700M Attacks in 2021 and Counting: Can Businesses Fight the Ransomware Tsunami?


The threat posed to organizations worldwide by ransomware operations has grown by an unprecedented scale in 2021. Ransomware attacks are now occurring by the hundreds of millions, forcing organizations to increase spending on cybersecurity solutions. But can the ransomware crisis ever be effectively contained? Let’s look at how ransomware operators disrupted businesses worldwide in 2021 and solutions that can help disrupt, if not wholly destroy, the ransomware business model.  

Considering the scale at which organizations use third-party software, use hundreds of internal and public-facing applications and websites depending on digital supply chains, and share data with vendors to operate effectively, securing all digital assets is a major challenge. The growing ability of ransomware operators to freeze operations and encrypt business-critical data seldom leaves organizations with any choice other than to pay a ransom.

2021 Ransomware Attacks in Numbers

SonicWall’s recently-released Q3 Threat ReportOpens a new window gives us a peek into the scale at which the cybercriminal community is leveraging ransomware as its weapon of choice to target organizations worldwide. The security firm logged over 495 million ransomware attacks in the first three quarters of 2021 and believes the total number of ransomware attacks targeting organizations worldwide will exceed 700 million by the end of the year.

In Q3 alone, the security solutions company recorded 190.4 million ransomware attempts. In comparison, the company logged 195.7 million total ransomware attempts during the first three quarters of 2020. It also logged 1,748 attempts per customer, equivalent to 9.7 ransomware attempts per customer each business day. Between Q1 and Q3, it also observed more than 3.9 trillion intrusion attempts. 

Fig 1: The Number of Ransomware Attacks Targeting Businesses in 2020 and 2021 (SonicWall)

For business leaders who believe ransomware attacks may target their businesses once in a while, the report from SonicWall is an eye-opener. Ransomware attacks aren’t once-in-a-while incidents anymore, but a massive tsunami that’s growing in scale and ferocity and testing cybersecurity defenses at all times.

“As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens. The real-world damage caused by these attacks is beyond anecdotal at this point. It’s a serious national and global problem that has already taken a toll on businesses and governments everywhere,” said SonicWall president and CEO Bill Conner.

Dmitriy Ayrapetov, SonicWall’s vice president of Platform Architecture, said that the techniques deployed by ransomware actors have evolved well beyond the smash-and-grab attacks from just a few years ago.  “Today’s cybercriminals demonstrate deliberate reconnaissance, planning and execution to surgically deploy toolchains targeting enterprise and government infrastructure. This results in larger victims and leads to higher ransoms.”

See More: Ransomware: Is Your Sensitive Data Protected, or Will You Have To Pay Up?

Rise in ransomware payouts indicates businesses seldom have any other choice

In a recent report, Mimecast revealed that 39% of organizations paid a ransom to restore operations. U.S.-based organizations paid $6,312,190 to hackers on average, those in Canada spent $5,347,508, and those in the U.K. paid $848,377 on average. In October, the U.S. Treasury Department also revealed that victim organizations paid a total of $590 million to ransomware operators in the first six months of 2021. In comparison, U.S.-based organizations paid a total ransom of $416 million in all of 2020.

Josh Rickard, security solutions architect at Swimlane, predicts that the average ransomware payout will double in 2022 thanks to the proliferation of Ransomware as a Service (RaaS) proliferates. “Similar to how cybercriminals have developed phishing kits to launch attacks with minimal effort, ransomware groups will seek to grow the RaaS ecosystem and improve infrastructure. In 2022, this will make it even easier to deploy ransomware attacks and will lead to a rise in more sophisticated attacks such as double extortion,” he says.  

Can the Rising Tide of Ransomware Attacks Be Repelled?

 Reading the ransomware statistics from 2021 may give an impression that governments and organizations worldwide lack the tools or strategies to end the menace for good. It is true that until recently, governments have not paid much attention to the threat posed by ransomware. There is also not much to support that joint actions have disrupted malicious cyber operations completely, considering that many of the perpetrators live within the comforts of international borders.

