Ransomware Trends 

The surge in attackers extending their threats beyond data encryption was a key ransomware development in 2021. Several ransomware gangs have shifted their tactics to steal and exfiltrate data before encrypting it, then request payment to prevent the data from being leaked publicly. While this technique isn’t new (it dates back to at least 2019), the number of organizations that embraced it in 2021 was significant, to the point that it became the standard.

Before encrypting data or taking other actions, ransomware groups frequently rely on many affiliates to get access to an environment. These affiliates typically utilize crimeware like Bazar and Qbot to acquire initial access to a system before handing over control to ransomware gangs.

Defenders must also deal with the emergence of new organizations and the disappearance of others (often to be reincarnated in a different form as another group). Egregor, Sodinokibi/REvil, BlackMatter, and Doppelpaymer were among the ransomware families we said our goodbyes to in 2021. BlackByte, Grief, Hive, Yanluowang, Vice Society, and CryptoLocker/Phoenix Locker are new ransomware families. Many new ransomware families resembled previously “disappeared” families, prompting researchers to believe that existing enemies merely returned under a new moniker.