2020, the year of the pandemic, was another lucrative year for ransomware. As nations around the world scrambled to slow the spread of the virus, cybercriminals attempted to capitalize on the chaos.
With attack surfaces expanded, sensitive company data being accessed from vulnerable devices and remote staff inevitably cutting corners on normal security protocols, COVID created the perfect environment in which ransomware could thrive.
RDP became the attack vector of choice as threat actors preyed on ad-hoc remote working implementations, while ransomware groups pivoted their existing infrastructure to launch COVID-themed attacks that sought to exploit the public’s interest in the ongoing health crisis.
The security challenges of COVID were exacerbated by threat actors’ rapid uptake of data exfiltration. Inspired by data-leak pioneers Maze, dozens of other ransomware groups began incorporating data theft into their attacks and using the stolen data as leverage to coerce victims into paying. Non-payment usually resulted in the stolen data being sold, auctioned, or, more commonly, published on the attacker’s leak site for all to see.
Over the course of 2020, various ransomware groups retired or fizzled out and were replaced by newcomers or reemerged under new names. Perhaps the most notable retirement was that of Maze, an extremely prolific ransomware group that announced in November that it would be shutting down operations. This year, we also saw Microsoft take down 94 percent of the servers belonging to TrickBot, an enormous botnet comprised of at least one million infected devices that operators would commonly rent to ransomware gangs.
The following statistics are based on 506,185 ransomware submissions made to Emsisoft and ID Ransomware between January 1 and December 31, 2020. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a service that enables organizations and individuals to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.
Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of 2020 (including STOP)
The following chart shows the 10 most commonly reported strains of 2020. STOP/Djvu was by far the most frequently submitted ransomware strain, accounting for 71.20% of all submissions.
- STOP (Djvu): 71.20%
- Phobos: 8.90%
- Dharma (.cezar Family): 7.90%
- REvil / Sodinokibi: 3.40%
- LockBit: 1.90%
- GlobeImposter 2.0: 1.70%
- Magniber: 1.70%
- Makop: 1.30%
- Avaddon: 1.10%
- Zeppelin: 1.00%
Most commonly reported ransomware strains of 2020 (STOP excluded)
The following chart shows the 10 most commonly reported strains of 2020 with STOP/Djvu submissions excluded.
- Phobos: 29.90%
- Dharma (.cezar Family): 26.80%
- REvil / Sodinokibi: 11.40%
- LockBit: 6.40%
- GlobeImposter 2.0: 5.70%
- Magniber: 5.70%
- Makop: 4.30%
- Avaddon: 3.80%
- Zeppelin: 3.20%
- Cryakl: 2.80%
Most ransomware submissions by country
The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included.
- India: 27.40%
- Indonesia: 15.10%
- USA: 10.90%
- Egypt: 10.00%
- Pakistan: 8.90%
- Brazil: 8.00%
- South Korea: 7.60%
- Philippines: 4.50%
- Turkey: 4.20%
- Italy: 3.40%
Number of submissions by month and year
The following chart shows the number of submissions by month, with STOP submissions included.
2019 | 2020 | % Change | |
January | 24,935 | 39,855 | 59.84 |
February | 17,833 | 42,294 | 137.17 |
March | 20,381 | 41,097 | 101.64 |
April | 20,851 | 53,494 | 156.55 |
May | 27,114 | 44,565 | 64.36 |
June | 28,861 | 38,153 | 32.20 |
July | 29,108 | 39,607 | 36.07 |
August | 45,382 | 39,438 | -13.10 |
September | 56,542 | 41,323 | -26.92 |
October | 56,545 | 31,997 | -43.41 |
November | 68,707 | 48,444 | -29.41 |
December | 54,123 | 45,918 | -15.16 |
Total | 450,382 | 506,185 | 12.39 |
Number of submissions by quarter
The following chart shows the number of submissions by quarter, with STOP submissions included.
2019 | 2020 | % Change | |
Q1 | 63,149 | 123,246 | 95.17 |
Q2 | 76,826 | 136,212 | 77.30 |
Q3 | 131,032 | 120,368 | -8.14 |
Q4 | 179,375 | 126,359 | -29.56 |
Summary
The total number of ransomware submissions increased by 12.39% between 2019 and 2020. Q1 saw a dramatic year-on-year increase of 95.17%, while the number of submissions in Q4 dropped by 29.56%. The biggest fluctuations in the number of submissions occurred in April (156.55%), February (137.17%) and March (101.64%).
Of the 587 ransomware variants submitted over the year, STOP/Djvu was by far the most common. There are more than 160 confirmed variants of STOP, which collectively accounted for 71.20% of all submissions in 2020. Some older strains of STOP can be decrypted with our free STOP decryption tools, but newer variants cannot be decrypted.
More than half of all submissions (52.60%) in 2020 came from just 10 countries. While ransomware is a truly global threat, the data indicates that Asia was perhaps the most commonly targeted region. With six nations in the top 10 (including transcontinental Turkey), Asia accounted for more than a third (35.70%) of all ransomware submissions in 2020. India had the most ransomware submissions in each quarter this year and was responsible for 14.40% of all submissions in 2020.