An increase in ransomware attacks is not news to us anymore. However, that number has risen dramatically in 2020, a trend that businesses and individuals alike must NOT ignore.

Back in 2019, a McAfee report confirmed that across all sectors, ransomware incidents increased by 118% during the first quarter of 2019. That number spiked significantly in 2020, where a Mid-Year Threat Landscape Report 2020 from Bitdefender shows a 715% year over year increase in detected and blocked ransomware attacks in 2020.

We believe ransomware attacks will only increase as schools go to distance learning and working-from-home becomes the norm. The results in Quorum’s 2020 disaster recovery survey, conducted in Q1 2020, show that external computer threats such as ransomware were the #4 most common circumstance where an IT Disaster Recovery Plan was executed. In 2021, we believe that it will take the #3 spot, overtaking user/employee errors.

Circumstances Where IT DR Plan was Executed

Circumstances Where IT Disaster Recovery Plan was Executed. Source: How Businesses Approach IT Recovery in 2020 by Quorum.

In 2021, we will not just be dealing with a growth in ransomware attacks, but also increased ransomware variants, extortion methods, and sophistication. Here, we listed the top 5 trends in ransomware to watch out for in 2021.


According to Sophos, 2021 will be the year of commodity ransomware. Ransomware groups are now offering small-time cybercriminals ransomware-as-a-service (RaaS), where these small-timers pay for a ransomware tool like Dharma or Emotet to carry out ransomware attacks themselves.

In other words, offering ransomware has become a business model similar to a software company. ANYONE can easily start using these tools to carry out ransomware attacks – as long as he has a laptop computer. What’s more, they’re even broadening their reach by offering affiliate selling models. It’s also been reported that access to compromised system by these small-time attacks can be sold to the big-time ransomware groups that uses Ryuk or other variants.


The average ransom demand increased 100% from 2019 through Q1 of 2020. Due to the success of overall ransomware attacks this year, more companies have negotiated and paid ransoms to get their data back. This is especially true for industries who are in desperate need of their data, such as healthcare, where operational disruptions can lead to life and death situations.

Some notable attacks have resulted in ransom amounts greater than $10 million, such as the $14 million ransom demand from Brazilian utility Light SA and the $15 million demand that Telecom Argentina had to contend with.


The common ransomware attack used to be focused on encrypting the victim’s data, then demanding a ransom to decrypt. Now, there is a good chance that the victim’s data is being exfiltrated and stolen as well, just like what happened in the Solarwinds hack.

Stealing data is another method used to extort victims into paying the ransom. They would use the stolen data as leverage by threatening to leak those data if the victim doesn’t pay. Organizations in the legal, healthcare, and financial sectors are among the most targeted by these campaigns, assuming they hold the most sensitive data. This release of sensitive data can be especially detrimental to a company’s image and brand. This may be another reason why we’re seeing an increased success rate and higher ransom demand from these attacks. This is likely to become a long-term extortion mechanism.


As our reliance on our mobile device grows, so will ransomware attacks on these devices evolve and grow. In 2020, a screen overlay attack on Android devices emerged as a new type of threat. According to Microsoft, this malware doesn’t actually block access to files by encrypting them, but instead blocks access to devices by displaying a screen that appears over every other window, rending the device useless. On the screen is the ransom note.

There’s also another strain of Android ransomware called Filercoder.C, where it lured users to install an app to gain access to pornographic content. When the victim downloads and installs the app, the ransomware encrypts system files and sends an SMS text to the victim’s contact list, encouraging them to use download and install that app.


As mentioned in #1, Ransomware-as-a-Service are mirroring their business model after software companies. It seems they are also following software companies when it comes to raising capital to grow their business.

“Cybercriminals have discussed, in open forums, proposals to create a venture capital organization or stock market of sorts, where interested parties can finance the development of malware, tools, and frameworks without ever writing a line of code,” reads a report by Booz Allen Hamilton.

If these criminals do get their funding, we can expect to see a substantial growth in ransomware attacks.


Ransomware protection can get extremely costly and complex, especially if you invest in perimeter defenses, intrusion detectiondatabase activity monitoring, and everything mentioned in this ransomware prevention best practices guide. But for companies without those types of resources, a solid data backup and recovery solution can do the job.

But the problem is, most data backup and recovery solutions are at risk of being infected with ransomware. The attack wouldn’t just encrypt all files in the corporate network, but also all the files in the backup repository. Other solutions have a different type of problem – when they restore their files from the backup, the ransomware is still there because it has already infected the backup files.

Quorum’s data backup and recovery system (onQ) is free from all those problems. Other than sharing a “wire”, Quorum onQ is completely separate from your infrastructure. It does not use your production storage, DNS, or Active Directory. This architecture is just one of the reasons why so many Quorum customers have all successfully recovered from ransomware attacks with a click.

To learn how Quorum can help you defend against ransomware, download this datasheet or schedule a demo now.

As we have learned with Met Opera’s ransomware attack, when developing a plan you need to include all potential actors. With Met Opera, the security team has stepped in and is driving all steps post-attack. We are not sure this was expected or part of the actual plan. If this is how the organization wants to run things, that’s fine, but it should be known in advance and be part of the test scenarios.


Before the actual planning takes place, you need to assess your organization’s needs, resources, and goals. That is what disaster recovery PRE-planning is all about. This includes business continuity planning (as mentioned earlier), defining people’s roles and responsivities, and much more. Further, once the disaster recovery process is initiated, there’s a list of management tasks that requires completion, including starting a Call Tree, deciding on command center, and more. We have compiled a list of pre-planning checklist and a list of management tasks in this recorded webinar here for those of you who are serious about mitigating risks and being prepared.

Join our newsletter.

Stay up to date with industry trends and best practices.

Request a Demo

See how easy it is to recover your data from the unexpected.