I’m sure I’m not the only one who expected the world to magically get back to normal — whatever that is — when the ball dropped on 2021. After seeing a rise in threats last year, no more ransomware, or at least fewer attacks, was on my very long wish list for a wonderful new year.

But the past few months brought me back to reality, as experts at Barron’s predict the likelihood of a rise in attacks this year. We’ve already seen new threats emerging and current trends getting worse. Here are three ransomware trends to expect to hear more about in 2021.

Attacks as a Commodity

On the surface, it’s easy to assume ransomware using botnets and loaders bought off the dark web are less sophisticated than hand-built attacks. However, many cyber criminals are turning to these tools to look for vulnerabilities in a system or network. By scouting ahead, threat actors can launch larger and more damaging attacks. Often, these start as low-level or sleep attacks that lead to large-scale damage.

Threat actors are also turning to community ransomware, such as the newly discovered Egregor family, to launch double-extortion ransom attacks. In addition to asking for money from the company for releasing the data, this type directly targets the people whose data was stolen. The data is often harmful to a person’s or business’ name to the point that they may be willing to pay for the release of their data.

So, how do we stop ransomware like this? Because the initial tools used are not overly sophisticated, the IBM X-Force Definitive Guide to Ransomware recommends focusing on basics to prevent this kind of attack. Use common sense tactics, such as securing endpoints, using multifactor authentication and making sure employees update operating systems on all devices often. Backing systems up and then storing backups apart from primary networks is also key.


While not a new threat or method, experts expect ransomware-as-a-service (RaaS) to become more widely used in 2021. Honest businesses also commonly use the as-a-service model across software and infrastructure. This type of ransomware allows cybercriminals to purchase a subscription and then use the malicious code to launch attacks.

Because this allows threat actors without technical backgrounds to launch attacks, RaaS greatly expands the possible numbers of attacks. Before this, ransomware attacks were expensive to launch because a skilled developer would have to create a unique variant of an infection. With RaaS, cyber criminals launching attacks only pay for the services they use. They often pay a percentage of the ransom collected to the RaaS vendor. By creating a business model selling ransomware, developers are more protected from detection because they are not the ones launching the attacks.

RaaS attacks often begin as phishing attacks. The IBM X-Force Definitive Guide to Ransomware suggests performing surprise mock phishing exercises to collect metrics on who clicks on suspicious links or attachments. Also, consider removing executable attachments sent through email to block potential threats.

Attacks Against Schools

The switch to remote learning in 2020 opened schools up to digital attacks. During August and September 2020, 60% of all ransomware attacks were against K-12 schools, the FBI says. That’s a 30% increase over the previous two months. In late November 2020, Baltimore schools closed remote and in-person learning for a week due to a large-scale ransomware attack. Huntsville, Alabama, schools endured a similar closing, with staff and students instructed not to log in during the closure. As a response, the Cybersecurity and Infrastructure Security Agency recently launched a new ransomware awareness initiative focused on K-12 schools through education and resources.

A lack of training around this issue for teachers, the majority of educators using their own devices and a lack of budgets for defensive tools all contribute. With remote learning, attackers now have many more endpoints to access. In addition, more users are remotely logging in to a system. With some children attending school remotely at learning and daycare centers, many students may be using unsecured and public wireless networks.

The IBM X-Force Definitive Guide to Ransomware recommends creating an incident response plan to allow schools to act quickly during a ransomware attack. Because end users are often the first to encounter a ransomware attack, the guide also says that role-based training can be critical to preventing attacks.

How to Avoid Ransomware

In addition to the specific tips above, there are some general guidelines for ransomware prevention for your home, school or business. The IBM X-Force Definitive Guide to Ransomware explains that it’s particularly malicious because no administrative privileges are needed to launch an attack. The guide also stresses that all ransomware attacks are not equal. Ransomware that is not mitigated with decryption keys or resolved through reverse engineering carries a much higher risk of damage than other types of attacks.

Like everyone else, I’m hoping the remainder of 2021 brings lots of good news. And even with the increased attacks, there is at least some good news. By being prepared, you can reduce the risk of being a victim. Even more importantly, you can reduce the damage if you are a victim. The IBM X-Force Definitive Guide to Ransomware provides detailed steps about how to develop a comprehensive incident response plan. Within this, it provides detailed directions for different scenarios and types of attacks.

You are taking the first step toward protecting your data and infrastructure by reading this article. And now it’s time to take the rest of the steps — proactive actions toward protecting your data and infrastructure.

Download the guide

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today