21 ransomware groups were prominent in data exfiltration attacks during 2020. The top six groups - Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil - are responsible for attacks on 80% of the total victims. Top ten targeted countries constitute 87% of the total victims. The USA was the most targeted country, with 56% of the victims. More than half of the victims were American. The second most targeted country was Canada, with 8% of the victims. This huge gap emphasizes even further the focus on the USA. Almost all the top ten targeted countries are Western countries, while there are no former Soviet Union republics (FSU), including Russia, in the list of targeted countries. The focus on Western countries suggests a more targeted nature of the ransomware attacks, in sharp contrast to the classic ransomware attacks, which were more indiscriminate and random in nature. The absence of FSU countries from the victims list may potentially suggest the operators of the ransomware gangs are from these countries. HERE ARE THE KEY FINDINGS DRAWN FROM OUR RESEARCH: Alongside the “double extortion” tactic, another trend that has emerged in recent years, is that ransomware attacks are becoming less indiscriminate and more focused and targeted on high-value and high-profile enterprises and entities. This also reminded us of nation-state actors, whose attacks are very focused and targeted in nature. Thus, besides conducting a statistical analysis of the ransomware attacks that involved data exfiltration/leakage to draw conclusions on the “double extortion” trend, we also used this analysis to check if ransomware gangs are becoming more similar to state-sponsored actors in other aspects. Manufacturing is the leading industry with over 30% of the total targeted industries. The top six industries, manufacturing, financial services, transportation, technology, retail and government & defense constitute 70% of the total targeted industries. The targeting of Industrial Control Systems (ICS) by ransomware gangs bears similarities to nation-state actors, since these attacks are known to require advanced skills and knowledge, usually associated with nation-state actors. While ransomware gangs are becoming more sophisticated, it is important to note that nation- sponsored actors have also been observed to increasingly use ransomware in their attacks. The operators behind prominent ransomware attacks in 2020 commonly abused two notable vulnerabilities: CVE-2019-19781 and CVE-2019-11510, both were also popular among state-sponsored groups. 4 | The Ransomware Landscape