Governments leading the charge in taking down ransomware gangs

Earlier this year, cybersecurity firm Emsisoft found a way to help multiple victims of the BlackMatter ransomware group recover their files without paying a dime. This occurred after the firm discoveredOpens a new window a critical flaw in the BlackMatter ransomware and exploited it to help out a number of large organizations whose data had been encrypted by the ransomware’s operators.

Even though Emsisoft’s breakthrough was short-lived as the ransomware group discovered the flaw in September and quickly fixed it, BlackMatter found it difficult to survive too as law enforcement operations went into overdrive. As the group decided to shut shop earlier this month, the U.S. State Department also announced a $10 million bounty on the heads of the operators of the DarkSide ransomware group, which gained notoriety for targeting Colonial Pipeline. As per reports, DarkSide quickly went dark in April before resurfacing as BlackMatter a few months later.

In November, a multi-national law enforcement operation also succeeded in nabbing key members of the REvil ransomware gang. Cybersecurity companies branded the gang among the most notorious ransomware operators since it first emerged in April 2019. According to IBM, REvil was responsible for almost one in three (29%) ransomware attacks since 2020. The gang was also responsible for targeting Florida-based IT supplier Kaseya with a ransomware attack, which impacted 1,500 downstream organizations and 36,000 customers and thousands of MSPs.

See More: Why Immutable Backups Are Essential to Recovering from Ransomware Attacks

It’s foolish to assume that ransomware operations will ever end

The takedown of the DarkSide and REvil ransomware gangs indicates that governments have the expertise and the will to take down the most prominent operators, even if they hide behind international borders. However, Neil Jones, a cybersecurity expert at Egnyte, says that organizations can never let their guard down and must continue with proven detection and mitigation strategies as new ransomware infrastructure can be brought online quickly.

Calvin Gan, a senior manager with F-Secure’s tactical defense unit, says that the recent arrests and takedowns shouldn’t be seen as the end because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups operating, so organizations and defenders should not be taking a hiatus but focus on disrupting them further. 

“It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group who has rebranded (eg. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk or Karma ransomware likely a rebrand of Nemty ransomware).”

It’s time for a fresh approach to curtail the ransomware menace

The era of relying on perimeter defenses to prevent ransomware infections is over, says Jon Toor, CMO of Cloudian. He believes that if the same mindset persists, security experts will continue to miss the mark with ransomware protection.

 “Security experts continue to tout increased perimeter defense as the catch all for ransomware protection. However, 49% of businesses that experienced an attack had perimeter defenses in place and ransomware still managed to get in. In addition, 65% of the organizations that were penetrated through phishing emails had conducted anti-phishing training for employees,” he said. 

In recent years, organizations have begun adopting zero trust solutions, data backup solutions, and Identity and Access Management solutions to strengthen their ransomware defenses. However, they often overlook some key concerns because of which ransomware attacks continue to succeed. According to Mimecast’s research, 55% of cybersecurity professionals said their organizations do not have file backups that would allow them to avoid paying the ransom or mitigate damage from an attack.

At the same time, 46% of cybersecurity professionals are not satisfied with the frequency of security awareness training for end-users, 45% don’t believe they are allocated sufficient budgets to fund more up-to-date data security systems, and 40% of professionals want greater sharing of threat data to be able to stop or mitigate ransomware attacks. These factors indicate that the average organization’s cyber preparedness is informed more by cultural and monetary factors than technological ones.

Organizations also cannot hope for ransomware attacks to dissipate if they continue to pay ransom and, at the same time, relegate cybersecurity in favor of other digital transformation projects. Trend Micro’s Global Risk Study, published in November, revealed that 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals. 82% of decision-makers have also felt pressured to downplay the severity of cyber risks to their board.

52% of IT decision-makers also told Trend Micro that their organization’s attitude to cyber risk is inconsistent and varies from month to month. While 61% believe it would take a breach of their organization to make the C-Suite sit up and take notice, a similar number believe cybersecurity will become a core concern only if customers start demanding more sophisticated security credentials. 

“IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” said Bharat Mistry, UK technical director for Trend Micro. 

“We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”

In short, there are enough tools and solutions in the market to help you beat ransomware. All you need to do is let your CISO take the stage. 

Do you think organizations are still prioritizing business transformation projects at the expense of cybersecurity? Let us know on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to hear from you!