Future of Ransomware: 2022 and Beyond

Throughout 2021, cyberattacks continued to increase, with ransomware accounting for 38% of all breaches in 2021.  

So, what does this say about ransomware moving into 2022?    

This blog will answer this question and highlight:      

  • How ransomware looked in the past.    
  • How ransomware presents today.   
  • What future ransomware attacks will look like, and how to respond to them.    
Sapphire Cyber Security: security awareness training for ransomware threats

Ransomware of the Past: 1989-2020

In 1989, Joseph Popp used the post to distribute floppy disks to over ninety countries from a PC Cyborg Corporation. The malware remained dormant until they turned on the PC.

After that, the virus encrypted the files and demanded a payment of $189 (£140) and a further $378 (£280) for the software release.    

Since then, ransomware attacks have become increasingly sophisticated, with many targeting larger organisations to get the highest possible ransom payment.

For example, RyUK operated between 2019 and 2020, targeting large organisations to obtain this higher ransom payment. This form of ransomware is estimated to have made around $150 million (£112 million) for the attackers.    

In 2018, SamSam ransomware remained undetected until it discovered vulnerabilities in the system; after that, it would encrypt data and demand a ransom to decrypt it.

Sapphire Cyber Security: ransomware prevention and data recovery for ransomware threats

Present Ransomware: 2021-January 2022     

In 2021 alone, the Verizon Data Breach Investigations Report suggested that ransomware doubled in frequency over the previous year, accounting for ten per cent of all cyberattacks in the past year.    

Attacks on SMBs    

Forbes suggested that: ‘FBI’s Internet Crime Complaint Center found a 20 percent increase in reported ransomware incidents and a 225 percent increase in ransom amounts.’ Additionally, only ‘51 percent of small businesses don’t have any resources for cyber security’ 

As a result, cybercriminals who target SMBs realise that smaller organisations have limited in-house cybersecurity resources, making them more vulnerable than larger organisations that often employ large IT experts teams.    

Increasing Sophistication    

Gone are the days of Joseph Popp; ransomware wears various faces in the present day. The early signs of sophisticated attacks are harder to detect by IT experts and are therefore capable of more damage than ever before.    

An example of this is DarkSide, a cybercriminal group that attacked the Colonial Pipeline in May 2021. The group provides Ransomware as a Service (RaaS) which supplies criminals with the means to launch attacks via admin control panels to payment systems.   

One DarkSide ransomware attack in August 2020 sent out a quasi-press release, which offers web chat support and an intricate dark leak storage system with redundancy.   

Supply Chain Attacks    

By 2021, cybercriminals successfully focused their ransomware attacks on supply chains. Attackers gain access via a third party’s compromised system.   

On the 2nd of July 2021, a series of supply chain attacks surfaced in thousands of companies throughout 17 different countries.   

Sapphire Cyber Security: ransomware groups working on encrypting files
Check Point: Average number of ransomware attacks per organisation per week by industry – April 2021

Prominent Ransomware Attacks in 2021   

Kia Motors

DoppelPaymer carried out the ransomware attack in 2021. They threatened to publish exfiltrated data within two to three weeks if Kia Motors didn’t pay 404 Bitcoins.

The attack made Kia Motors have a nationwide IT and phone system outage.   


In March 2021, Acer suffered a REvil ransomware attack and shared some images of stolen files as proof of their breach. The attack demanded £37,232,250.  

Colonial Pipeline Company

The Colonial Pipeline was the highest-profile ransomware attack of 2021. The DarkSide group quickly gained access to the system as the business did not use multi-factor authentication.

The ransomware attack forced Colonial Pipeline (responsible for bringing 50% of the US East Coast’s fuel) to pause all operations.

They eventually paid the $4.4 million (£3,276,174) with the FBI’s help. However, by June 2021, the Department of Justice recovered 50% of the ransom.

Sapphire Cyber Security: ransomware victims as a result of phishing attacks

Future of Ransomware: 2022 and Beyond     

As ransomware is such a prolific cyber attack, it will not disappear anytime soon. However, as we start 2022, it is time to look ahead to see what ransomware holds for us in the future.   

Criminals are now taking active steps to exfiltrate corporate data for increased leverage to     

However, ransomware is likely to develop with an ever-evolving threat landscape.   

‘Despite the progress, ransomware is not going away in 2022. A robust ransomware defence strategy can only fortify its cybersecurity posture for the enterprise.’     

Sapphire Cyber Security: future of ransomware and ransomware threat actors

Ransomware as a Service (RaaS)    

Many RaaS services are on the Dark Web on a subscription basis. RaaS enables criminals to launch ransomware attacks by signing up for their services.

It is a common type of CaaS (Cybercrime as a Service) and requires very little technical knowledge.   

ENISA (European Union Agency for Cyber Security) experts have even suggested that triple extortion ransomware increases the frequency.

They have cited research suggesting that DDoS attacks as the triple extortion vector are frequently used and even focus the ransom on the victim’s clients, leading to quadruple extortion.   

Fraudulent Calls      

Back in December 2021, Hellmann had a cyber-attack. After a thorough forensic investigation, Hellman extracted the data from its servers before attackers took its systems offline.

Hellmann’s Incident Response team suggested contacting government authorities and warning customers and partners of fraudulent calls and emails.   

Initial Access Brokers (IABs)    

As financially motivated threat actors, initial access brokers work to profit from the sale of remote access to enterprise networks.   

They have simplified the attack chain by asking for payment for verified access to a target.   

Most initial access brokers gain access primarily through:    

  • Remote Desktop Protocol (RDP)    
  • Virtual Private Network (VPN)    
  • Web shells and remote access software    
Sapphire Cyber Security: attack to evade detection

Final Thoughts   

Ransomware remains one of the highest priority challenges for organisations of all sizes and across all sectors in 2022.  

“Ransomware is the fastest-growing cybercrime for a reason,” says Steve Morgan, founder at Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “It’s the proverbial get-rich-quick scheme in the minds of hackers.”   

As a result, ensuring preventative measures and planning for an attack on your organisation is essential to mitigate risk.  

Enjoyed reading our blog on the future of ransomware?

Get in touch with our expert team for more information about how to prevent and prepare your organisation for ransomware attacks! 

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *