Skip to content

Ransomware Trends in 2021 & Predictions for 2022

Ransomware is one of the most dangerous cybersecurity threats facing organisations globally. Attackers focus on any organization of any size, so every business should be aware of ransomware and its potential damage.  

2021 saw an all-time high in ransomware attacks. SMBs, schools, global supply chains, healthcare providers, government organisations, and MSPs were among those affected by ransomware attacks.

This guide will discuss some of the ransomware trends found in 2021, predictions for 2022, and how to protect your organisation from these crippling attacks.

Ransomware in 2021

2021 saw an all-time high of ransomware attacks. To date, 2021 was the most costly and dangerous year on record based on the sheer volume of ransomware attacks. In a SonicWall report, they reported 500 million attempts of ransomware attacks in 2021. According to the 2021 "Verizon Data Breach Investigations Report", approximately 37 percent of global organizations said they were the victim of some form of ransomware attack in 2021.

Largest Ransomware Attacks of 2021

In 2021, it’s estimated that 30,000 websites were hacked daily, and 64% of companies worldwide experienced at least one form of a cyberattack (Techjury)

Many large, popular enterprises were targeted in 2021 with ransomware being a primary payload, making major headlines when these organizations were unable to function or were forced to halt production until they recovered. Here’s a summary of the largest ransomware attacks in 2021.

Colonial Pipeline

Of all the cybercrimes and ransomware attacks in 2021, the Colonial Pipeline attack received the most news coverage. The reason for all the headlines was that this pipeline is a critical infrastructure system in the United States. The attack caused disruption to gas supplies all along the East Coast of the United States, causing chaos and panic among communities. Colonial Pipeline eventually gave in to the demands and paid the hackers, DarkSide, $4.4 million dollars in Bitcoin. Although many researchers discourage paying the ransom, businesses such as Colonial Pipeline are left helpless and forced to pay attackers to retrieve files.


A prominent IT management firm, Kaseya, fell victim to a ransomware attack and made major headlines. Since Kaseya manages critical IT infrastructures for global enterprises, the corporation’s downtime from the attack threatened to halt production for several major corporations, affecting global economies. The hacker group REvil claimed responsibility for the attack and demanded $70 million in Bitcoin for recovery of critical files. According to Kaseya, approximately 50 of their clients and 1000 businesses were impacted. To explain the severity of  the economic impact, one of Kaseya’s clients, experienced downtime that heavily affected revenue. Coop, a Swedish supermarket, was forced to close 800 stores across Sweden for seven days while Kaseya struggled to recover.


The hacker group DarkSide targeted Brenntag, a major chemical distribution company in May last year. Hackers stole 150GB of data and demanded a ransom equivalent to $7.5 million dollars in Bitcoin. Brenntag paid the $4.4 million ransomware fee, which is one of the largest ransomware pay-outs in history.


Computer manufacturer Acer was hit with two ransomware attacks in 2021. The ransomware group REvil targeted the organization and demanded a ransom of $50 million. The ransomware payment was the largest pay-out demand known to date.

The cybercriminals exploited a vulnerability in a Microsoft Exchange server to gain access to Acer’s files. As a result of the attack, REvil disclosed images of sensitive financial documents and spreadsheets to extort money from the computer organization.


European Insurance company, AXA, was hit with a ransomware attack by the hacker group, Avaddon. The hacking group gained access to 3TB of data shortly after AXA announced changes to their policy on reimbursing clients for ransomware payments. The ironic attack by Avaddon affected over 2,000 patient-facing IT systems and 80,000 devices.

JBS Foods

Another victim of the REvil hacking group in 2021 was JBS Foods, one of the largest meat processing companies in the world. JBS paid the hackers a staggering $11 million ransom fee. JBS Foods executives told the Wall Street Journal that paying the ransom was “painful” but necessary. Paying the ransom was the quickest way for the organization to recover IT systems and bring their meat supply chain back to operational.


