
Top 6 ransomware strains to watch out for in 2020

December 10, 2020 by Daniel Brecht

Ransomware remains the number one security risk to businesses and users, even though attacks have slowed down — or have they? Key findings from the 2020 Verizon Data Breach Report show that about “27% of malware incidents were ransomware.” In particular, according to Verizon's DBIR, it actually accounted for 60% of malware affecting the public administration sector. “Even with fewer detections, ransomware remains a threat as operators arm malware with new capabilities to aim for bigger targets” that pay heftier sums, says the Trend Micro 2020 Midyear Cybersecurity Report.

As ransomware becomes more and more sophisticated, cybercriminals attempt to gain access to sensitive data, which is becoming a greater issue, especially in industries like manufacturing, banking and financial services, as well as, of course, in breaches that affect government operations.


Top ransomware in 2020

At the top of the 2020 list are the Sodinokibi, Maze and Ryuk ransomware families, according to recently published data from the Check Point and IBM Security X-Force Incident Response teams. Based on the trend, these ransomware families are expected to remain big threats in 2021, as suggested in the key findings from Malwarebytes and Sophos reports. Even so, let’s take a look at some of the actors in the 2020 ransomware theater.

1. Sodinokibi

Sodinokibi (also known as Sodin) is a type of REvil attack and an attempt to fill the GandCrab void with objectives of encrypting files on infected systems and asking for a ransom to decrypt them. It is a ransomware-as-a-service (RaaS) that is able to spread through a variety of means, including unpatched virtual private networks (VPNs), exploit kits (i.e., a malicious toolkit used to exploit security holes primarily for running a distributed malware infection campaign, especially ransomware and breach/exfiltration), remote desktop protocols (RDPs) and spam. It should be noted that “Sodinokibi ransomware attacks account for one in three ransomware incidents,” per IBM Security X-Force.


2. SNAKE

SNAKE (EKANS spelled backwards) is “one of the more concerning ransomware strains in 2020”; it was first identified in mid-December 2019 and makes up 6% of the ransomware attacks. The threat targets mainly industrial networks and is able to kill industrial control system (ICS) processes, stop virtual machines and grab the credentials of an administrator before encrypting all files on the network. This leaves the victim with no choice but to pay the ransom.

3. Maze ransomware

Maze ransomware was discovered in 2019 and has quickly made news for being responsible for the publication of sensitive data belonging to victims in the healthcare sector. However, companies like Xerox Corporation have also been among the recent targets of the Maze ransomware operators, who stole more than 100GB of files. Exploit tools like Fallout and Spelevo were among the most common means of infection, but payloads are also now being distributed through virtual machines to bypass endpoint defenses more easily.

This malware gets a special mention, but it might actually not be a problem in 2021, as the group behind it announced at the end of October 2020 that it intended to cease operations and retire Maze without any further legacy. If this is confirmed, it will be good news, as Maze accounted for 12% of all the ransomware attacks so far this year and has targeted victims in Europe and North America, especially in the professional services sector.

4. Ryuk

Ryuk, which is often dropped on a system by other malware (e.g., Emotet and Trickbot), is a threat that continues to surge. Ryuk campaigns have been used lately to target health and medical organizations during the COVID-19 pandemic via email phishing and exploit kits, to name a few of the means used to distribute the ransomware.

Data from Check Point Research, which studied and analyzed this wave of recent attacks, showed a steady increase in the number of healthcare organizations targeted by Ryuk ransomware globally: from 2.3% in Q2 to 4% in Q3.

5. Phobos

Phobos is a RaaS variant that strikes smaller companies and individuals, where attackers have gained access to a network via an unprotected RDP port, encrypting files (possibly with AES in CBC mode) and pursuing a ransom payment for data decryption. 

Discovered recently (early 2019), Phobos has elements of CrySiS ransomware and is possibly distributed by the same group, Dharma. It has already shown several variants and, unfortunately, victims have sometimes been unable to recover their data even after paying the ransom. In any case, incidents have still taken longer to resolve than other ransomware attacks, due to the complexity of the restore tool needed for recovery.

