More Ransomware Attempts Recorded in First Half of 2021 Than in all of 2020

Ransomware attacks increased significantly in 2020. The cyber-intelligence firm Group-IB estimated attacks had increased by more than 150% in 2020. Now, a new report from SonicWall shows that attacks have not just continued to increase in the first half of 2021, they have skyrocketed.

SonicWall had previously reported a total of 304.6 million ransomware attacks in 2020; however, alarmingly, that total has already been reached in the first 6 months of 2021 alone, with attacks already having increased 151% from the corresponding period last year, according to the 2021 SonicWall Cyber Threat Report. There have been 304.7 million attempted ransomware attacks so far in 2021, with record numbers of attacks occurring in April and May, with the record being broken once again in June when there were an astonishing 78.4 million attempted ransomware attacks.

The data for the Cyber Threat Report come from SonicWall’s SonicWall Capture Threat Network, which collects data from devices around the world, including 1.1 million sensors in 215 countries and territories.

The United States is often targeted by ransomware gangs, so it is no surprise to see the country at the top of the list with the most ransomware attacks and the highest percentage increase – 185%. There have been over 227 million attempted ransomware attacks in the United States in the first 6 months of 2021 alone. The United Kingdom is the second most targeted country with 14.6 million attempted attacks, followed by Germany (11 million), South Africa (10.5 million), and Brazil (9.1 million).

Within the United States, entities in Florida were the worst affected with 111.1 million ransomware attempts, followed by New York with 26.4 million, Idaho with 20.5 million, and Louisiana with 8.8 million. Ransomware is also being used much more widely, with attacks sharply increasing in Europe where there was a 234% increase in the first half of the year, with a 180% increase in North America and a 59% increase in Asia, although attacks in Asia have been dropping since March.

Ransomware attacks have been steadily increasing each quarter since Q1, 2020; however, the rate of increase is getting worse. Between Q4, 2020 and Q1, 2020, there was a 10.39% increase in attempted attacks. Between Q1, 2021 and Q2, 2021, the number of attempted attacks increased by 63.14%. Q2, 2021 was the worst ever quarter for ransomware attacks since SonicWall has been tracking attacks, with 188.9 million attempted attacks globally in the quarter.

There are several possible reasons for the increase, but ultimately attacks are increasing because they are profitable. Companies are paying ransoms and as long as the money flows and the risk of getting caught remains low, there is little reason for threat actors to stop. The rise in ransomware-as-a-service operations has helped, as they allow threat actors to conduct attacks without having to develop their own ransomware variants.

The reason why so many companies are paying can partially be explained by cyber insurance providers paying ransoms. It is the cheaper option, in many cases, to pay for the keys to shorten downtime, which is one of the biggest costs of an attack.  SonicWall says ransomware actors are also getting better at finding and encrypting backups, but even if backups are not encrypted, many victims choose to pay because most attacks now involve data theft prior to file encryption. Ransom demands are issued to prevent the stolen data from being sold or released online and that is now one of the biggest motivations behind the payment of a ransom.

There are problems with paying ransoms, however. The attackers may not supply valid keys to decrypt data, there is no guarantee that stolen data will be deleted and paying the ransom marks victims as easy and profitable targets who may be attacked again – either by the same group or others who know payment is likely.

Government targets had three times the number of attacks than in 2020 and 10 times the average in June. Government customers were the most attacked although the education sector has also been heavily targeted, with education customers having a higher number of attempted attacks than government customers for 3 of the 6 months between January and June.

The biggest threats in the first half of 2021 were Ryuk, Cerber and SamSam, which together accounted for 64% of ransomware attempts. While the DarkSide RaaS operation went quiet following the attack on Colonial Pipeline, there are indications that the gang has rebranded and returned as BlackMatter. After the attack on Kaseya, REvil went quiet and does not appear to have returned, which is at least some good news.

Ransomware attacks have been soaring, but malware is on the decline and has been since a high point in 2018 when there were 10.5 billion attempted attacks. Since then, SonicWall reports that there have not been two consecutive months when malware attacks have increased. In 2020, there were 5.6 billion malware attempts and so far in 2021 there have been just 2.5 billion.

While the reduction in malware attacks appears to be good news, SonicWall warned that it may not be as good as it seems. What has reduced is the pray and spray attacks where the maximum number of infections are sought. Now attacks are much more targeted, with threat groups concentrating on the most lucrative targets and conducting more sophisticated attacks that make them much more money. Malware reduction has not been accompanied by a fall in cybercrime.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of