Ransomware statistics for 2021: Q1 report
After an extremely profitable 2020, there was little chance of threat actors taking their foot off the gas as we entered 2021.
In the first quarter of the year, tens of thousands of businesses, public entities and home users were hit by ransomware. Some of the most notable incidents included a Phoenix CryptoLocker attack on CNA Financial, one of the largest insurers in the U.S.; a Conti attack on Florida’s Broward County Public Schools, the sixth largest public school system in the U.S.; and a REvil attack on computer giant Acer, in which threat actors demanded the largest (publicly known) ransom to date – $50 million.
In Q1, we saw some rare legal action taken against ransomware actors. In January, a coordinated international law enforcement effort resulted in the indictment of a Canadian national associated with the NetWalker ransomware and the seizure of a dark web resource used by NetWalker affiliates to communicate with victims. Also in January, a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine led to the takedown of Emotet, an extremely prolific modular banking trojan that was often used to deliver ransomware.
We also observed some changes in the threat landscape as some bad actors retired and new groups emerged. Q1 marked the departure of FonixCrypter, a ransomware operation that had been moderately active since its inception in in mid-2020. The group released the FonixCrypter master decryption keys and a rudimentary decryption tool, along with an apology for their actions. We also saw the arrival of Babuk, a new ransomware variant laden with design flaws that could unintentionally cause permanent data loss.
The following statistics are based on data from 96,023 submissions to Emsisoft and ID Ransomware between January 1 and March 31, 2021. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a website that allows users to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.
Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of Q1 2021
The following chart shows the 10 most commonly reported strains of Q1, which collectively made up 80.90% of all submissions this quarter. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 51.4% of all submissions.
- STOP (Djvu): 51.40%
- Phobos: 6.60%
- Dharma: 5.10%
- Makop: 4.70%
- REvil / Sodinokibi: 4.60%
- Magniber: 2.80%
- LockBit: 1.50%
- GlobeImposter 2.0: 1.50%
- Cryakl: 1.40%
- Mars: 1.30%
Most commonly reported ransomware strains of Q1 2021 (STOP excluded)
The following chart shows the 10 most commonly reported strains of Q1 with STOP submissions excluded.
- Phobos: 13.60%
- Dharma: 10.60%
- Makop: 9.70%
- REvil / Sodinokibi: 9.50%
- Magniber: 5.80%
- LockBit: 3.20%
- GlobeImposter 2.0: 3.00%
- Cryakl: 2.80%
- Mars: 2.60%
- Zeppelin: 2.40%
Most ransomware submissions by country
The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included. These 10 countries made up 58.10% percent of all global submissions this quarter.
- India: 12.50%
- Indonesia: 9.90%
- South Korea: 8.90%
- Pakistan: 8.00%
- US: 4.70%
- Egypt: 3.80%
- Brazil: 3.40%
- Italy: 2.50%
- Spain: 2.20%
- Turkey: 2.20%
STOP/Djvu, consistently the most submitted ransomware strain in 2020, was the most common ransomware this quarter, accounting for 51.40% of all submissions. Unlike many other ransomware variants, which tend to target high-value organizations, STOP primarily impacts home users and typically spreads through cracked software, key generators and activators. With STOP submissions excluded, we can see a much more balanced distribution of submissions, particularly among the four most common ransomware strains: Phobos, Darma, Makob and REvil.
Geographically, just 10 nations accounted for almost 6 in 10 of all global ransomware submissions this quarter. Submissions were heavily skewed toward Asia, with Asian nations accounting for 41.5% of submissions. India, consistently the leading ransomware submitter throughout 2020, again claimed the top spot in Q1 of 2021.