Quanta is one of Apple’s largest business partners and last year fell victim to a ransomware attack by the REvil hacking group. Quanta refused to negotiate with the hacker group, so REvil targeted Apple instead. REvil disclosed Apple intellectual property and private product blueprints from Quanta and threatened to release further sensitive documents and data if the ransom was not paid. Quanta did not give into the ransom and eventually, REvil called off the attack.

Sign up for a FREE Demo of WebTitan DNS Filter to learn how it can prevent ransomware attacks.

Book Free Demo

Consequences of Ransomware Attacks

Data loss is a major cybersecurity issue because of ransomware attacks, and cybercriminals know this. By demanding money (usually in Bitcoin or other cryptocurrency), organisations pay the fee in order to gain access to decrypted files and restore data. However, this comes with enormous risk. Once paid, there is no guarantee that private keys and data will be provided. Could the organization face legal action? Will data be returned after the ransom is paid? How will this affect customers? These are just a few of the questions victims of ransomware attacks need to consider.  

Ransomware is irreversible, so organizations are left unable to be operational and stay production. For large organizations, downtime can cost millions everyday systems are down. However, cybersecurity experts suggest that no organization should pay the ransom. They suggest that it further encourages attackers to continue making variants and exploiting vulnerabilities. Unfortunately, many organizations have no choice but to pay the ransom and hope for their sensitive files in return.

One of the largest ransomware payments in 2021 was paid by a major insurance company, CNA Financial. The organization paid $40 million to unlock their data and restore the network systems.

2021 saw the average ransom fee rise from $5,000 in 2018 to $312,000 in 2020, and then to $570,000 in 2021. (Palo Alto Networks)

However, ransom fees are far from the only costs to victims.

Sophos reported that the average total recovery costs from a ransomware attack in 2021 was $1.85 million.

The cost of recovery can vary from business to business, but the main factors in costs include:

  • Downtime
  • People hours
  • Implementing a stronger cybersecurity solution
  • Repeat attacks
  • Higher insurance premiums
  • Legal defence and settlements
  • Loss of reputation
  • Loss of business
  • Brand damage
  • Loss of customer

Ransomware attacks can cause major disruptions to an organisation, hence a good and effective security strategy is essential. A DNS Filter combined with an Email Security Solution as a multi-layered approach will help organisations in all industries to prevent ransomware attacks.

Sign up for a FREE Demo of SpamTitan to see how an email security solution can protect your business from phishing and ransomware.

Book Free Demo

Ransomware Predictions in 2022

Numerous ransomware attacks made headlines all over the world in 2021. Hacking groups REvil and DarkSide caused destruction to critical infrastructures, such as the Colonial Pipeline attack that interrupted oil and gas economies. Ransomware is a booming business for malware authors, and we expect to see more attacks in 2022. It’s a multibillion dollar industry, so it’s not surprising that attackers will continue to aggressively deliver ransomware payloads and extort money from its victims.

Many ransomware gangs operate similarly to normal businesses with teams in marketing, software development, support and media.  They are relentless, which is why we expect to see even more ransomware attacks, causing more damage and bigger financial losses.

Rise in Ransomware as a Service

Upguard defines Ransomware-as-a-service (RaaS) as a “subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment. RaaS is an adoption of the Software-as-a-Service (SaaS) business model.”

Ransomware kits (RaaS kits) are sold on the dark web as a service, just like you’d find a typical SaaS model on sale from a legal provider. RaaS kits provide criminals with the resources to launch a ransomware attack without the need for development knowledge or technical skills. These RaaS kits are cheap, subscription-based, and they come with access to forums, support, and future purchase discounts. Because of their support and distribution model, RaaS kits are very accessible and easy to use for cybercriminals.

