Stats & Trends
Jack Danahy
Dec 2016

The Biggest Changes in Ransomware: 3 Predictions for 2017

Photo by William Hook

Update: With ransomware evolving faster than ever, new approaches to protection are being developed. Learn more about how IT pros are turning to runtime malware defense to stop ransomware attacks before any files are encrypted.

As a business, ransomware had a banner year. Profits are estimated to reach $1 billion by the end of 2016. For its victims, the costs were actually much higher, with the Atlantic estimating the full bill, including lost productivity, at around $75 billion. This issue isn’t going away anytime soon.

Ransomware has proven to be so successful and so profitable that one of the safest predictions we can make is that the people profiting from it are going to continue to expand and improve their approaches. The real question heading into 2017 is, “How will these criminals evolve their model to increase their victim count and their revenue?”

As you’re taking stock and planning your commitments, a smart thing to do is consider how attackers may leverage user, system, and organizational vulnerabilities to expand their opportunities, increase their effectiveness, and boost their profits.

Since ransomware isn’t going away, here are three predictions for how we’ll see it advance in 2017:

1) Ransomware will add the threat of public disclosure

Why? The threat of disclosing private records, either a file at a time or in one catastrophic dump, will greatly increase the odds of victims paying the ransom.

This evolution is likely because ransomware attacks against U.S. organizations have hit a major snag — too few U.S. companies are paying the ransom (or at least admitting they are).

Ransomware Paid by Country Osterman Research.png

Osterman Research

According to a Barkly survey conducted with 150 IT professionals who had experienced ransomware attacks, only 5% reported that their organization had paid.

Witnessing their success in other markets (both among consumers and in the rest of the world), there obviously exists more available market if the threat can be expanded beyond data encryption and destruction. This means finding an approach that is not addressed by countermeasures that businesses believe protect their data: reliable data backup.

The ability of companies to recover their data from backups, instead of from criminals, has been widely viewed as taking the sting out of ransomware attacks. Common best practices to prepare for ransomware attacks are centered on data recovery, and those backups make for less painful cleanup when an attack happens.

Backup has become an obstacle for criminals relying on ransomware for revenue because organizations believe that good backups eliminate the downtime and data loss associated with ransomware. As a result, we expect to see increased occurrence of ransomware demands that include a threat to release private information if it’s not paid, completely changing the equation of whether or not to give in.

There are already ransomware variants that are experimenting with this approach. First spotted in April, Jigsaw ransomware not only encrypts a victim’s data, but threatens to send copies of those stolen files to all of the victim’s contacts.


When you consider the types of organizations that are being hit most with ransomware — healthcare providers, universities, law firms, etc. — the additional threat of doxxing (publishing private or identifying information publicly) is especially concerning. If hospitals allow private patient medical records to be publicly exposed, they're going to be in deep, deep trouble.

This type of attack will convert ransomware from a critical service issue to a matter of public data breach. The average cost of just one lost or stolen medical record is $355, and the average total cost of a data breach is $4 million, numbers much higher than the usual ransomware demand.

Healthcare providers aren’t the only predictable targets. Any industry that deals with sensitive information — law firms, banks, and even police departments — could be more susceptible to ransomware extortion if the threat involves publicly releasing data rather than just withholding or destroying it.

2) Ransomware infections will spread more quickly and easily

Why? Paydays are bigger when the ransoms are associated with broad and debilitating ransomware attacks.

Most ransomware campaigns have been focused at attempting to corrupt large numbers of individual systems, conducted in much the same way as a mass email marketing blast; Send out a large barrage of phishing emails with ransomware payloads and expect that while the the majority will fail, there will be a handful of ripe victims per campaign. Rack up a large enough number of attempts and that small percentage of successful attacks begins to add up to real money.

The goal of these mass campaigns is to make the decision to pay as much of a no-brainer as possible to as many victims as possible. Keeping the ransom low, generally fluctuating between $300 and $700 per attack, has traditionally made it a reasonable option to avoid a large amount of work or downtime.

According to recent reports, however, ransomware demands may be trending upward, thanks in part to a rise in targeted attacks directed against specific businesses. Survey data from the IBM X-Force research team, for example, indicates more than half of businesses that paid to get their data back paid ransoms over $10,000. Twenty percent of the victims paid ransoms over $40,000.

