Ransomware statistics for 2021: Q4 report

Report Ransomware statistics for 2021

Over the course of 2021, we’ve seen an unprecedented level of legal action taken against ransomware actors – a trend that continued into Q4.  

In late October, Europol announced the arrest of 12 individuals suspected to be affiliated with the LockerGoga, MegaCortex and Dharma ransomware operations. Also in October, prolific ransomware group REvil was forced to cease activity after its servers were compromised during a successful U.S. Cyber Command operation. Then, in November, the FBI arrested a Ukrainian national and REvil affiliate allegedly responsible for the devastating ransomware attack on American software company Kaseya in July 2021; and a Russian national, who was charged with conducting REvil ransomware attacks on multiple targets in Texas in August 2019. 

Q4 marked more anti-ransomware initiatives from the White House, including the signing of the Enhancing K-12 Cybersecurity Act, which aims to promote access to information, better track cyberattacks nationally and provide school districts with more cybersecurity resources. The White House also hosted a two-day virtual ransomware summit with government representatives of 30 nations in attendance. Following the summit, the participating countries released a joint statement recognizing “the need for urgent action, common priorities, and complementary efforts to reduce the risk of ransomware.”  

But it wasn’t all good news. The healthcare sector was involved in a number of high-profile incidents in Q4, including an attack on the Los Angeles branch of Planned Parenthood in which the personal information of approximately 400,000 patients was compromised. A couple of weeks later, an attack on the healthcare systems of Newfoundland and Labrador, Canada, resulted in threat actors gaining access to 14 years’ worth of patient and employee information.  

The following statistics are based on data from 149,308 submissions to Emsisoft and ID Ransomware, a service that enables victims to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.  

Note: We estimate that only 25% of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.  

Most commonly reported ransomware strains of Q4 2021  

The following chart shows the 10 most commonly reported strains of Q4, which collectively made up 88.70% of all submissions this quarter. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 76.20% of all submissions.  

Top 10 most commonly reported ransomware strains of Q4 2021 (STOP included)

  1. STOP (Djvu): 76.20% 
  2. Phobos: 2.90% 
  3. Zeppelin: 1.80% 
  4. GlobeImposter 2.0: 1.30% 
  5. eCh0raix / QNAPcrypt: 1.20% 
  6. Magniber: 1.20% 
  7. LolKek: 1.20% 
  8. Makop: 1.10% 
  9. Dharma (.cezar family): 1.00% 
  10. LockBit: 0.80% 

Most commonly reported ransomware strains of Q4 2021 (STOP excluded)  

The following chart shows the 10 most commonly reported strains of Q4 with STOP submissions excluded.  

Top 10 most commonly reported ransomware strains of Q4 2021 (STOP excluded)

  1. Phobos: 12.10% 
  2. Zeppelin: 7.70% 
  3. GlobeImposter 2.0: 5.50% 
  4. eCh0raix / QNAPcrypt: 5.20% 
  5. Magniber: 5.20% 
  6. LolKek: 5.20% 
  7. Makop: 4.60% 
  8. Dharma (.cezar family): 4.40% 
  9. LockBit: 3.50% 
  10. 0XXX: 3.00% 

Most ransomware submissions by country  

The following chart shows the 10 countries that accounted for the most ransomware submissions, with STOP submissions included. These 10 countries made up 61.80% of all global submissions this quarter.  

Top 10 most ransomware submissions by country of Q4 2021

  1. Indonesia: 18.40% 
  2. India: 13.60% 
  3. Egypt: 8.10% 
  4. Brazil: 6.20% 
  5. Pakistan: 4.00% 
  6. United States: 3.00% 
  7. South Korea: 2.90% 
  8. Algeria: 2.30% 
  9. Germany: 1.80% 
  10. Bangladesh: 1.50% 


There was a drop in ransomware submissions this quarter, with submissions decreasing from 181,051 in Q3 to 149,308 in Q4 – a decrease of 17.53%. 

STOP/Djvu was by far the most commonly submitted ransomware variant in Q4, accounting for 76.20% of all submissions, down slightly from 76.40% in Q3. STOP typically spreads through pirated software and cracking tools, and consequently tends to impact a large volume of home users. 

In Q4, we saw a new addition to the list of most commonly submitted strains: LolKek. LolKek is a variant of BitRansomware, a strain that has been around since mid-2020. REvil, the seventh most common ransomware strain in Q3 was absent from the top 10 list in Q4, possibly due to the aforementioned Cyber Command operation that prompted REvil to shut up shop.  

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Just 10 countries accounted for more than 6 in 10 (61.80%) of all global ransomware submissions this quarter. India, which has accounted for the most submissions every quarter since we began recording this data, was notably not the leading submitter this quarter. In Q4, that title went to Indonesia, which made 18.40% of all submissions, up from 15.10% in Q3. The United Kingdom and the Philippines, which accounted for 2.3% and 1.5% of submissions respectively in Q3, were replaced in Q4 by Algeria (2.3%) and Germany (1.8%).  

Further reading  

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next