As more RaaS kits are deployed, the specific malware author is often difficult to identify. Because clients are not the ones deploying the ransomware, the RaaS model is also difficult to stop and detect. Most RaaS attacks are deployed from a centralized server behind the Tor network, and malware authors lease command-and-control features to customers who can launch an attack with the click of a button.

Security experts predict that 2022 will most certainly bring an influx of RaaS.

The Rise of Remote Access Markets

In the coming months of 2022, we predict that another form of ransomware methodology will expand.


Remote access markets are automated stores that allow threat actors to sell and exchange access credentials to compromised websites and services (Source: Kela 2020)

Remote access markets are used by cybercriminals to access sensitive data within an organisation and threaten them with ransom demands using RaaS operators. RaaS and remote access markets expand the business of ransomware and could be a growing threat to watch in the coming year.

In 2020, we may see the rise in threat actors buying access to organisations and deploying malware into their infrastructure. Because the attacker has access to the organization, numerous attacks in addition to ransomware could be deployed. For example, it’s not uncommon for attackers to install backdoors and other malware on the network to ensure persistent access to operational infrastructure.

Quadruple-Whammy Attacks

This year, we expect ransomware attacks to be even more brazen than in 2021. The Lapsus$ Group gave us this indication from an attack that took place in early 2021.  Attacks deployed by this hacking group result in:

  1. Encryption
  2. Data theft
  3. Customer phishing
  4. Social media takeover

This multi-level attack is expected to become very common in ransomware attacks this year.

Fight against Ransomware

We expect that 2022 will see governments around the world come together to fight ransomware hacker groups. Governments will join forces to protect critical infrastructure and supply chains. This prediction stems from a global meeting held by the US government meant to collaborate with country leaders in an effort to tackle the rising ransomware problem.

Following the global ransomware summit, law enforcement agencies worldwide amplified their proactive activities against ransomware gangs. Europol and Interpol recently conducted investigations to stop ransomware groups from continuing their operations. One target for Europol and Interpol is REvil, which led many of the biggest ransomware attacks in 2021.

As a result of governments coming together to fight ransomware worldwide, this will have a significant impact on the ransomware landscape in 2022.

Malware Strains to Watch in 2022

Macaw Locker

This is the latest ransomware strain released in October by the hacker group, REvil Corp. This variant creates a ransomware note in every directory that contains a summary of what the attack has done to the victim’s system and directions on how to recover from it.  The targeted victim is assigned a campaign ID as well as an assigned negotiation page on the Macaw Locker’s Tor site that includes a chat box to communicate with the attackers.  The victim is given a tool to decrypt three files for free to illustrate the concept. Macaw Locker attacks are identified with the “.macaw” extension to the file name.

Victims of Macaw Locker ransomware attacks include a leading medical technology company that was forced to take down its IT systems across North and Central America. Another victim was a TV broadcasting station that lost access to its Microsoft Active Directory infrastructure, which brought down many of its server operations and user account access policies. 

The Macaw Locker attackers requested ransomware fees as high as $40 million, but it’s not known if the ransoms were paid.

Babuk Ransomware

Cisco Talos first discovered Babuk ransomware in November of last year. The original strain targeted companies using Microsoft Exchange Server vulnerabilities. However, we predict Babuk ransomware authors will deploy attacks with various strategic methods to stay effective. The latest variant targeted multiple Windows platforms across server and desktop operating systems. Not only does Babuk encrypt files, but it also disrupts the system backup process and deletes Windows system files. It uses a PowerShell command to download the payload which then launches the malicious code across the network on all vulnerable storage locations.


Jigsaw ransomware has been around for several years, but it’s a particularly nasty ransomware variant that is predicted to continue in 2022.

When Jigsaw ransomware gains access to an organisation’s network, the organisation has a shortened amount of time to pay the ransom before it delivers its final payload deleting targeted victim files. The malware is delivered via a phishing attack and via Adware on malicious sites.

