Ransomware demands up by 43% so far in 2021, Coveware says

This could spell trouble for victims trying to avoid paying out ransoms.
(Getty Images)

Ransomware hacking groups are getting greedier.

The average demand for a digital extortion payment shot up in the first quarter of this year to $220,298, up 43% from the previous quarter, according to a quarterly report from Coveware, a ransomware response firm. The median payment, too, jumped up 58% from from $49,450 to $78,398.

The majority of ransomware attacks in the first quarter also involved theft of corporate data, a continuation of a trend of ransomware actors increasingly relying on exfiltration and extortion demands. Seventy-seven percent of ransomware attacks included the threat to publish stolen data in the first quarter of this year, which is up 10% compared to the last quarter of 2020, Coveware found.

The report comes as the U.S. government is working to improve law enforcement actions targeting the infrastructure that supports ransomware gangs. In recognition that extortion demands are an increasingly popular approach, the U.S. Department of Justice just stood up a taskforce meant to tamp down on ransomware attacks in the hopes of reducing costs to U.S. victims.


Coveware found that, so far this year, fewer victims were paying out ransom demands. But with extortion attempts on the rise, victims may feel tempted to pay up, even if they are better off avoiding the exchange of currency entirely, Coveware advises.

“Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage,” the company wrote in its report. “On the contrary, paying creates a false sense of security, unintended consequences and future liabilities.”

In what is likely to be welcome news for law enforcement officials, some ransomware groups appeared to encounter problems in their attack campaigns and running “criminal enterprise at scale” in the first quarter, according to Coveware.

The Conti group, for instance, was attacking victims it had already targeted, a move which runs counter to an organization interested in getting victims to cough up ransom demands, researchers found. Sodinokibi, which was the most common strain found in ransomware attacks last quarter, encountered technical problems in their attacks, while law enforcement entities’ takedown of Netwalker infrastructure apparently ground those operations to a halt.

A whole slew of hurdles in tackling ransomware gangs remains, however.


Average downtime following a ransomware attack grew 10% in the last quarter to 23 days, according to the report. And although hackers were relying on spearphishing as a way to launch their ransomware attacks through much of 2020, gangs are increasingly switching to exploiting vulnerabilities in Remote Desktop protocol services and software vulnerabilities, to breach victim networks, Coveware found.

Part of the challenge law enforcement officials face is keeping up with an evolving threat landscape and array of actors who utilize different techniques.

One ransomware group, known as Clop, has been particularly active in the most recent quarter, Coveware found, for instance. But although Clop ransomware infections were the fourth most common last quarter, in the previous quarter attacks with Clop didn’t rank among even the top ten.

Ransomware gangs in general switched up their target set last quarter as well, and have increasingly been going after victims in the professional services industry, namely law firms, per the report.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts