of active ransomware groups each month has increased dramatically, growing from just three in February 2020 to a peak of 28 in November 2021.

Five groups—Conti, LockBit, Pysa, REvil, and Maze/Egregor—were responsible for more than half of all ransomware attacks over the past two years. Three of those groups are still active today and they make up nearly two-thirds of the present ransomware attack volume.

One of the biggest challenges to disrupting the ransomware landscape in the past few years has been the hydra-like nature of how it has grown. Whenever a primary group has exited the scene, one or more new big groups enter, along with even more smaller groups. So while we’ve actually seen a fair amount of turnover among the top ransomware groups, the total volume of attacks has remained consistently high. This is because existing groups are being replaced by new ones, leading to the overall number of active groups increasing by seven times since January 2020.

As our research has shown, ransomware is an increasing threat that continues to grow across all industries, all company sizes, and all countries. Ransomware actors have proven that they are focused on one thing: making money in whatever way possible. These actors are targeting everyone, and due to a variety of factors, the payout amounts are increasing substantially.

With the largest payout ever costing CNA Financial $40 million in March 2021, it is clear that ransomware is a threat against which every organization should protect itself. Now is the time to secure your email and protect your end users from these malicious emails—before the next ransomware attack impacts you.

To learn more about this research, download the entire report titled The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022.