One ability Jigsaw lacks that most ransomware uses is the ability to traverse a network and deliver payloads to additional machines. Jigsaw only affects the machine that downloads the malware, so it’s better suited for individuals or a specific high-level target. It’s also possible to halt the file deletion process by stopping the process in the Windows Task Manager.


Another ransomware-as-a-service tool to be mindful of this year is AvosLocker. Malware authors for this ransomware selectively seek affiliates that can prove access to a possible target. AvosLocker adds the “.avos” file extension to all encrypted files, making it easy to spot on a system after it has delivered its payload.

A recent victim of AvosLocker ransomware was the city government of Geneva, Ohio. AvosLocker attackers used double extortion to convince the city to pay the ransom. Double extortion is growing in popularity. Attackers threaten to disclose sensitive data to the public if the targeted victim does not pay the ransom. For the City of Geneva, attackers threatened to disclose tax returns, court records and social security numbers.

We expect to see more double extortion attacks in 2022.

Sign up for a FREE Trial of TitanHQ's multi-layered security solutions to prevent ransomware attacks.

Book Free Trial

Building a Ransomware Defence Strategy

Ransomware attacks are increasing, and attack methodologies are constantly changing and adapting. As more cybersecurity infrastructure is developed and deployed to stop ransomware, malware authors change their code to bypass defences. If your organisation is hit with a ransomware attack, it could have a detrimental effect, making it vital for organizations to implement a ransomware defence strategy before an attack strikes.

Here are key critical elements that you should include in your ransomware defence strategy to mitigate risks:

  1. Embrace a zero-trust model – organisations must introduce a zero trust model. This means that user accounts should never be trusted and always verified whenever data access is requested.
  2. Employee training and security tests – Employee cyber security training is extremely important to avoid many human errors and negligence behind a successful ransomware attack. Employees are the attack gateway to an organisation, and they must know how to spot a phishing email and a spoofing or impersonation email. Once training is complete, organisations should test employee security awareness training with fake phishing emails to identify those who could use improvement and additional education. This can be done by using effective security awareness training software.
  3. Patch frequently- by maintaining a consistent patch management policy, this will reduce the risk of zero-day vulnerabilities and ransomware attacks. It also reduces risk of an exploit from known security vulnerabilities in outdated software.
  4. Password management – organisations should change default passwords always and ensure all passwords are complex with a mix of upper and lowercase letters, special characters, and numbers. The use of a password generator can be helpful to create a password that cannot be brute forced in dictionary attacks or password sprays. A password manager tool is also recommended to store all passwords.
  5. Use MFA – although MFA will not entirely stop a ransomware attack, it is an important method in stopping account compromises used to deploy malicious payloads using legitimate accounts with hacked credentials.
  6. Implement security solutions to block all malware and phishing – the use of cybersecurity solutions to prevent ransomware attacks is crucial. There is a whole variety of technologies available, but all organisations must have: (1) A DNS filtering solution to block malware and email links to malicious websites and (2) Email security to prevent phishing emails, spoofing, scanning of malicious attachments and links within an email message.

How you Can Prevent Ransomware Attacks on Your Business

TitanHQ has over 20 years of experience in fighting ransomware attacks. Trusted by over 2,500 Managed Service Providers (MSPs), 8,500 organisations and large popular brands including: Virgin Media, Datto, Microsoft, and more, TitanHQ has a range of multi-award-winning solutions to prevent ransomware attacks.

WebTitan DNS Filter is an advanced web filter providing both protection from HTTP and HTTPS security threats as well as advanced DNS filtering control to businesses, MSPs, government and schools. It blocks malware, phishing, viruses, ransomware and proactively blocks malicious sites from user access.

SpamTitan Email Security blocks phishing, malware, spam, viruses and other malicious email threats. SpamTitan provides advanced yet easy to use email protection for your business.

Sign up for a FREE Trial of TitanHQ's multi-layered security solutions to prevent ransomware attacks.

Book Free Trial
Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us