TL;DR: Average ransomware payments have increased by 450% since 2019, and Chainalysis says attacks in 2021 were still on pace to extort hundreds of millions of dollars while threat actors diversified infrastructure and targeting. The governance problem is no longer only intrusion prevention, but containment, payment decisioning, and identity-driven recovery controls.
NHIMG editorial — based on content published by Chainalysis: Ransomware 2021: Critical Mid-year Update
By the numbers:
- Average ransomware payments have increased by 450% since 2019.
Questions worth separating out
Q: What breaks when ransomware actors can use legitimate privileged accounts?
A: When attackers can operate through legitimate privileged accounts, detection gets harder and containment slows down.
Q: Why do privileged identities make ransomware incidents harder to contain?
A: Privileged identities expand what an attacker can reach after the first foothold.
Q: What do security teams get wrong about ransomware recovery?
A: Many teams assume recovery is mainly a backup problem.
Practitioner guidance
- Audit privileged access paths used for recovery Map every admin, backup, and remote support account that can restore systems or disable protections.
- Shorten credential exposure windows Rotate high-risk secrets, API keys, and administrative credentials on a fixed schedule and after any suspicious access event.
- Isolate backup and restoration identities Keep restoration accounts in a separate trust domain where possible, with distinct logging and approval paths.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Original 2021 ransomware activity data with trend breakdowns that help security teams benchmark the scale of the problem.
- Discussion of third-party ransomware infrastructure providers and how the ecosystem is evolving operationally.
- Analysis of attacks from nation-state-aligned threat actors and what that means for response planning.
- Recommendations for attacking the ransomware problem head-on, beyond the strategic framing covered here.
👉 Read Chainalysis’s mid-year ransomware report for 2021 activity and trend analysis →
Ransomware payments surged in 2021, what should teams do now?
Explore further
Ransomware is now an identity governance problem, not just a malware problem. The article’s numbers point to a threat economy that rewards stolen credentials, excessive privilege, and slow recovery. Once attackers can operate as legitimate users or admins, traditional perimeter assumptions collapse and the cost of delay rises quickly. Practitioners should treat privileged identity control as part of ransomware resilience, not a separate IAM programme.
A question worth separating out:
Q: Who is accountable when ransomware payment decisions are made?
A: Accountability should sit with a defined incident governance process that includes security, legal, executive leadership, and operational owners. The decision is not only financial. It also reflects whether identity controls, backup isolation, and recovery readiness were sufficient to avoid reaching a negotiation stage in the first place.
👉 Read our full editorial: Ransomware payments surged in 2021 as extortion scaled up