Emsisoft Blog: Ransomware statistics for 2021: Q2 report

Gandalf_The_Grey

Ransomware statistics for 2021: Q2 report
The second quarter of 2021 marked the biggest ransomware attack on U.S. infrastructure to date. On May 7, The Colonial Pipeline Company, which operates the largest pipeline system for refined oil products in the United States, was infected with DarkSide ransomware. The attack resulted in a six-day shutdown that was only resolved when Colonial Pipeline paid the $4.4 million ransom – a decision that CEO Joseph Blount described as “the right thing to do for our country.”

The attack was, perhaps, a little too successful. The incident caused widespread disruption to the fuel supply chain, resulting in gas prices hitting a six-year high and drawing significant attention from the White House. Following pressure from U.S. authorities and the alleged seizure of their public-facing servers, DarkSide had little choice but to shut down operations.

The incident caused ripples elsewhere in the ransomware market. To avoid attracting unwanted attention, some cybercrime forums began removing all references to ransomware, while ransomware groups like Avaddon and Sodinokibi announced that they would begin imposing restrictions on which targets their affiliates would be permitted to attack.

DarkSide wasn’t the only group to retire in Q2. Avaddon followed suit in June, announcing its retirement and releasing free keys for all of its victims, enabling us to release a decryptor which past victims can use to recover their encrypted data.

In Q2, we saw a number of cases of threat actors encrypting data with multiple strains of ransomware in a single attack. Double encryption makes recovery – an already challenging process – even more complex and puts further pressure on victims to comply with attackers’ demands. Whether these cases were isolated incidents or the start of a new trend remains to be seen.
Most commonly reported ransomware strains of Q2 2021
  1. STOP (Djvu): 71.20%
  2. Phobos: 3.50%
  3. REvil / Sodinokibi: 2.40%
  4. Qlocker: 2.30%
  5. Makop: 2.20%
  6. Dharma (.cezar): 2.00%
  7. Magniber: 1.60%
  8. eCh0raix / QNAPCrypt: 1.40%
  9. LockBit: 0.90%
  10. GlobeImposter 2.0: 0.90%
Most ransomware submissions by country
  1. India: 21.30%
  2. Indonesia: 10.00%
  3. South Korea: 5.50%
  4. Egypt: 4.10%
  5. Brazil: 3.90%
  6. Pakistan: 3.80%
  7. United States: 3.40%
  8. Germany: 2.50%
  9. Philippines: 1.90%
  10. Italy: 1.70%
Discussion
We saw a significant increase in ID Ransomware submission numbers this quarter, with submissions rising from 96,023 in Q1 to 137,537 in Q2 – an increase of 43.23%.

STOP/Djvu remained the most commonly submitted ransomware family in Q2, accounting for 71.2% of all submissions, up from 51.4% in Q1. STOP is a prolific strain of ransomware that primarily impacts home users and is typically distributed via cracked software, key generators and activators.

This quarter, well-known vulnerabilities in QNAP devices resulted in a sharp rise in QNAP-targeted ransomware. The most active was Qlocker, a new ransomware variant that targets owners of QNAP NAS devices and demands a relatively small ransom of $500. Despite its short lifespan – Qlocker emerged in April and shut down its operation just a few weeks later after generating around $350,000 – Qlocker was the fourth most commonly submitted strain this quarter and accounted for 2.30% of all submissions.

The threat actors behind eCh0raix, a ransomware family first observed in June 2019, also launched a campaign aimed at QNAP storage devices. Tracked as QNAPCrypt, the ransomware was responsible for 1.40% of all submissions this quarter.

India, which has made the most submissions every quarter since we began these quarterly reports, accounted for 21.3% of all global submissions in Q2, up significantly from 12.5% in Q1. Spain and Turkey, which each accounted for 2.2% of all submissions in Q1, fell out of the top 10 list in Q2, replaced by Germany (2.5%) and the Philippines (1.9%).
 

SeriousHoax

STOP/Djvu remained the most commonly submitted ransomware family in Q2, accounting for 71.2% of all submissions, up from 51.4% in Q1. STOP is a prolific strain of ransomware that primarily impacts home users and is typically distributed via cracked software, key generators and activators.
If you simply do a Google search for a cracked version of any popular app, you'll find a lot of sites that contain fake pro versions of apps that contain only malware. Most of these sites are blocked by popular AV products that are known for their top-quality web protection, like Bitdefender, ESET, Kaspersky and a few others, while Microsoft's SmartScreen and Google Safe Browsing just sit there and sleep without any hiccup. I have tried so many times, submitting these sites to Microsoft and Google Safe Browsing, but they almost never blacklist these sites. This is very frustrating. Google Safe Browsing and SmartScreen should be more effective. If they were, then quite a handful of these ransomware attacks could've been stopped. Many low-knowledge pirating users only know about searching for cracked versions of apps on Google. I know it's also true that desperate pirating users who have no sense of security would find other ways to get infected anyway, but Safe Browsing and SmartScreen should at least have knowledge of those malicious sites which appear on the first page of a Google search. That's the least they should do.