Data Protection Tool

12 key findings from Datto’s 2020 Ransomware Report

Picture of Tracy Rock

Tracy Rock

Director of Marketing @ Invenio IT



Datto has released its annual ransomware report and, as expected, the numbers continue to paint a grim picture.

As in previous years, Datto surveyed more than 1,000 managed service providers (MSPs) all over the world to gauge the types of threats that their clients are facing this year, particularly small and medium businesses (SMBs).

Given the COVID-19 pandemic and the added stress it has placed on businesses, including healthcare systems, ransomware has become an even more dangerous threat. With more people working from home than ever before, businesses are facing new vulnerabilities that leave them exposed to an attack.

Here are some of the most troubling findings from Datto’s ransomware report.

1) 70% say ransomware is the top malware threat

Ransomware remains the leading threat to SMBs with nearly 70% of IT providers citing it as the most common malware risk.

When ransomware encrypts a business’s data, it has the potential to bring operations to a halt. In some industries, such as healthcare, this could even place people’s lives in harm’s way, in addition to causing costly downtime.

Following ransomware, some of the other major threats to SMBs include viruses, adware and spyware. Less common, but still disruptive, threats include remote access trojans, keyloggers and worms.

2) 59% say remote work has made ransomware worse

While most managed service providers agree that the COVID-19 pandemic has had an impact on the security of businesses, they are split on how big of an impact this has been. A common concern among IT professionals is that employees who are working remotely don’t always use the highest security practices and may be more susceptible to deceptions like phishing emails.

  • Close to 60% of MSPs indicated that remote work stemming from the COVID-19 pandemic led to an increased rate of ransomware attacks.
  • 52% of MSPs believe that shifting work to the cloud led to major security vulnerability issues.
  • The most common industries targeted by ransomware attacks during the pandemic have been healthcare (reported by 59% of MSPs), finance (50%) and government institutions (45%).

3) Only 30% of IT providers say their clients are concerned about ransomware

When it comes to the perceived danger of ransomware, there remains a troubling disconnect between small businesses and the MSPs who manage their IT.

While the vast majority of MSPs (84%) say they are “very concerned” about ransomware, far fewer say their clients share the same fear. Only 30% report that their clients are as concerned. This disconnect is one of the biggest reasons why small and medium businesses continue to remain vulnerable.

The good news, however, is that SMBs have been allocating more money to combat increased cybersecurity threats, such as ransomware. About half of all MSPs reported that their clients increased their cybersecurity budgets in 2020. This could be a sign that more businesses are taking the threat seriously, even if they aren’t yet as concerned as their IT providers.

4) The level of concern varies around the world

Interestingly, the perceived danger of ransomware seems to vary depending on where the business is located.

Based on geographic distribution, Datto reports that companies in Europe overall are taking ransomware attacks less seriously than companies in other parts of the world. Just 19% of MSPs in Europe say their clients are “very concerned” about ransomware, compared to 31% in North America and 33% in the Asia-Pacific region.

5) 95% of IT providers say they’re being targeted too

While MSPs agree that ransomware remains the biggest threat to SMBs, MSPs are also noticing that their own businesses are increasingly being targeted.

It’s no coincidence. Hackers know that if they can penetrate an IT provider, it can open up a goldmine of potential for attacking other businesses.

Datto writes: “In attacks like these, hackers use MSP credentials to access and spread ransomware to their clients. In other words, by compromising an MSP, cybercriminals get more bang for their buck.”

5) Phishing emails remain a common entry method

Datto’s ransomware report indicates that phishing attacks remain a common method of ransomware execution. Using phishing tactics, criminals deceive users with emails and login pages that are disguised as recognizable communications. When the user enters their login information, the hackers retrieve that information, giving them access to systems where they can lay their ransomware footprint.

Some of the other common vulnerabilities cited by IT providers include:

  • Weak security practices by users
  • Weak passwords and/or unsecure password management
  • Lack of cybersecurity education
  • Open RDP access
  • Clickbait
  • Malicious websites

For all of these reasons, it is critical that businesses use routine training to educate all employees on the safest practices for email and web.

