I’m sure I’m not the only one who expected the world to magically get back to normal — whatever that is — when the ball dropped on 2021. After seeing a rise in threats last year, no more ransomware, or at least fewer attacks, was on my very long wish list for a wonderful new year.

But the past few months brought me back to reality, as experts at Barron’s predict the likelihood of a rise in attacks this year. We’ve already seen new threats emerging and current trends getting worse. Here are three ransomware trends to expect to hear more about in 2021.

Attacks as a Commodity

On the surface, it’s easy to assume that ransomware using botnets and loaders bought off the dark web is less sophisticated than hand-built attacks. However, many cyber criminals are turning to these tools to look for vulnerabilities in a system or network. By scouting ahead, threat actors can launch larger and more damaging attacks. Often, these start as low-level or sleep attacks that lead to large-scale damage.

Threat actors are also turning to community ransomware, such as the newly discovered Egregor family, to launch double-extortion ransom attacks. In addition to asking for money from the company for releasing the data, this type directly targets the people whose data was stolen. The data is often harmful to a person’s or business’s name to the point that they may be willing to pay for the release of their data.

So, how do we stop ransomware like this? Because the initial tools used are not overly sophisticated, the IBM X-Force Definitive Guide to Ransomware recommends focusing on basics to prevent this kind of attack. Use common sense tactics, such as securing endpoints, using multifactor authentication and making sure employees update operating systems on all devices often. Backing systems up and then storing backups apart from primary networks is also key.


While not a new threat or method, experts expect ransomware-as-a-service (RaaS) to become more widely used in 2021. Honest businesses also commonly use the as-a-service model across software and infrastructure. This type of ransomware allows cybercriminals to purchase a subscription and then use the malicious code to launch attacks.

Because this allows threat actors without technical backgrounds to launch attacks, RaaS greatly expands the possible number of attacks. Before this, ransomware attacks were expensive to launch because a skilled developer would have to create a unique variant of an infection. With RaaS, cyber criminals launching attacks only pay for the services they use. They often pay a percentage of the ransom collected to the RaaS vendor. By creating a business model selling ransomware, developers are more protected from detection because they are not the ones launching the attacks.

RaaS attacks often begin as phishing attacks. The IBM X-Force Definitive Guide to Ransomware suggests performing surprise mock phishing exercises to collect metrics on who clicks on suspicious links or attachments. Also, consider removing executable attachments sent through email to block potential threats.
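The attachment-removal recommendation above can be enforced at a mail gateway or filter hook. The sketch below is an added example, not code from the IBM guide: it strips attachments whose name ends in a blocked extension or whose content starts with the Windows PE magic bytes, so a renamed binary is also caught. The extension list, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable (assumed list; tune to local policy).
BLOCKED_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js",
               ".vbs", ".ps1", ".hta", ".jar", ".msi")

def is_executable(part):
    """True if a leaf MIME part looks executable by name or by content."""
    # Windows ignores trailing dots/spaces, so "a.exe." still runs as a.exe.
    name = (part.get_filename() or "").lower().rstrip(". ")
    if name.endswith(BLOCKED_EXT):          # also catches "invoice.pdf.exe"
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"             # PE header: renamed binaries

def strip_executables(raw):
    """Return (cleaned message, list of removed attachment names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):           # snapshot before mutating
        if not part.is_multipart():
            continue
        kept = []
        for child in part.get_payload():
            if not child.is_multipart() and is_executable(child):
                removed.append(child.get_filename() or "(unnamed)")
            else:
                kept.append(child)
        part.set_payload(kept)
    return msg, removed

def build_sample():
    """Constructed test message: one benign PDF, two executables."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "staff@example.org"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    for data, fname in [(b"%PDF-1.4 constructed", "invoice.pdf"),
                        (b"MZ\x90\x00 constructed", "report.pdf"),
                        (b"echo constructed", "update.pdf.bat")]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, dropped = strip_executables(build_sample())
    print("removed:", dropped)
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```

Logging the removed names alongside the sender gives the same kind of metric the mock phishing exercises collect, without delivering the payload.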

Attacks Against Schools

The switch to remote learning in 2020 opened schools up to digital attacks. During August and September 2020, 60% of all ransomware attacks were against K-12 schools, the FBI says. That’s a 30% increase over the previous two months. In late November 2020, Baltimore schools closed remote and in-person learning for a week due to a large-scale ransomware attack. Huntsville, Alabama, schools endured a similar closing, with staff and students instructed not to log in during the closure. As a response, the Cybersecurity and Infrastructure Security Agency recently launched a new ransomware awareness initiative focused on K-12 schools through education and resources.

A lack of training around this issue for teachers, the majority of educators using their own devices and a lack of budgets for defensive tools all contribute. With remote learning, attackers now have many more endpoints to access. In addition, more users are remotely logging in to a system. With some children attending school remotely at learning and daycare centers, many students may be using unsecured and public wireless networks.

The IBM X-Force Definitive Guide to Ransomware recommends creating an incident response plan to allow schools to act quickly during a ransomware attack. Because end users are often the first to encounter a ransomware attack, the guide also says that role-based training can be critical to preventing attacks.

How to Avoid Ransomware

In addition to the specific tips above, there are some general guidelines for ransomware prevention for your home, school or business. The IBM X-Force Definitive Guide to Ransomware explains that ransomware is particularly malicious because no administrative privileges are needed to launch an attack. The guide also stresses that not all ransomware attacks are equal. Ransomware that is not mitigated with decryption keys or resolved through reverse engineering carries a much higher risk of damage than other types of attacks.

Like everyone else, I’m hoping the remainder of 2021 brings lots of good news. And even with the increased attacks, there is at least some good news. By being prepared, you can reduce the risk of being a victim. Even more importantly, you can reduce the damage if you are a victim. The IBM X-Force Definitive Guide to Ransomware provides detailed steps about how to develop a comprehensive incident response plan. Within this, it provides detailed directions for different scenarios and types of attacks.

You are taking the first step toward protecting your data and infrastructure by reading this article. And now it’s time to take the rest of the steps — proactive actions toward protecting your data and infrastructure.


If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
