Your single source for new lessons on legal technology, e-discovery, and the people innovating behind the scenes.

Bad Actors Around the World: Global Ransomware Trends from Q2 2021

Kyle Kurdziolek

Ransomware has consistently been the hot topic of 2021. From the existing threat actors to the newer players angling for the opportunity to get access to ransomware targets, the ransomware landscape is ever changing. As Calder7 compiled our reports on the security landscape in various regions during the second quarter of this year, it became quite clear that the trend isn’t anywhere close to finished.

During this period, we have seen ransomware operators become more prolific based on targets, the ransom they demand, and the variety of tactics used. Even in the criminal underground, however, being popular does come with a price: The unwanted attention that previous ransomware variants received has sparked government initiatives globally to stop these types of attacks.

While such initiatives may have forced some of these operators to go into hiding, it has also caused new variants to rise from the shadows.

Ransomware as a Service

Ransomware as a Service (RaaS) has been one of the more successful “business models” (and yes, threat actors often do treat it as a business) in the criminal underground over the past few years. The success of this model has been largely due to cybercriminals coming together collectively to achieve their goals: make the most money in the shortest possible time, without getting caught. Unfortunately for everyone, it is working.

The main reason why this works is the wide variety of industries that have been affected by ransomware attacks. The range of industries, particularly from healthcare, technology, financial, and legal industries, are the hottest targets due to the limited levels of protection many organizations have in place, the amount and quality of the data that can be stolen, and the amount of ransom that can be demanded. This results in organizations pushing harder to reduce their risk surface, based largely on a distaste for the dollar amounts they have sacrificed just to get their data back.

While companies strategize to reduce their risk, there is still a puzzle to be solved by people working the cyber frontline: the question of whether these ransomware operators are actually cybercriminals or if they play a part in nation-state attacks.

Nation-state actors tend to aim at specific targets to increase their economic opportunities while avoiding sanctions, fund their military initiatives, or simply to sow chaos and discord in enemy nations. In contrast, cybercriminals grab more of the “low-hanging fruit” that won’t cause too much of a stir or garner unwanted attention.

While the goals of nation-state actors and cybercriminals are different, you can draw parallels between the two because of one thing: money. The RaaS business model has matured quite quickly over time and is becoming increasingly complex as more ransomware variants come into existence. This model can prove ideal for nation-state actors who want to use or change the ransomware variant so that it can’t be traced back to their respective group. This is something that nation-state actors see as a minimal-effort hurdle to getting paid.

All of this sounds frightening, but rest assured: Even with the organizational complexity of cybercriminals, many precautions can be taken to help keep you and your organization safe.


The most effective steps you can take to reduce the risk of falling victim to ransomware attacks are to increase phishing awareness in your organization and to increase knowledge of vulnerabilities in your technology.

Business email compromise is still the number one attack vector that malicious actors use to compromise your organization. Attackers will use these credentials for their own attacks or post them for sale in the dark web. Promoting security awareness training through phishing simulations, training videos, and guidelines on how to identify a phishing email are great ways to promote defensive behaviors and awareness.

Enforcing two-factor authentication is another way to hinder attackers trying to get inside your organization.

Still, even with user awareness and extra blankets of password protection, it is also imperative to know what vulnerabilities remain unpatched within your organization.

Ransomware operators, aside from phishing attacks, tend to use widely known and available vulnerabilities to get access to your critical assets. As a result, they will spread the infection as widely as possible for the most impact. It is critical to know which assets are internet-facing and to remove any that pose an imminent risk to the business. Also remember to disable any unnecessary services that are running on those servers in order to best protect them.

Prioritizing vulnerability management can help drive down the overall risk you face. While in parallel, develop mitigation strategies such as network/host detections and prevention mechanisms to gain visibility across systems and be more proactive in protecting your organization.

It Is Not Over

Ransomware will continue to be the topic of 2021, but that doesn’t mean all is lost. Understanding the mechanisms of RaaS and how cybercriminals think is one piece of the larger puzzle.

Relativity’s Calder7 security team has just released a collection Q2 Regional Ransomware Landscape Updates covering the North America (NAM), Asia Pacific (APAC), and Europe, Middle East, and Africa (EMEA) regions. These reports highlight a series of notable events across the regions with unique risks and mitigations to consider when defending against ransomware.

Download the reports via the Relativity Community site to dig deeper and gain a better understanding of the threats your organization may face—and how to beat them.

Artwork for this article was created by Sarah Vachlon.

Visit the Relativity Community to Download the Q2 Ransomware Landscape Updates

Kyle Kurdziolek is a senior cybersecurity analyst at on Relativity's Calder7 security team.