In Q3 2021, ransomware group REvil issued the largest publicly known ransom demand to date – $70 million – following a monumental attack on MSP software provider Kaseya in early July. As many as 1,500 businesses were impacted during the attack, including Swedish supermarket chain Coop, which was forced to close most of its 800 stores for three days as it scrambled to bring its cash registers back online. A few weeks after the attack, Kaseya obtained a master decryption key that enabled impacted organizations to recover their encrypted data without paying the ransom.
The incident drew significant attention from the media and the authorities. In an attempt, perhaps, to escape the spotlight, REvil ceased all operations less than two weeks after the attack, shutting down its dark web leak site and payment portal. However, the shutdown proved only to be a short-term hiatus, with the group resuming activity two months later in September 2021.
While REvil’s exodus from the ransomware game might have been temporary, other threat actors decided to call it quits for good in Q3. In August, Ragnarok, a ransomware gang best known for a spate of attacks on unpatched Citrix ADC servers in early 2020, abruptly shut down its operations and released a master decryption key.
Q3 also marked the arrival of BlackMatter, a new ransomware group that we believe to be a repaint of DarkSide. DarkSide was a ransomware gang that was forced into early retirement in Q2 2021 after an attack on Colonial Pipeline – a move that drew immense pressure from the U.S. government and ultimately resulted in DarkSide losing control of its critical infrastructure.
We saw the U.S. government become increasingly proactive in curtailing ransomware in other areas, too. In July, the U.S. Department of State’s Rewards for Justice began offering rewards of up to $10 million for information that can identify or locate state-sponsored threat actors participating in malicious cyber activities against U.S. critical infrastructure. In Q3 the U.S. government also launched StopRansomware.gov, a central hub that consolidates ransomware resources from all federal government agencies.
The following statistics are based on data from 181,051 submissions to Emsisoft and ID Ransomware, a service that enables victims to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.
Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of Q3 2021
The following chart shows the 10 most commonly reported strains of Q3, which collectively made up 91.30% of all submissions this quarter. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 76.40% of all submissions.
- STOP (Djvu): 76.40%
- Zeppelin: 6.00%
- Phobos: 2.50%
- Makop: 1.50%
- Magniber: 1.20%
- Dharma (.cezar family): 1.10%
- REvil / Sodinokibi: 0.80%
- LockBit: 0.80%
- eCh0raix / QNAPcrypt: 0.50%
- GlobeImposter 2.0: 0.50%
Most commonly reported ransomware strains of Q3 2021 (STOP excluded)
The following chart shows the 10 most commonly reported strains of Q3 with STOP submissions excluded.
- Zeppelin: 25.60%
- Phobos: 10.60%
- Makop: 6.50%
- Magniber: 4.90%
- Dharma (.cezar family): 4.80%
- REvil / Sodinokibi: 3.50%
- LockBit: 3.20%
- eCh0raix / QNAPcrypt: 2.30%
- GlobeImposter 2.0: 2.10%
- 0XXX: 2.00%
Most ransomware submissions by country
The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included. These 10 countries made up 61.30% of all global submissions this quarter.
- India: 21.10%
- Indonesia: 15.10%
- Pakistan: 4.60%
- Egypt: 4.60%
- Brazil: 3.60%
- South Korea: 3.40%
- United States: 3.30%
- United Kingdom: 2.30%
- Bangladesh: 1.80%
- Philippines: 1.50%
There was a significant rise in ransomware submissions this quarter, with submissions increasing from 137,537 in Q2 to 181,051 in Q3 – an increase of 31.64%.
STOP/Djvu was by far the most commonly submitted ransomware variant in Q3, accounting for 76.40% of all submissions, up from 71.2% in Q2. STOP is so prolific because it primarily targets home users, unlike other ransomware variants which tend to take a quality-over-quantity approach by targeting high-value businesses.
QLocker, a QNAP-targeting variant responsible for the fourth most submissions in Q2, was absent from the top 10 list in Q3 after shutting down its operations in May. QLocker was replaced by Zeppelin, a ransomware strain first observed in November 2019 that has seen a surge in activity in recent months. Zeppelin was the second most commonly reported ransomware strain in Q3, accounting for 6% of all submissions.
In Q3, we also observed a new addition to the ransomware landscape: 0XXX. First observed in June 2021, 0XXX targets NAS devices and accounted for 2% of submissions in Q3 with STOP submissions excluded.
Geographically, Q3 proved once again that ransomware is truly a global phenomenon. India, which has made the most submissions every quarter since we began our quarterly reports, accounted for 21.1% of all global submissions in Q3, down slightly from 21.3% in Q2. Germany and Italy, which accounted for 2.5% and 1.9% of all submissions respectively in Q2, fell out of the top 10 list in Q3, replaced by Bangladesh (1.8%) and the United Kingdom (2.3%). This is the first time the United Kingdom has made an appearance in our quarterly reports.