Cofense - Security Awareness Training & Email Threat Detection

Ransomware in 2020: Not Just More, But Different

Share This Article

Cofense IntelligenceTM assesses that enterprise-targeted ransomware campaigns will most likely increase from 2020 into the next few years, based on attack and ransom payment trends over the last six months. In the latter half of 2019 through this year, ransomware campaigns escalated in targeting public organizations. These attacks were frequently debilitating to an impacted organization’s ability to operate and provide services and, in some cases, resulted in a data breach.

Interestingly, victims are opting to pay the ransom more often. The cost of data recovery, reputation salvaging, and business impact often outweigh the payment itself. Further, those victims with insurance are paying at their insurer’s recommendation, often with the insurance companies covering a good deal of the cost. With enterprise ransomware campaigns becoming more lucrative for the operators, Cofense Intelligence predicts a surge in the next few years.

In the most recent IC3 report, the “FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and /or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

In the second half of 2019 and through 2021 ransomware campaigns targeted different types of organizations, including schools, governments, infrastructure, and hospitals. Most of the victims offer public services that were disrupted or severely damaged. The Flagstaff Arizona school district suffered a ransomware attack that reportedly closed the entire school district for two days before services were recovered. Johannesburg, South Africa, was attacked in October 2019 and held hostage for $30,000—the third ransomware attack the city government suffered last year. Ransomware attacks in December 2019 targeted the Oahu Cancer Center in Hawaii and disrupted patient care, including the ability to administer radiation treatment. The victims of these attacks are finding it preferable to pay the ransom than to deal with the aftermath of data and system loss. Unfortunately, this emboldens future attacks and creates more targets.

In 2021, Colonial Pipeline, a company that transports about 45% of all the fuel consumed on the East Coast and serves almost 50 million U.S. customers, was hit by a malware attack led by the ransomware group, Darkside. That attack was followed quickly by JBS Meatpacking company, then REvil ransomware threat actors exploited a zero-day vulnerability to issue ransomware payloads disguised as legitimate software updates from Kaseya. Other notable ransomware incidents include Buffalo Public Schools, Acer, CNA Financial, Quanta Computer, and Ireland’s Health Service Executive.

We are now seeing ransomware campaigns that include data breaches and exfiltration. A number of victims of Maze ransomware, a few companies and one Florida city, did not immediately pay up and learned the hard way that a data breach had also ensued. Maze operators exfiltrated data in the course of their attack and released stolen documents, further extorting their victims to pay up and threatening that failure to do so would mean the release of more sensitive information. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment. The Maze ransomware operators allegedly exfiltrated around 120GB of data from Southwire during another ransomware attack.

Ryuk and Sodinokibi (ReVil) are two of the other widely recognized ransomware operators. In a report from Palo Alto Networks, the average ransom paid for organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million. In 2021, that number grew to $40 million.

Other more recent ransomware attacks of note are:

  • Kia Motors:  The incident became known when it was reported that the company was suffering a major IT outage across the U.S., which affected the internal sites used by dealers, mobile apps, and phone and payment systems.
  • University of MD and University of CA were both hit by the same attack group named CLOP
  • Whistler Resort (Canada) -The incident resulted in its temporarily suspending phone, network and website access, with walk-in services at the municipal hall also being suspended.
  • Pierre Fabre, a leading cosmetics group, was hit with $25 million ransomware attack

In May 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The United States federal government advises organizations not to pay a ransom, as it only encourages further attacks and there is no guarantee the captured resources will be returned in their original form. However, victims are increasingly paying the ransom, as was seen in the latter half of 2019. Then in July, the White House issued National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems whose primary objective is to “defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.  The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.” Participation is voluntary.

Future Dangers of Ransomware

With their profits rising, ransomware operators will likely increase their campaign volume in the next few years at least. The success of ransomware campaigns may encourage the creation of additional ransomware families, requiring global organizations to evolve their cybersecurity posture.

We expect other trends to follow in line with our ransomware predictions. More cybersecurity firms might be utilized as a third-party negotiator for payments. Stolen data can be used in different ways—not just taken hostage—to leverage more money from the victims, especially if unsavory information is exfiltrated.

More and more enterprise organizations are expected to include cybersecurity insurance within their yearly budgets. In short, it appears more companies are making business decisions that demonstrate an understanding of the likelihood of ransomware attacks. While it is good to be prepared, feeding the beast of ransomware will fuel cybercriminals looking to make large profits.


Cofense is the only company that combines a global network of 30 million people reporting phish with advanced AI-based automation to stop phishing attacks fast. Our Phishing Detection and Response (PDR) security solutions combine technology and unique human insight to catch and stop phishing attacks — before they hurt your business.

Every day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads that bypassed email gateways. 100% of the threats found by the Cofense PDC were identified by the end user. 0% were stopped by technology.

Condition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.