Stats & Trends
Jonathan Crowe
Aug 2016

Ransomware by the Numbers: Must-Know Ransomware Statistics 2016


Ransomware is now the #1 security concern for organizations. See the stats behind its record growth in 2016.

Note: See our updated list of 2017 ransomware statistics here

Throughout the first half of 2016, we saw ransomware continue to wreak havoc. Attacks are up, ransom demands are up, and with every new Bitcoin payment deposited, not only is there new incentive for criminals to improve their technology and techniques, there's new incentive for more criminals to get in on the action.

As a result, ransomware is now reaching a new level of maturity. The majority of malware included in phishing emails and exploit kits is currently ransomware. With the demand for it rising, supply of ransomware has gotten increasingly competitive. Criminal groups have hacked and released competeting groups' decryption keys. They've also established ransomware-as-a-service models, where any would-be criminal can utilize their software, regardless of their technical knowledge.

How has the threat of ransomware been evolving in 2016? And where are things headed? To help you get a better sense of it, we've collected the following telling statistics.

Once you're done reading these, be sure to check out our eBook, The Complete Guide to Ransomware. It's full of actionable advice you can use to improve your organization's security posture and keep your employees safe.

Part 1: The Ransomware Business is Still Booming

Nearly 50 percent of organizations have been hit with ransomware


Osterman Research

According to a June 2016 survey from Osterman Research, almost one out of every two participants indicated their organization had suffered an at least one ransomware attack in the past 12 months. In addition, just four percent of respondents from U.S. organizations said they were very confident in their current security’s ability to prevent a future attack.

56,000 ransomware infections in March 2016, alone



Throughout the majority of 2015, the average number of ransomware infections fluctuated between 23,000 and 35,000 per month, according to Symantec. The spike to 56,000 in March 2016 coincided with the arrival of Locky (more on Locky below), distributed primarily by the Necurs botnet, one of the largest networks of infected computers in the world.


$209 million was paid to ransomware criminals in Q1 2016


Estimates from the FBI put ransomware on pace to be a $1 billion dollar source of income for cyber criminals this year. The agency pointed to a jump in cases where victims reported bigger losses, and also hinted that the actual ransom payment totals may be even larger since many choose not to report the crime.

The average ransom demand is now $679



That’s more than double the average demand of $294 observed during attacks in 2015. The success of several high-profile, high-demand attacks, such as the $17,000 ransomware attack on Hollywood Presbyterian Medical Center in February, may be contributing to the rise.

Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery


In a survey we conducted with IT pros from over 300 organizations, nearly 100% reported they were actively backing up their data. Out of those who had not yet experienced a ransomware attack, 81 percent said they were confident they would be able to recover any data attackers encrypted from backup, without paying the ransom.

Less than half of ransomware victims fully recover their data, even with backup


Of the IT pros we surveyed who had experienced a ransomware attack, only 42 percent reported being able to successfully recover all their data from backup. Common reasons for incomplete backup recovery included unmonitored and failed backups, loss of accessible backup drives that were also encrypted, and loss of between 1-24 hours of data from the last incremental backup snapshot.

Only 5 percent ever consider paying the ransom an option


Despite several high-profile examples of organizations willing to pay the ransom to recover their data, plus advice from the FBI recommending as much (at least until they revised their stance in late April), the overwhelming majority of the IT pros we surveyed said they have never and would never consider paying the ransom.

Not only did many consider it a matter of principle, there was also a healthy dose of skepticism that paying would actually result in them getting their data back. As Kansas Heart Hospital learned the hard way in May, criminals don’t always follow through with their promises to decrypt the data.

Part 2: Infection Trends

Email is the #1 delivery vehicle for ransomware


Osterman Research

Emails with malicious links and malicious attachments account for 59 percent of ransomware infections. According to the Osterman Research survey, users are more than twice as likely to be infected by clicking something in an email than visiting an infected website directly. Big takeaway: Don’t click it, no support ticket.

7 out of 10 malicious email attachments delivered Locky in Q2 2016



If one of your users got their files encrypted after opening a malicious email attachment in Q2, chances are it was Locky. Typically hidden in MS Word documents and executed by leveraging macros, Locky has quickly become one of the most prevalent ransomware families out there. It’s almost exclusively distributed via spam email campaigns powered by the Necurs botnet (notorious for also distributing the Dridex banking trojan).

While its use of Necurs has certainly expanded Locky’s reach, relying on one primary distribution channel also means that when it goes down (as Necurs did in early June) your ransomware effectively goes down with it. Unfortunately, the outage only appeared to last roughly three weeks before Necurs was back up and running delivering more Locky email campaigns.

Nearly two-thirds of exploit kits have ransomware payloads



Phishing emails may be the top delivery vehicle for ransomware, but exploit kits are dropping their fair share of the stuff, too. In fact, in just five months (from December 2015 to May 2016), ransomware jumped from being included in just 17 percent of exploit kits to being the most popular payload by far.



That said, exploit kit traffic has plummeted since the disappearance of the Angler EK in early June. Up to that point, Angler had been the dominant exploit kit (accounting for 60 percent of total EK traffic). In its absence, exploit kits like Neutrino and RIG are now vying to slowly fill the vacuum.



Part 3: What’s Next: The Evolution of Ransomware

600% growth in new ransomware families since December 2015



With more and more criminals flocking to ransomware as a source of cheap and easy income, ransomware authors have scrambled to meet the demand. According to Trend Micro, 50 new ransomware families were discovered in the first five months of 2016. That’s easily on pace to surpass the 100 new ransomware families that Symantec says were discovered last year, total.

4x jump in Android ransomware



It may not get the attention PC-based or even IoT device-based ransomware does, but Android ransomware has quietly been building steam towards a full-on onslaught. From April 2015 to March 2016, Kaspersky observed ransomware attacks on 136,532 Android users, four times the number they saw during the previous twelve month period.

230 percent jump in JavaScript ransomware payloads



Delivering ransomware in Word documents is so 2015. Well, okay, not quite. Infected Word docs are still very much a thing, but according to analysis from Proofpoint, they’ve actually been eclipsed by a major new trend of using JavaScript file attachments to install ransomware payloads.

Why JavaScript? Because it can do anything a regular application can do without raising the red flags of being a .exe. Plus, since Windows doesn’t show file extensions by default, criminals can also easily disguise .js files so they appear to be innocuous .txt files, etc.

See this post from Naked Security to learn more about JavaScript ransomware, then take a second to change Windows settings to show file extensions.

Learn more how to keep your employees safe from ransomware.

The good news is there are concrete steps you can take to protect your organization from ransomware. Check out our free guide The Complete Guide to Ransomware. It has good general advice for any organization looking to improve security.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.


The Ransomware Survival Handbook

Learn how to recover quickly and effectively (and not get hit again)

Get my handbook


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.