Stats & Trends
Jonathan Crowe
Feb 2017

2017 Ransomware Trends and Forecasts

Photo by Charles Clegg

After a year of massive growth, what changes are on the horizon for ransomware in 2017?

Ransomware exploded into a billion-dollar industry in 2016. That type of money is creating a gold-rush atmosphere for cyber criminals, with demand for and supply of new ransomware variants and delivery platforms both booming.

What's in store for organizations looking to protect their data from ransomware in 2017? And how will ransomware attacks continue to mature and evolve? Here are five important ransomware trends currently making big waves, along with forecasts for how we see them playing out over the next 12 months.

Ransomware Trend #1: Targeted attacks on businesses are becoming more frequent


Photo by Scott Miller

2017 Forecast: Even if overall attack volume dips down, expect the frequency of targeted attacks to continue to climb.

Last year we saw more ransomware attacks target more businesses more often, and there’s no indication of that trend reversing in 2017.

While the majority of ransomware still targets consumers, the number of attacks directed at organizations is growing at a more rapid pace. According to researchers at Kaspersky, attacks on businesses increased 3x in 2016, compared to a 2x rate of increase in attacks on individuals.

Every 10 seconds, a consumer gets hit with ransomware.

(up from every 20 seconds in Q1 2016)

Every 40 seconds, a company gets hit with ransomware.

(up from every 2 minutes in Q1 2016)

Tweet this

The reasons for the shift are almost certainly profit-driven. Successful ransomware attacks against individuals typically net the attackers around $500 in Bitcoin. Infecting a business, on the other hand, represents a much bigger potential payday, especially if the attack can disrupt critical services and/or sensitive information.

Recent ransom demands against organizations have ranged from $17,000 in the case of Hollywood Presbyterian Medical Center to $28,000 in the case of Los Angeles Valley College to accounts of ransoms greater than $150,000 reported by respondents to this Osterman Research survey.

More criminals will target businesses with ransomware in 2017 simply because — in the immortal words of American American bank robber Willie Sutton — "that's where the money is."

Ransomware Trend #2: Phishing email attachments have become the #1 delivery vehicle for ransomware


Photo by Sarah Richter

2017 Forecast: Email attachments should stay on top, but watch for exploit kits to start creeping back up.

Pardon the overused cliche, but…

Let’s say your network is a castle. To protect it, you spend a lot of time and resources surrounding it with walls and moats. But can you really be sure when attackers show up in a Trojan horse the folks you’re trying to protect inside won’t open the gates and wheel it in?

One wrong click by a user can lay the best laid (and most expensive) security plans to waste.

Tweet this

Attackers know this, and that’s why email is such a popular and successful infection vector for them. They can reach users directly and — using increasingly believable phishing tactics — trick them into triggering a ransomware payload.

In 2016, those payloads were primarily hidden in either Microsoft Office documents (see macro-based malware) or JavaScript attachments disguised as innocuous files. In fact, over 96% of phishing emails analyzed by Proofpoint in Q3 2016 were distributing Locky, primarily through one of those two attachment types.

That’s an astonishing commonality among phishing emails, and barring some major prolonged drop-off in botnet traffic*, it’s difficult to imagine email attachments losing their top spot as the most prominent delivery vehicle for ransomware in 2017.

* To date, Locky distribution has been heavily tied to mass phishing campaigns delivered via the Necurs botnet, one of the largest networks of compromised devices in the world. When Necurs experiences outages — such as in June of 2016 and in January of this year — Locky payload delivery plummets.

That said, don’t be surprised to see a resurgence of exploit kits this year and slight increases when it comes to malvertising, drive-by downloads, and malicious URLs. Things have been extremely quiet in terms of exploit kit traffic since several high-profile arrests and the disappearance of the Angler EK… a little too quiet. According to Proofpoint, “total exploit kit activity fell by 65% in Q3 vs. Q2 and by 93% from January to September.”


Exploit kit traffic took a nose-dive in 2016 / Proofpoint

That’s a significant drop-off that could be attributable to any number of factors in addition to the take down of the crew behind Angler. But even if you believe companies and end users have generally gotten better at patching, it’s hard to shake the feeling that we’re due for other kits to rise up and finally start filling the void that Angler left behind in a more meaningful way, especially to power more malvertising.

Trend #3: New ransomware variants are being churned out at an alarming rate


Photo by Alden Jewell

2017 Forecast: There’s no sign of things slowing down.

In addition to number of attacks, another way to chart the growth of ransomware is by looking at the increase in ransomware variants.

Depending on the source you cite, growth in the number of ransomware variants that appeared in the wild during 2016 increased anywhere from a factor of 11x (Kaspersky) to a factor of 30x (Proofpoint). Either way, that's a massive jump.

The number of ransomware variants grew by a factor of 30x in 2016.

Tweet this



Criminals know a cash cow when they see one. Experts estimate ransomware generated $1 billion last year. With that kind of money "up for grabs" the demand for ransomware programs and platforms has skyrocketed. Malware authors have been only too happy to provide a ready supply (often just needing to make the slightest, most superficial alterations in the code to have a piece of ransomware slip past antivirus unrecognized and undetected).

Worse, thanks to the arrival of ransomware-as-a-service platforms, it’s easy for criminals with even the most basic technical knowledge to create their own ransomware. By signing up for Cerber ransomware's "affiliate program" for example, they can get everything they need to launch a ransomware campaign (including a management portal) in exchange for agreeing to pay the developers a 40 percent cut of the ransom profits.

