It was a turbulent quarter for ransomware. The price of bitcoin surged, climbing from just under $16,000 at the start of the quarter to more than $40,000. With bitcoin being the cryptocurrency of choice for most ransomware operations, bitcoin gains translate to a direct increase in profits for cybercriminals.
Despite the frothy crypto market conditions, Maze decided to retire. The prolific ransomware gang, which gained notoriety for being one of the first groups to use exfiltrated data as additional leverage in ransomware attacks, announced in November that it would be shutting down its operations.
Maze’s retirement left a hole in the ransomware scene, which was quickly filled by Egregor. First observed in September 2020, Egregor affiliates ramped up their efforts significantly in Q4, impacting hundreds of organizations, including Ubisoft, Barnes & Noble and Randstad. Egregor is the first ransomware to ‘print bomb’ victims, whereby ransom notes are printed on available printers on the compromised network.
In Q4, we saw Microsoft take action to combat ransomware ahead of the U.S. elections. Working with telecommunications providers around the world, the tech giant shut down 94% of the operational infrastructure belonging to TrickBot, a massive botnet that was often used to distribute ransomware.
Even with TrickBot out of the picture, the U.S. election process was not entirely immune to the effects of ransomware. In October, it emerged that Tyler Technologies, a Texas company that provides software used by cities and states to display results on election night, allegedly paid an undisclosed ransom to obtain a decryptor after falling victim to a ransomware attack in late Q3. Later that month, election infrastructure in Hall County, Georgia, was hit by a ransomware attack, which disrupted phone and email services and disabled a database used by the county to verify voters’ signatures on absentee ballots.
The following statistics are based on 126,359 ransomware submissions made to Emsisoft and ID Ransomware between October 1 and December 31, 2020. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a service that enables organizations and individuals to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.
Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of Q4 2020 (STOP included)
The following chart shows the 10 most commonly reported strains of Q4. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 68.90% of all submissions.
- STOP (Djvu): 68.90%
- Dharma (.cezar family): 8.40%
- Phobos: 7.20%
- REvil / Sodinokibi: 3.50%
- LockBit: 3.20%
- Magniber: 2.20%
- Mars: 1.90%
- Makop: 1.80%
- Cryakl: 1.50%
- GlobeImposter 2.0: 1.50%
Most commonly reported ransomware strains of Q4 2020 (STOP excluded)
The following chart shows the 10 most commonly reported strains of Q4 with STOP submissions excluded.
- Dharma (.cezar family): 25.70%
- Phobos: 22.30%
- REvil / Sodinokibi: 10.70%
- LockBit: 9.90%
- Magniber: 6.70%
- Mars: 5.90%
- Makop: 5.40%
- Cryakl: 4.60%
- GlobeImposter 2.0: 4.50%
- Zeppelin: 4.30%
Most ransomware submissions by country
The following chart shows the 10 countries that accounted for the most ransomware submissions in Q4, with STOP submissions included.
- India: 26.20%
- Indonesia: 20.40%
- South Korea: 10.00%
- Pakistan: 9.30%
- USA: 8.00%
- Egypt: 7.30%
- Brazil: 6.80%
- Philippines: 4.20%
- Turkey: 3.90%
- Spain: 3.90%
Discussion
In every quarter this year, STOP/Djvu has been responsible for the most ransomware submissions. Q4 was no exception. This quarter, STOP accounted for 68.90% of global ransomware submissions, down slightly from 69.90% in Q3. There are more than 160 variants of STOP ransomware, which usually spreads through cracked software, key generators and activators.
Comparing Q3 to Q4 reveals some minor changes in the most commonly reported ransomware strains. Avaddon, the fifth most submitted ransomware in Q3, did not make the top 10 in Q4, and was replaced by Mars, which entered the list at number seven.
Ten countries spanning five continents were responsible for more than half of all submissions in Q4. India, which held the top spot in Q1, Q2 and Q3, was again responsible for the most ransomware submissions, although its share decreased from 28.50% in Q3 to 26.20% in Q4.
Indonesia experienced the largest percentage change of any nation in Q4, with submissions increasing 4.1% from Q3 to reach a year-high of 20.40%. Bangladesh, which had the ninth-highest share of submissions in Q3, dropped off the list in Q4 and was replaced by Spain, which entered the Q4 list in 10th position.