Ransomware Double Extortion 2021: Victim profiling

In the period of time between January and May 2021, Ransomware has done nothing but confirmed itself as the primary threat in the global IT security landscape.

The spike in infections and strains that had begun to appear around the end of 2019, has only increased with a consequent evolution of TTPs (Tactics, Techniques, and Procedures) adopted and honed by different groups of Criminal Hackers, which now have evolved into full-fledged Cyber Crime cartels.

In particular double extortion has risen to prominence. With this in mind, Swascan’s SoC as a Service Team has undertaken an analysis of the profiles of the victims targeted by Criminal Hackers.

In particular, through specific OSINT & CLOSINT researches, the data concerning the Ransomware victims who had their data published on the Darkweb has been collected and analysed.

Swascan has studied 18 Ransomware strains which now use Double extortion as their fixture and the sites where the data is published.

Ransomware Double Extortion 2021

The approach was the following:

  1. Identify the Darkweb sites of the analysed Ransomware groups;
  2. Identify the targeted companies which had their data published on Darkweb portals;
  3. Clustering information related to victims in terms of:
  • Geographic area
  • Volume of published data
  • Turnover of affected firms
  • Strains involved



Figure 1: An example of a Double extortion website in
which the data is published


Focusing on the top 8 countries in terms of the number of cases detected, it is possible to observe that the number of victims that had their data published reaches 511 cases.

Figure 2: Geographical distribution of victims with data published in double extortion sites

As can be seen from this first chart (Figure 2), North America stands out as the absolute leader
for companies with published information with 69.8% of strains hitting between the US and
Canada. The former remains in the lead with 317 companies involved in the period between
January 2021 and May 2021.

Canada follows with 40 instances, while the podium is closed by France with 34.







Cyber Threat Intelligence: what it is and how does it work?
Lenovo and Swascan collaborate to fix security issue

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.