The success of this licensing program has made Cerber one of the most prominent and active ransomware families. Researchers at Check Point estimated criminals had used Cerber to infect 150,000 victims in July 2016, generating roughly $195,000 (developer cut: $78,000) in that month alone.

In May, researchers at Invincea analyzed a Cerber campaign in which modified versions of the ransomware with unique hashes (think of them like a malware sample's fingerprints) were being created every 15 seconds.

More recently, researchers at Microsoft reported the number of Cerber infections they had detected during the 2016 - 2017 holiday season had surpassed Locky and every other ransomware variant.

Clearly, "more" is working for criminals. In 2017, the number of variants should continue to rise, spurred on by continued demand as well as the need to stay one step ahead of security software blacklists (learn why we decided to avoid the traditional signature blacklisting game and block ransomware with behavioral analytics).

Trend #4: Once attacked, the majority of organizations are getting infected

ransomware infections statistics.jpg

Photo by James Sutton

2017 Forecast: Infection rates will get better, but only after criminals force the issue by taking backup recovery out of the equation.

For all the headlines and eye-popping statistics, the truth is the majority of ransomware attacks directed at U.S. organizations have only been partially successful.

On one hand, criminals have been wildly effective getting it onto victims' machines and encrypting victim data.

Infection rates are high. According to a survey we recently conducted, 71 percent of organizations that had experienced ransomware attacks suffered successful infections where data was encrypted (and in some cases, lost for good). The vast majority had multiple layers of security in place, but none of it prevented the attack from infecting one or more machines.

Nearly 3/4 of organizations targeted by ransomware attacks don't have security in place that can prevent infection.

Tweet this

But when it comes to convincing victims to pay to regain access to their data, results appear to be fairly dismal. Very few organizations actually pay the ransom, even after successful attacks — results from a Osterman Research survey conducted with ransomware victims indicated that only 3 percent of U.S. companies paid up.

ransomware payment stats.png

Osterman Research

Of course, a skeptical take on that low number is that it could be misleading — a lot of victims might not be comfortable confessing they paid. That may indeed account for a small portion of responses, but it's also true the majority of victims are able to avoid paying the ransom thanks to their ability to recover at least some if not all of their encrypted files from backup.

Are we relying too much on backup recovery? Let's back up...

Backup can certainly provide a handy rescue from some very bad situations, and every organization should absolutely have a regularly tested backup solution in place. But there are a couple of problems with relying on backup as as anything more than a last-ditch fail-safe.

First, it doesn't always work perfectly. According to our survey responses, 58 percent of ransomware victims weren't able to fully recover everything with backup.

Second, backup doesn't do anything to resolve the fact that suffering a ransomware attack means a criminal has successfully compromised and established a foothold on your network. Cyber crooks are well aware of the major kink backup recovery puts in their extortion plans. So what are they doing about it? Experimenting with other ways of leveraging that established foothold to their advantage.

Which brings us to trend #5...

Trend #5: Encryption was just the beginning — ransomware criminals are raising the stakes

stakes of ransomware.jpg

Photo by Robin Corps

2017 Forecast: We'll see more server vulnerabilities exploited and "Doxware" will go mainstream.

Perhaps as a reaction to the low infection to payment ratio, we're seeing several new ransomware tactics designed to do the following:

  • dial up the widespread damage caused by infections in order to make recovery more difficult
  • introduce new attack consequences such as threatening to release captured data publicly instead of simply destroying it
  • steal victim info and credentials as an additional way of monetizing their attack

For example, we're seeing ransomware attacks now exploiting vulnerabilities in servers and databases (see SamSam attacks targeting hospitals with unpatched JBoss servers and the more recent ransacking of 28,000 MongoDB databases).

Not only are criminals able to infect large numbers of victims at once by automating these attacks, they're also able to extend the reach of their infections to multiple systems per victim. That can cause more damage and potential downtime, putting more pressure on victims to resolve the issue quickly.

The biggest change to ransomware in 2017, however, may have less to do with how victims are getting infected and more to do with what happens afterwards. In a significant shift in extortion methods, we've started seeing some criminals threaten not to delete captured files, but to release them publicly (a tactic known as doxing).

For victims that manage sensitive private customer data (healthcare providers, law firms, financial services, etc.), the threat of that data getting posted online for the world to see (and for other criminals to abuse) can completely change the equation of whether or not they decide they have to pay.

Not only are such exposures impossible to deal with quietly or sweep under the rug, they can also open victims up to regulatory fines and all the negative publicity that comes with a public data breach event.

With "doxware," simply wiping the infected systems and recovering from backup no longer makes the problem go away.

Tweet this

Variants of the ransomware Jigsaw have been spotted incorporating doxing, notifying victims that their data has been uploaded to a server and that copies will be sent to all of their contacts unless payment is made.

In January 2017, hackers attempted to extort an Indiana-based cancer services provider for $43,000 by threatening not only to leak private patient data online but also to send patients, their family members, and the organization's donors harrassing messages.

Examples like these represent dark new developments in the evolution of ransomware. Whether they'll become standard operating procedure is anyone's guess, but one thing is certain — once a new tactic is proven to be profitable it doesn't tend to stay on the fringes for very long.

Free Guide: Now that you know what's coming next learn how to protect your organization accordingly

Get up to speed with how ransomware is evolving and develop a clear action plan for preventing and responding to ransomware attacks. Check out our Complete Guide to Ransomware.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


2017 Malware Trends in Review

How attacks are evolving and what to expect next.

Get my report


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.