These increases indicate ransomware criminals are beginning to shift their strategy to attacking businesses instead of individual consumers, demanding more from victims who will have more to give. To make a compelling case to businesses, attackers will need to develop ways of making their attacks more damaging and disruptive by increasing the number of systems and users they disable.

We’re already seeing ransomware that spreads widely and can shut down entire businesses. The attack on Hollywood Presbyterian Medical Center, which had to shut down services due to a ransomware infection in February, is a good example. Loss of access to patient records caused widespread disruption. Staff were forced to revert back to relaying messages and doing paperwork by hand. Some forms of critical patient care ground to a halt. Some patients were even turned away and sent to other hospitals.

After 10 days of downtime, the hospital paid a ransom of $17,000 to get their systems back up and functioning. With estimated losses of over $100,000 per day from disruption to CT scans alone, it would have been understandable if they’d paid far more (initial accounts misreported the demand as $3.6 million).

This case highlights the fact that data encryption is actually only one lever that criminals can pull to extort their victims. General disruption is another. The greater the disruption, and the greater the importance of the disrupted services to the organization’s operations, the more that victims can be convinced to pay.

A key to maximizing that disruption is enabling ransomware to spread and self-propagate more easily. Virlock is one example of a move in this direction. By adopting traditional parasitic virus techniques, not only does it encrypt victim files, it also changes its appearance (polymorphs) and then infects them with malicious code that quickly spreads the attack from one machine to many.

3) Fileless ransomware will grow fast

Why? Because it bypasses scanners and signature-based AV, raising the likelihood of infection at less sophisticated organizations.

The most common ransomware delivery technique is phishing emails with malicious attachments, as it has been for the last couple of years. Infected Microsoft Office documents that leverage macros continue to be a popular choice, as do JavaScript attachments, which are often disguised as other attachment types.

Indexed Weekly Malicious Volume by Attack Type Proofpoint.png


These techniques have been so prevalent that even modestly experienced security teams are taking steps to keep their AV updated, filter out attachments, and limit mixing of public and private email accounts on organization assets. Criminals are also aware of these preventative measures and we're seeing sophisticated techniques for ransomware delivery that evade detection thanks to fileless approaches to infection.

For example: We recently discovered a new variant of Kovter, a malware family known for click-fraud and ransomware, that leverages JavaScript and PowerShell to embed its executable elements into locations within the Windows registry. This allows it to gain persistence and avoid detection by file-scanning antivirus and antimalware software because there is no file to scan.

We expect there to be an even greater push towards new types of fileless attacks in 2017, which by their nature are not easily identified by the traditional endpoint security tools that most companies (particularly the most vulnerable companies) are running.

How ransomware protection needs to change

Most security people will be predicting an increase in ransomware this year. But as we saw in 2016, an increased volume of attacks isn’t the only change we should expect. Criminals will continue to adjust their delivery, infection, and evasion tactics to make their attacks more successful and profitable. To ensure security keeps pace with their evolution, we all need to continue innovating to identify new protection opportunities across every stage of the ransomware attack cycle, and not just look to improve our reaction and recovery times.

The increasing threat posed by ransomware’s toxicity and communicability makes it clear that the area most in need of attention is prevention, specifically against the first steps of the infection. Traditional security thinking discounts the focus on outright prevention in favor of response — because no security can be 100% effective against all threats, response will always be needed. This philosophy has led many organization to over-invest in monitoring, incident management, and recovery while short-changing the actual target of most attacks — the user system or endpoint. This is one of the reasons we have seen ransomware thrive.

At Barkly, we’ve invested the last several years in creating a new form of protection that recognizes the malicious behaviors of ransomware and other malware families, stopping them before they can actually get control of the system, steal or encrypt data, set up a controller and spread. This approach does more than close the gaps that traditional endpoint solutions leave, it also presents the users with information on the threats they are inviting in, teaching them about their mistakes in the moment they occur. It informs the administrators so they can help to reinforce those lessons, look for trends, and better understand their security, overall.

Ransomware is going to continue to evolve and advance. To counter those advancements we need to continue to develop our own innovations. That means applying the same amount of creativity, ingenuity, and research into this challenge as the criminals do.

Looking for ransomware protection for your company in 2017? Learn more about Barkly.

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.