Ransomware statistics for 2020: Year in summary


2020, the year of the pandemic, was another lucrative year for ransomware. As nations around the world scrambled to slow the spread of the virus, cybercriminals attempted to capitalize on the chaos.

With attack surfaces expanded, sensitive company data being accessed from vulnerable devices and remote staff inevitably cutting corners on normal security protocols, COVID created the perfect environment in which ransomware could thrive.

RDP became the attack vector of choice as threat actors preyed on ad-hoc remote working implementations, while ransomware groups pivoted their existing infrastructure to launch COVID-themed attacks that sought to exploit the public’s interest in the ongoing health crisis.

The security challenges of COVID were exacerbated by threat actors’ rapid uptake of data exfiltration. Inspired by data-leak pioneers Maze, dozens of other ransomware groups began incorporating data theft into their attacks and using the stolen data as leverage to coerce victims into paying. Non-payment usually resulted in the stolen data being sold, auctioned, or, more commonly, published on the attacker’s leak site for all to see.

Over the course of 2020, various ransomware groups retired or fizzled out and were replaced by newcomers or reemerged under new names. Perhaps the most notable retirement was that of Maze, an extremely prolific ransomware group that announced in November that it would be shutting down operations. This year, we also saw Microsoft take down 94 percent of the servers belonging to TrickBot, an enormous botnet made up of at least one million infected devices that operators would commonly rent to ransomware gangs.

The following statistics are based on 506,185 ransomware submissions made to Emsisoft and ID Ransomware between January 1 and December 31, 2020. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a service that enables organizations and individuals to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.

Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.

Most commonly reported ransomware strains of 2020 (including STOP)

The following chart shows the 10 most commonly reported strains of 2020. STOP/Djvu was by far the most frequently submitted ransomware strain, accounting for 71.20% of all submissions.

  1. STOP (Djvu): 71.20%
  2. Phobos: 8.90%
  3. Dharma (.cezar Family): 7.90%
  4. REvil / Sodinokibi: 3.40%
  5. LockBit: 1.90%
  6. GlobeImposter 2.0: 1.70%
  7. Magniber: 1.70%
  8. Makop: 1.30%
  9. Avaddon: 1.10%
  10. Zeppelin: 1.00%

Most commonly reported ransomware strains of 2020 (STOP excluded)

The following chart shows the 10 most commonly reported strains of 2020 with STOP/Djvu submissions excluded.

  1. Phobos: 29.90%
  2. Dharma (.cezar Family): 26.80%
  3. REvil / Sodinokibi: 11.40%
  4. LockBit: 6.40%
  5. GlobeImposter 2.0: 5.70%
  6. Magniber: 5.70%
  7. Makop: 4.30%
  8. Avaddon: 3.80%
  9. Zeppelin: 3.20%
  10. Cryakl: 2.80%

Most ransomware submissions by country

The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included.

  1. India: 27.40%
  2. Indonesia: 15.10%
  3. USA: 10.90%
  4. Egypt: 10.00%
  5. Pakistan: 8.90%
  6. Brazil: 8.00%
  7. South Korea: 7.60%
  8. Philippines: 4.50%
  9. Turkey: 4.20%
  10. Italy: 3.40%

Number of submissions by month and year

The following chart shows the number of submissions by month, with STOP submissions included.

| Month | 2019 | 2020 | % Change |
| --- | --- | --- | --- |
| January | 24,935 | 39,855 | 59.84 |
| February | 17,833 | 42,294 | 137.17 |
| March | 20,381 | 41,097 | 101.64 |
| April | 20,851 | 53,494 | 156.55 |
| May | 27,114 | 44,565 | 64.36 |
| June | 28,861 | 38,153 | 32.20 |
| July | 29,108 | 39,607 | 36.07 |
| August | 45,382 | 39,438 | -13.10 |
| September | 56,542 | 41,323 | -26.92 |
| October | 56,545 | 31,997 | -43.41 |
| November | 68,707 | 48,444 | -29.41 |
| December | 54,123 | 45,918 | -15.16 |
| Total | 450,382 | 506,185 | 12.39 |


Number of submissions by quarter

The following chart shows the number of submissions by quarter, with STOP submissions included.

| Quarter | 2019 | 2020 | % Change |
| --- | --- | --- | --- |
| Q1 | 63,149 | 123,246 | 95.17 |
| Q2 | 76,826 | 136,212 | 77.30 |
| Q3 | 131,032 | 120,368 | -8.14 |
| Q4 | 179,375 | 126,359 | -29.56 |


The total number of ransomware submissions increased by 12.39% between 2019 and 2020. Q1 saw a dramatic year-on-year increase of 95.17%, while the number of submissions in Q4 dropped by 29.56%. The biggest fluctuations in the number of submissions occurred in April (156.55%), February (137.17%) and March (101.64%).

Of the 587 ransomware variants submitted over the year, STOP/Djvu was by far the most common. There are more than 160 confirmed variants of STOP, which collectively accounted for 71.20% of all submissions in 2020. Some older strains of STOP can be decrypted with our free STOP decryption tools, but newer variants cannot be decrypted.

More than half of all submissions (52.60%) in 2020 came from just 10 countries. While ransomware is a truly global threat, the data indicates that Asia was perhaps the most commonly targeted region. With six nations in the top 10 (including transcontinental Turkey), Asia accounted for more than a third (35.70%) of all ransomware submissions in 2020. India had the most ransomware submissions in each quarter this year and was responsible for 14.40% of all submissions in 2020.

Emsisoft Malware Lab
