New Ransomware Research Shows Growth Trends Across the Threat Landscape

January 25, 2022

While ransomware has been a problem for three decades, the last few years brought rapid changes to the threat ecosystem. New research from the Abnormal Threat Intelligence team shows that ransomware delivery methods have evolved, payouts are growing in frequency and total cost, and there are more malicious actors participating in ransomware than ever before.

Published today, The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022 showcases new research into the victimology of ransomware, with deep insights into victims by industry, by size, and by location. We also include research on threat actor groups and their emergence over the past two years, with new groups surfacing to replace those being taken down.

Small Businesses at Largest Risk, Making Up 57% of All Victims

From the start of 2020 to the end of 2021, the Abnormal team identified 4,200 companies, organizations, and government institutions that have all fallen victim to a ransomware attack.

One of the biggest misconceptions about ransomware attacks is that they primarily impact large organizations that can afford to pay substantial ransoms. After all, most of the attacks reported in the media are generally those that victimized big, notable companies. Based on our data, however, the belief that these large enterprises are the preferred targets of ransomware actors is a myth.

Ransomware victims by annual revenue

The median estimated annual revenue for companies victimized by ransomware in 2020 and 2021 was just $27 million. Nearly a third of all victims had an annual revenue of less than $10 million and just under 60% of victims generated an annual revenue of less than $50 million, meaning a majority of ransomware targets can be classified as small businesses. Only 10% of ransomware victims were enterprise-sized companies with an annual revenue of more than $1 billion.

While this appears to run counter to the conventional wisdom that the largest entities with the choicest data and heftiest budgets are the most attractive ransomware targets, this distribution makes sense. And because smaller companies are generally unable to invest large amounts of money in cybersecurity, they’re more likely to have fewer defenses in place that may prevent ransomware attacks, making them better opportunistic targets.

More than Half of All Victims Located in the United States

Although companies in the United States have received half of the attacks since 2020, ransomware is a global problem. It’s most prevalent in countries with a high GDP, although it’s not as pervasive in Asian countries and is nonexistent in Russia. Because many top ransomware groups are based in Russia, they may purposefully avoid ruffling feathers by not targeting domestic companies.

Ransomware victims by country location

As with most cyber attacks, the United States is home to a majority of ransomware victims, with just over half of ransomware victims since the beginning of 2020 located in one of the fifty states. Interestingly, the significant focus from United States authorities on ransomware in the first half of 2021 seems to have done little to deter ransomware actors from targeting American companies. The last quarter of 2021 saw the highest number of ransomware victims in the United States in the past two years, a 43% increase from the previous quarter.

Number of Active Ransomware Groups Grows by 600%

As the number of victims has increased over the last two years, the number of players in the ransomware space has also grown substantially. Similar to what we saw in 2016, when ransomware saw its initial global explosion, a growing number of minor threat groups have entered the scene—piggybacking on the success of the more established groups.

We tracked 62 different ransomware groups and their activities since January 2020. While some of these were merely rebranded variations of previous ransomware strains, such as Maze rebranding to Egregor or DarkSide renaming itself BlackMatter, most of these groups are unique threats that have emerged for a few months at a time in smaller volumes. The number of active ransomware groups each month has increased dramatically, growing from just three in February 2020 to a peak of 28 in November 2021.

Monthly active ransomware groups

Five groups—Conti, LockBit, Pysa, REvil, and Maze/Egregor—were responsible for more than half of all ransomware attacks over the past two years. Three of those groups are still active today and they make up nearly two-thirds of the present ransomware attack volume.

Number of ransomware victims by group

One of the biggest challenges to disrupting the ransomware landscape in the past few years has been the hydra-like nature of how it has grown. Whenever a primary group has exited the scene, one or more new big groups enter, along with even more smaller groups. So while we’ve actually seen a fair amount of turnover among the top ransomware groups, the total volume of attacks has remained consistently high. This is because existing groups are being replaced by new ones, leading to the overall number of active groups increasing by seven times since January 2020.

Moving Ransomware into 2022

As our research has shown, ransomware is an increasing threat that continues to grow across all industries, all company sizes, and all countries. Ransomware actors have proven that they are focused on one thing: making money in whatever way possible. These actors are targeting everyone, and due to a variety of factors, the payout amounts are increasing substantially.

With the largest payout ever costing CNA Financial $40 million in March 2021, it is clear that ransomware is a threat against which every organization should protect itself. Now is the time to secure your email and protect your end users from these malicious emails—before the next ransomware attack impacts you.

To learn more about this research, download the entire report titled The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022.

