- Apr 24, 2016
Ransomware statistics for 2021: Q2 report
The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.”
The attack was, perhaps, a little too successful. The incident caused widespread disruption to the fuel supply chain, resulting in gas prices hitting a six-year high and drawing significant attention from the White House. Following pressure from U.S. authorities and the alleged seizure of their public-facing servers, DarkSide had little choice but to shut down operations.
The incident caused ripples elsewhere in the ransomware market. To avoid attracting unwanted attention, some cybercrime forums began removing all references to ransomware, while ransomware groups like Avaddon and Sodinokibi announced that they would begin imposing restrictions on which targets their affiliates would be permitted to attack.
DarkSide wasn’t the only group to retire in Q2. Avaddon followed suit in June, announcing its retirement and releasing free keys for all of its victims, enabling us to release a decryptor which past victims can use to recover their encrypted data.
In Q2, we saw a number of cases of threat actors encrypting data with multiple strains of ransomware in a single attack. Double encryption makes recovery – an already challenging process – even more complex and puts further pressure on victims to comply with attackers’ demands. Whether these cases were isolated incidents or the start of a new trend remains to be seen.
Most commonly reported ransomware strains of Q2 2021
- STOP (Djvu): 71.20%
- Phobos: 3.50%
- REvil / Sodinokibi: 2.40%
- Qlocker: 2.30%
- Makop: 2.20%
- Dharma (.cezar): 2.00%
- Magniber: 1.60%
- eCh0raix / QNAPCrypt: 1.40%
- LockBit: 0.90%
- GlobeImposter 2.0: 0.90%
Most ransomware submissions by country
- India: 21.30%
- Indonesia: 10.00%
- South Korea: 5.50%
- Egypt: 4.10%
- Brazil: 3.90%
- Pakistan: 3.80%
- United States: 3.40%
- Germany: 2.50%
- Philippines: 1.90%
- Italy: 1.70%
We saw a significant increase in ID Ransomware submission numbers this quarter, with submissions rising from 96,023 in Q1 to 137,537 in Q2 – an increase of 43.23%.
STOP/Djvu remained the most commonly submitted ransomware family in Q2, accounting for 71.2% of all submissions, up from 51.4% in Q1. STOP is a prolific strain of ransomware that primarily impacts home users and is typically distributed via cracked software, key generators and activators.
This quarter, well-known vulnerabilities in QNAP devices resulted in a sharp rise in ransomware targeting QNAP NAS owners. The most active was Qlocker, a new ransomware variant that targets QNAP NAS devices and demands a relatively small ransom of $500. Despite its short lifespan – Qlocker emerged in April and shut down its operation just a few weeks later after generating around $350,000 in ransom payments – it was the fourth most commonly submitted strain this quarter, accounting for 2.30% of all submissions.
The threat actors behind eCh0raix, a ransomware strain first detected in June 2019, also launched a campaign aimed at QNAP storage devices. The variant, dubbed QNAPCrypt, was responsible for 1.40% of all submissions this quarter.
India, which has made the most submissions every quarter since we began these quarterly reports, accounted for 21.3% of all global submissions in Q2, up significantly from 12.5% in Q1. Spain and Turkey, which each accounted for 2.2% of all submissions in Q1, fell out of the top 10 list in Q2, replaced by Germany (2.5%) and the Philippines (1.9%).