Retrospect Blog

Top 4 Ransomware Attacks to Be Aware of Going Into 2021

From malware-distributing Facebook ads to COVID-19-themed phishing emails, ransomware groups are the first to adapt their messaging to take advantage of uncertainty. The ongoing pandemic, along with the massive changes it has caused to our everyday lives, has given these groups ample resources to exploit.

This year alone, 80 percent of ransomware attacks with massive data dumps have originated from four ransomware families: Maze, REvil/Sodinokibi, Ryuk/Conti, and NetWalker, according to Digital Shadows cybersecurity researchers. By 2021, ransomware is expected to continue to grow, with an attack happening every 11 seconds and a cumulative cost rising to $20 billion, based on projections in a Cybersecurity Ventures report.

Learn what makes these four ransomware families so dangerous to better adapt your data protection plan in 2021.

REvil / Sodinokibi (Successor of GandCrab)

How they infiltrate organizations:

REvil uses RaaS (ransomware as a service) to split profits with individuals who identify vulnerabilities and infiltrate the system. Each affiliate gets a 70% cut of what they bring in themselves, while the coders of REvil get 30% of all gains.

REvil originally infiltrated systems using Oracle WebLogic vulnerabilities. Since then, the threat actors have expanded delivery to exploit kits, malicious spam campaigns, brute-forcing of RDP servers, and backdoored software installers.

What they do if the ransom isn’t paid:

The group has auctioned off private data to cybercriminals using an eBay-like website and maintains a leak page on the dark web to publish stolen information if organizations refuse to pay the ransom.

What puts them in the top 4:

REvil publicly recruits affiliates and hackers with the lure of one million dollars and has a proven track record of causing mass devastation using the RaaS model.

This particular ransomware is believed to have evolved from GandCrab, which Bitdefender estimates to be responsible for 40% of all ransomware infections globally. This indicates just how devastating this ransomware family could become if this latest version is as effective as its predecessor.

Maze (previously called ChaCha Ransomware)

How they infiltrate organizations:

The main distribution tactics for Maze are malspam campaigns using Word or Excel attachments and brute-force RDP attacks. The initial distribution method used exploit kits, like Fallout EK and Spelevo EK, to spread the ransomware through websites.

Other known infiltration tactics exploit Pulse VPN and a remote code execution vulnerability in the Windows VBScript Engine to gain network access.

What they do if the ransom isn’t paid:

On their website, the group states that if the ransom is not paid, the following actions will take place:

  • Inform the media and offer details about your security breach

  • Sell the stolen data on the black market

  • Inform stock exchange, your clients, and partners about the stolen data

If victims do not pay the ransom, the group has also stated that the organization’s partners and clients will be targeted.

What puts them in the top 4:

Maze introduced public data leaks in order to extort victims for ransom. This methodology was quickly adopted by other ransomware groups and has started to become the norm. Many prevalent groups now have their own data leak website to publish victims’ information after they refuse to pay out.

Conti (Successor of Ryuk)

How they infiltrate organizations:

This ransomware is designed to be controlled by an adversary using command line options rather than automatic deployment. It targets network-based organizations and at this time no specific infection vector is known.

What they do if the ransom isn’t paid:

The group has had an official data leak site since June of 2019. They use the site to publicly share private data in the event the ransom goes unpaid.

What puts them in the top 4:

This ransomware accelerates data encryption and can linger in your systems for weeks without notice. Conti takes advantage of Windows Restart Manager to disable security, backup, database, and email solution services to prep for encryption. This family of ransomware can encrypt hard drives, network shares, and even specific IP addresses.

NetWalker / Mailto

How they infiltrate organizations:

NetWalker uses RaaS (ransomware as a service) to split profits with individuals who identify vulnerabilities and infiltrate the system. Each affiliate gets a cut of up to 84% of earnings, and the remaining profits go to the NetWalker group. Affiliates are prohibited from deploying the ransomware against organizations located in Russia and the Commonwealth of Independent States.

Originally, the ransomware was distributed through phishing emails with a focus on mass infection. Once the email was clicked, a virus attacking VBScripts was deployed and could spread to any machine connected to the same Windows network.

Since then, the group’s focus has shifted from mass distribution to targeting large private organizations. They have successfully done this by exploiting unpatched VPN appliances, exposed spots in web applications, and weak RDP passwords.

What they do if the ransom isn’t paid:

Like the other ransomware families, NetWalker leaks the private data of organizations that don’t pay.

What puts them in the top 4:

The group took advantage of COVID-19 to distribute phishing emails and launch their ransomware on a mass scale. According to McAfee, NetWalker raked in an estimated $29 million in profits between March and July of 2020.


Ransomware groups are a threat to your organization’s data security. But there are ways to mitigate an attack and recover if your data does get taken hostage. A key factor in successful recovery is data backups. By maintaining a proper backup schedule with multiple copies across different media types and one copy offsite, you give yourself a guaranteed way to completely restore your system. Without a proper backup strategy, you leave your data to chance, and there are no guarantees threat actors will give your data back.

For more data protection facts, read our free guide on the five essential steps your business needs to take to protect against a ransomware attack.


Jana Kurita

Jana Kurita is Marketing Communication Coordinator at Retrospect and Drobo.