6) Attacks continue to be devastating

Close to two-thirds of IT providers report that their clients’ productivity was significantly impacted as a result of the ransomware attack. Close to 40% of them indicated that the downtime their clients suffered was a threat to the overall survival of their businesses.

7) Average ransom demands held steady

High-profile attacks over the last year have involved staggeringly high ransom demands, sometimes in the millions of dollars. However, Datto’s research reveals that most attacks don’t usually reach these figures.

According to MSPs, the average ransom request ranges between $5,500 and $6,000, which is roughly the same as it was in 2019.

8) The cost of downtime increased by 94%

In a ransomware attack, the cost of operational downtime usually far outweighs the cost of the ransom demand.

The costs of that downtime nearly doubled in the past year, according to Datto’s report, increasing from $141,000 to $272,000 per incident, on average. When you compare this year’s figure with 2018, the costs of downtime have increased by 486%.

The average downtime cost in 2020 was nearly 50 times greater than the ransom requested.

9) Ransomware 2020 continues to get around basic cybersecurity efforts

Even though companies are spending more on cybersecurity today than they did in the past, traditional security measures are often not enough to stop a ransomware infection.

50% of surveyed IT providers said ransomware got around their client’s antivirus/anti-malware solutions. Among those solutions, here are the kinds that MSPs said weren’t enough to stop the attack:

  • Anti-malware filtering measures (i.e. email-, network- and web-based): 59%
  • Legacy signature-based antivirus: 42%
  • Endpoint detection and response: 24%
  • “NextGen” anti-virus: 12%

Savvy ransomware attackers are working hard to find ways to get around all of these protective measures. But since many infections stem from social engineering—i.e. phishing emails—sometimes even the strongest cybersecurity technologies will not be enough to stop an attack.

That is why it is important to take a multilayered approach to cybersecurity. The most important component of this, in terms of prevention, is user training. Since phishing attacks continue to be the most common way that criminals gain access to a network, it is important for every user to remain vigilant.

Businesses should also assume that an attack is inevitable – and that is where BCDR solutions are essential.

10) 91% say a BCDR Solution is vital for recovering from ransomware

The overwhelming majority of MSPs surveyed for the report indicate that clients with BCDR solutions in place are far less likely to experience significant downtime following a ransomware attack.

If businesses end up with all of their files encrypted in a ransomware attack, they can remain operational by restoring their data from a backup copy. Recovering a clean backup restores files back to normal and effectively removes the infection as well. But it’s critical that the backup system is able to take frequent backups (limiting the amount of lost data in between backups) and offer fast, dependable recovery options.

These are areas in which the Datto SIRIS overwhelmingly excels, helping SMBs rapidly recover from even the worst ransomware attacks. SIRIS also has built-in ransomware protection which helps to detect signs of an infection with each new backup.

11) 92% see no end in sight

92% of surveyed IT providers say that ransomware attacks are here to stay for the foreseeable future. Most MSPs believe that ransomware attacks will continue at the same rate, while a significant proportion predict that attacks are only going to get worse.

Some other key statistics:

  • Close to 80% of MSPs report that one or more of their SMBs have reported at least one ransomware attack during the past two years.
  • Nearly 60% say their SMB clients suffered an attack in the first half of 2020.
  • Just over 10% indicate that they have had clients suffer multiple ransomware attacks in a single day.

12) CryptoLocker is still #1

There are numerous types of ransomware “in the wild,” and each one infects devices in slightly different ways. However, the biggest names in ransomware largely haven’t changed over the last couple years.

MSPs say that CryptoLocker is the most common variant affecting their clients, as it has been for the past 5 years. The next 4 most common variants include WannaCry, Cryptowall, Locky, Emotet and Petya.

Ransomware 2020: Learn More About Data Protection in Today’s Climate

See how BCDR solutions from Datto can protect your organization from ransomware and other common causes of data loss. Request a free demo or contact our business continuity professionals at Invenio IT. Give us a call today at (646) 395-1170 or email

Get the Ultimate Guide to Data Loss Prevention & Recovery for SMBs
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles