<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1018517621595528&amp;ev=PageView&amp;noscript=1">

Ransomware by the Numbers: Must-Know Ransomware Statistics 2016

ransomware_statistics_2016_updated.jpg

Ransomware is now the #1 security concern for organizations. See the stats behind its record growth in 2016.

Throughout the first half of 2016, we saw ransomware continue to wreak havoc. Attacks are up, ransom demands are up, and with every new Bitcoin payment deposited, not only is there new incentive for criminals to improve their technology and techniques, there's new incentive for more criminals to get in on the action.

As a result, ransomware is now reaching a new level of maturity. The majority of malware included in phishing emails and exploit kits is currently ransomware. With the demand for it rising, supply of ransomware has gotten increasingly competitive. Criminal groups have hacked and released competeting groups' decryption keys. They've also established ransomware-as-a-service models, where any would-be criminal can utilize their software, regardless of their technical knowledge. 

How has the threat of ransomware been evolving in 2016? And where are things headed? To help you get a better sense of it, we've collected the following telling statistics. 

Once you're done reading these, be sure to check out our eBook, The Complete Guide to Ransomware. It's full of actionable advice you can use to improve your organization's security posture and keep your employees safe. 

Part 1: The Ransomware Business is Still Booming

Nearly 50 percent of organizations have been hit with ransomware

Ransomware_victims_last_12_months.png

Source: Osterman Research

According to a June 2016 survey from Osterman Research, almost one out of every two participants indicated their organization had suffered an at least one ransomware attack in the past 12 months. In addition, just four percent of respondents from U.S. organizations said they were very confident in their current security’s ability to prevent a future attack.

 

56,000 ransomware infections in March 2016, alone

Ransomware_Infections_by_Month.png

Source: Symantec

Throughout the majority of 2015, the average number of ransomware infections fluctuated between 23,000 and 35,000 per month, according to Symantec. The spike to 56,000 in March 2016 coincided with the arrival of Locky (more on Locky below), distributed primarily by the Necurs botnet, one of the largest networks of infected computers in the world.

 

$209 million was paid to ransomware criminals in Q1 2016

Source: CNN

Estimates from the FBI put ransomware on pace to be a $1 billion dollar source of income for cyber criminals this year. The agency pointed to a jump in cases where victims reported bigger losses, and also hinted that the actual ransom payment totals may be even larger since many choose not to report the crime. 

 

The average ransom demand is now $679

Average_ransom_amount_2016.png

Source: Symantec

That’s more than double the average demand of $294 observed during attacks in 2015. The success of several high-profile, high-demand attacks, such as the $17,000 ransomware attack on Hollywood Presbyterian Medical Center in February, may be contributing to the rise.

 

Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery

Source: Barkly

In a survey we conducted with IT pros from over 300 organizations, nearly 100% reported they were actively backing up their data. Out of those who had not yet experienced a ransomware attack, 81 percent said they were confident they would be able to recover any data attackers encrypted from backup, without paying the ransom.

 

Less than half of ransomware victims fully recover their data, even with backup

Source: Barkly

Of the IT pros we surveyed who had experienced a ransomware attack, only 42 percent reported being able to successfully recover all their data from backup. Common reasons for incomplete backup recovery included unmonitored and failed backups, loss of accessible backup drives that were also encrypted, and loss of between 1-24 hours of data from the last incremental backup snapshot.  

 

Only 5 percent ever consider paying the ransom an option

Source: Barkly

Despite several high-profile examples of organizations willing to pay the ransom to recover their data, plus advice from the FBI recommending as much (at least until they revised their stance in late April), the overwhelming majority of the IT pros we surveyed said they have never and would never consider paying the ransom.

Not only did many consider it a matter of principle, there was also a healthy dose of skepticism that paying would actually result in them getting their data back. As Kansas Heart Hospital learned the hard way in May, criminals don’t always follow through with their promises to decrypt the data.

