The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.”
The attack was, perhaps, a little too successful. The incident caused widespread disruption to the fuel supply chain, resulting in gas prices hitting a six-year high and drawing significant attention from the White House. Following pressure from U.S. authorities and the alleged seizure of their public-facing servers, DarkSide had little choice but to shut down operations.
The incident caused ripples elsewhere in the ransomware market. To avoid attracting unwanted attention, some cybercrime forums began removing all references to ransomware, while ransomware groups like Avaddon and Sodinokibi announced that they would begin imposing restrictions on which targets their affiliates would be permitted to attack.
DarkSide wasn’t the only group to retire in Q2. Avaddon followed suit in June, announcing its retirement and releasing free keys for all of its victims, enabling us to release a decryptor which past victims can use to recover their encrypted data.
In Q2, we saw a number of cases of threat actors encrypting data with multiple strains of ransomware in a single attack. Double encryption makes recovery – an already challenging process – even more complex and puts further pressure on victims to comply with attackers’ demands. Whether these cases were isolated incidents or the start of a new trend remains to be seen.
The following statistics are based on data from 137,537 submissions to Emsisoft and ID Ransomware between April 1 and June 30, 2021. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a website that allows users to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.
Note: We estimate that only 25% of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of Q2 2021
The following chart shows the 10 most commonly reported strains of Q2, which collectively made up 88.40% of all submissions this quarter. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 71.20% of all submissions.
- STOP (Djvu): 71.20%
- Phobos: 3.50%
- REvil / Sodinokibi: 2.40%
- QLocker: 2.30%
- Makop: 2.20%
- Dharma (.cezar): 2.00%
- Magniber: 1.60%
- eCh0raix / QNAPCrypt: 1.40%
- LockBit: 0.90%
- GlobeImposter 2.0: 0.90%
Most commonly reported ransomware strains of Q2 2021 (STOP excluded)
The following chart shows the 10 most commonly reported strains of Q2 with STOP submissions excluded.
- Phobos: 12.10%
- REvil / Sodinokibi: 8.20%
- QLocker: 7.80%
- Makop: 7.60%
- Dharma (.cezar): 6.90%
- Magniber: 5.50%
- eCh0raix / QNAPCrypt: 4.70%
- LockBit: 3.00%
- GlobeImposter 2.0: 3.00%
- Zeppelin: 2.40%
Most ransomware submissions by country
The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included. These 10 countries made up 58.10% of all global submissions this quarter.
- India: 21.30%
- Indonesia: 10.00%
- South Korea: 5.50%
- Egypt: 4.10%
- Brazil: 3.90%
- Pakistan: 3.80%
- United States: 3.40%
- Germany: 2.50%
- Philippines: 1.90%
- Italy: 1.70%
Discussion
We saw a significant increase in ID Ransomware submission numbers this quarter, with submissions rising from 96,023 in Q1 to 137,537 in Q2 – an increase of 43.23%.
STOP/Djvu remained the most commonly submitted ransomware family in Q2, accounting for 71.2% of all submissions, up from 51.4% in Q1. STOP is a prolific strain of ransomware that primarily impacts home users and is typically distributed via cracked software, key generators and activators.
This quarter, well-known vulnerabilities in QNAP devices resulted in a sharp rise in QNAP-targeted ransomware. The most active was QLocker, a new ransomware variant that targets owners of QNAP NAS devices and demands a relatively small ransom of $500. Despite its short lifespan – QLocker emerged in April and shut down its operation just a few weeks later after generating around $350,000 – QLocker was the fourth most commonly submitted strain this quarter and accounted for 2.30% of all submissions.
The threat actors behind eCh0raix, a ransomware strain first detected in June 2019, also launched a campaign aimed at QNAP storage devices. Dubbed QNAPCrypt, the ransomware was responsible for 1.40% of all submissions this quarter.
India, which has made the most submissions every quarter since we began these quarterly reports, accounted for 21.3% of all global submissions in Q2, up significantly from 12.5% in Q1. Spain and Turkey, which each accounted for 2.2% of all submissions in Q1, fell out of the top 10 list in Q2, replaced by Germany (2.5%) and the Philippines (1.9%).