6. DoppelPaymer

DoppelPaymer, an updated version of BitPaymer, is the threat actor responsible for the Emotet, Dridex and Locky distribution campaigns that target hospitals or nursing homes these days and will likely continue this approach during the COVID-19 pandemic. What’s unique about this method is that, according to SecurityWeek: “No ransom amount is included, but users are provided a URL for a TOR-based payment portal that looks almost identical to the original BitPaymer portal.”

Ransomware trends

Ransomware families such as REvil, DoppelPaymer, Nemty, Ryuk, Sodinokibi and Phobos continue to evolve in 2020 and are promising to exploit victims well into 2021, collecting millions in ransoms.

  • “In Q1, nearly 60% of ransomware attacks were carried out by the three most common variants (Sodinokibi, Maze, Phobos).” It was found that Sodinokibi (used in 26.7% of attacks), Ryuk (19.6%) and Phobos (7.8%) were the top ransomware strains, as seen from the market share rankings. It’s also worth mentioning the average ransom demand for a Ryuk infection rose by around 62.5%. The average enterprise ransom payment increased to $111,605, up 33% from Q4 of 2019, according to the Coveware Ransomware Marketplace Research report.
  • In Q2, only 30% of attacks were attributed to the top three families (Sodinokibi, Maze, Phobos). In Q2, the average ransom payment was $178,254, a 60% leap from the $111,605 average in Q1.
  • In Q3, “Check Point Research saw a 50% increase in the daily average of ransomware attacks, compared to the first half of the year.” Maze and Ryuk were the top ransomware types in this period.
  • In Q4, we expect to see a variety of malicious campaigns and cyber actors related to the COVID pandemic (in fact, Trend Micro Research found coronavirus-related emails with malicious attachments being sent to users) as well as the US elections infrastructure subject to ransomware attacks where any number of voters’ data could be held for ransom.

What you need to know about ransomware in 2020

The Coveware ransomware marketplace report, which aggregates trends from enterprise ransomware incidents, had in Q1 of 2020 seen an upsurge of threats as a result of the COVID-19 outbreak and with businesses shifting to remote work due to the pandemic. In fact, the Trend Micro 2020 Midyear Cybersecurity Report, “Securing the Pandemic-Disrupted Workplace,” documented a surge of nearly 9 million COVID-19-related threats from January to June 2020.

Looking ahead to 2021

Security experts have speculated that more sophisticated and coordinated ransomware attacks are likely to increase from 2020 to 2021, targeting everyone from local government entities to large organizations with the aim of encrypting their data and asking for money to unlock it. Even so, sensitive info may still be stolen, even when intruders are paid off. 

Here’s an example: “In November 2019, the Maze Ransomware operators transformed ransomware attacks into data breaches after they released unencrypted data of a victim who refused to pay,” reports This extortion tactic was quickly adopted by other groups: “For the first time, the operators behind the Sodinokibi Ransomware have released files stolen from one of their victims because a ransom was not paid in time.” What’s more, while Nemty Ransomware created a data leak site to punish those who refuse to pay ransoms, DoppelPaymer Ransomware and BitPyLock Ransomware are also threatening to sell or publish a victim's stolen files if non-compliant.

Conclusion and recommendations

The cost of ransomware is trending upwards and costing businesses hundreds of thousands or even millions of dollars. Cybercriminals target organizations — no matter their size or industry — that have weaker security controls in place and take less caution to protect themselves and their data, going after the highest payback for the least effort.

What can a business do to protect itself even when not having a full security team on its payroll? 

  • Know what ransomware is, who it targets, how and where. (Be aware of the Top 5 ways ransomware is delivered and deployed.) Stay informed in the present and likely future security environment by reading updated whitepapers, reports and informative articles on current trends and dangers so as to spot the most common ways for infections and most common consequences.
  • Understand the risks and the potential damages that ransomware could bring to the organization. What would the consequences be if data was held hostage or if full operations could not be restored in a timely fashion?
  • Learn how to prevent, detect and recover from ransomware attacks, as this is crucial to protecting your business.
  • Develop a cyber resilience strategy that includes using an anti-ransomware software tool to mitigate potential attack vectors and avoid the spread of the infection.
  • Launch a proper security awareness training program to reduce the threat. Those who regularly train staff to recognize ransomware can help them avoid common lures. A lack of cybersecurity preparedness and poor user security awareness training are the cause of the vast majority of infections.



Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.