 

Part 2: Infection Trends

Email is the #1 delivery vehicle for ransomware

Ransomware_delivery_channels.png

Source: Osterman Research

Emails with malicious links and malicious attachments account for 59 percent of ransomware infections. According to the Osterman Research survey, users are more than twice as likely to be infected by clicking something in an email than visiting an infected website directly. Big takeaway: Don’t click it, no support ticket.

 

7 out of 10 malicious email attachments delivered Locky in Q2 2016

Top_email_malware_payloads.png

Source: Proofpoint

If one of your users got their files encrypted after opening a malicious email attachment in Q2, chances are it was Locky. Typically hidden in MS Word documents and executed by leveraging macros, Locky has quickly become one of the most prevalent ransomware families out there. It’s almost exclusively distributed via spam email campaigns powered by the Necurs botnet (notorious for also distributing the Dridex banking trojan).

While its use of Necurs has certainly expanded Locky’s reach, relying on one primary distribution channel also means that when it goes down (as Necurs did in early June) your ransomware effectively goes down with it. Unfortunately, the outage only appeared to last roughly three weeks before Necurs was back up and running delivering more Locky email campaigns.

 

Nearly two-thirds of exploit kits have ransomware payloads

exploit_payload_stats_may_2016.png

Source: Malwarebytes

Phishing emails may be the top delivery vehicle for ransomware, but exploit kits are dropping their fair share of the stuff, too. In fact, in just five months (from December 2015 to May 2016), ransomware jumped from being included in just 17 percent of exploit kits to being the most popular payload by far.

exploit_payload_stats_dec_2015.png

Source: Malwarebytes

That said, exploit kit traffic has plummeted since the disappearance of the Angler EK in early June. Up to that point, Angler had been the dominant exploit kit (accounting for 60 percent of total EK traffic). In its absence, exploit kits like Neutrino and RIG are now vying to slowly fill the vacuum.

Exploit_kit_traffic_Q2_2016.png

Source: Proofpoint

 

Part 3: What’s Next: The Evolution of Ransomware

600% growth in new ransomware families since December 2015

Growth_in_ransomware_families.png

Source: Proofpoint

With more and more criminals flocking to ransomware as a source of cheap and easy income, ransomware authors have scrambled to meet the demand. According to Trend Micro, 50 new ransomware families were discovered in the first five months of 2016. That’s easily on pace to surpass the 100 new ransomware families that Symantec says were discovered last year, total.



4x jump in Android ransomware

android_ransomware.png

Source: Kaspersky

It may not get the attention PC-based or even IoT device-based ransomware does, but Android ransomware has quietly been building steam towards a full-on onslaught. From April 2015 to March 2016, Kaspersky observed ransomware attacks on 136,532 Android users, four times the number they saw during the previous twelve month period.



230 percent jump in JavaScript ransomware payloads

Rise_in_JavaScript_ransomware.png

Source: Proofpoint

Delivering ransomware in Word documents is so 2015. Well, okay, not quite. Infected Word docs are still very much a thing, but according to analysis from Proofpoint, they’ve actually been eclipsed by a major new trend of using JavaScript file attachments to install ransomware payloads.

Why JavaScript? Because it can do anything a regular application can do without raising the red flags of being a .exe. Plus, since Windows doesn’t show file extensions by default, criminals can also easily disguise .js files so they appear to be innocuous .txt files, etc.

See this post from Naked Security to learn more about JavaScript ransomware, then take a second to change Windows settings to show file extensions.

 

Learn more how to keep your employees safe from ransomware.

The good news is there are concrete steps you can take to protect your organization from ransomware. Check out our free guide The Complete Guide to Ransomware. It has good general advice for any organization looking to improve security. 

Topics: Stats & Trends, Ransomware Protection

Get Advanced Ransomware Protection

Proactively stop attacks before they encrypt your files or do any damage.

Block Ransomware

Stay Informed!

Get the latest security news delivered along with clear, actionable insights.
All in plain English.