Stats & Trends
Jonathan Crowe
Jun 2017

Must-Know Ransomware Statistics 2017

Note: Looking for the latest stats? See our post, Must-Know Ransomware Statistics 2018

Ransomware continues to experience record growth in 2017. Here are the latest stats and trends you need to know to protect your company.

New variants. New attack tactics. The largest and most publicized ransomware outbreak we've seen yet. So far throughout 2017 one thing has been abundantly clear — ransomware is still dominating the world of security. 

Not only have we seen more attacks on more businesses demanding more money, the level of sophistication in distribution methods and attack vectors has expanded, as well. At the same time, new compliance mandates are adding to the cost of ransomware attacks, regardless of whether data is recoverable or whether the victim pays the ransom.

It’s enough to make companies of all sizes and industries sit up and take notice, because, unfortunately, the data also shows no one is immune.

To help you make better-informed decisions about how to protect your organization from ransomware and how to quantify your risk, we're sharing some of the most telling stats we could find charting ransomware’s growth and evolution in 2017.

A company is hit with ransomware every 40 seconds.

Source: Kaspersky Security Bulletin 2016

Businesses are seeing more ransomware attacks, more often

The number of ransomware attacks on businesses tripled last year, jumping from one attack every two minutes in Q1 to one every 40 seconds by Q3. While attacks against consumers are still more prevalent, the acceleration in attacks against businesses indicates more and more criminals are developing targeted campaigns and setting their sights on bigger scores.

6 in 10 malware payloads were ransomware in Q1 2017.

Source: Malwarebytes  

Ransomware is still the malware of choice.

Whether it was via a spam email or an exploit kit, if your company suffered an infection during Q1 2017 it was more likely to be ransomware than anything else. According to researchers from Malwarebytes, roughly 60% of malware payloads were ransomware, with the rest being a mix of ad fraud malware and small traces of everything else. 

In recent years, malware distribution breakdowns like these have been heavily influenced by whatever it is the major botnets are distributing. For the majority of 2016, the largest spam botnet, Necurs, was primarily used to deliver Locky ransomware via massive spam email campaigns. But as 2017 kicked off, Necurs was mysteriously quiet. And when it did return it wasn't distributing Locky, but rather distributing spam emails designed to drive pump-and-dump stock scams. In April 2017, Necurs switched back to distributing the Dridex banking trojan, which made an attempt to exploit a Microsoft Word zero-day vulnerability.

Later in May, Necurs was spotted once again distributing ransomware — this time a new variant called Jaff. At the height of these Jaff campaigns, researchers at Forcepoint observed nearly 5 million attack emails per hour.

There were 4.3x more new ransomware variants in Q1 2017 than in Q1 2016.

Source: Proofpoint Q1 2017 Quarterly Threat Report

It's never been easier to make your own ransomware.

Criminals continue to flock to ransomware, and there continue to be fewer and fewer barriers to entry for anyone so inclined to try their hand at digital extortion. The rise of the ransomware-as-a-service model has been a big factor, making it easier than ever for even novice cyber-criminals with the most basic technical knowledge to launch their own customized attacks.

Copycat ransomware variants are also on the upswing, with "amateurs" mimicking more established ransomware families, often with sloppy and error-prone results.

Perhaps due to increased competition (not to mention increased attention from the security industry), some of the most established ransomware players have also been the most active. The authors behind Cerber — currently the most prominent ransomware family — have released updated variants every 8.4 days on average. The authors behind CrySiS and Dharma, meanwhile, have made it regular practice to release new versions and release the master decryption keys for old ones every few months. 

All told, the number of new ransomware variants has grown 30-fold since 2015. 

15% or more of businesses in the top 10 industry sectors have been attacked.

Source: Kaspersky Security Bulletin 2016

No industry is immune.

While some industries continue to be bigger targets than others, data shows that no sector is immune to ransomware attacks. Healthcare organizations continue to be high-profile victims — take, for example, the 47 NHS hospital trusts that suffered infections during the WannaCry outbreak — but over 20% of organizations in the Education, IT/Telecoms, Entertainment/Media, and Financial Services sectors have been recently hit, as well. 

According to IT services provider Intermedia, during the past year 48% of IT consultants have seen increases in ransomware-related support inquiries across customers in 22 different industries. 

1 in 4 businesses hit with ransomware have 1,000 employees or more.

Source: Intermedia

Companies of all sizes are getting attacked, too. 

Just as no industry is immune, organizations of all sizes — from enterprises to SMBs — continue to see more attacks thrown their way. The stats do suggest, however, that attackers are gradually shifting away from high volume “spray and pray” email campaigns to more tightly targeted and cleverly customized attacks aimed at larger companies with deeper pockets.

71% of companies targeted by ransomware attacks have been infected.

Source: Barkly

Attacks are actively bypassing security. 

Of the companies that have experienced ransomware attacks, 7 out of 10 have fallen victim to at least one that got past their security and successfully encrypted their files. Traditional security solutions are simply struggling to keep up with the incredible pace at which new ransomware variants are being produced.

As a result, some organizations are looking to new solutions that utilize machine learning and behavioral analytics to block ransomware during runtime, while others are simply assuming they'll be infected and are prioritizing response and recovery, instead (some even going as far as to stockpile Bitcoin in anticipation of paying off attackers). 

Nearly half of ransomware attacks infect at least 20 employees.

Source: Intermedia

Increasingly, the ransomware attack model is to land and expand. 

When ransomware attacks hit, they tend to come in waves that target multiple employees within a company. It's not uncommon for there to be multiple "patient zeros" who fall victim to the initial attack (a targeted phishing email, for example), but sometimes all it takes is one distracted person making one wrong click for an infection to take root and spread. Several ransomware variants are able to encrypt files via shared network drives, and some, like the polymorphic ransomware Virlock, actually infect the files they encrypt so that attempting to open them causes the attack to start up all over again.

More recent attacks like the WannaCry outbreak utilize worm components that allow them to spread to other hosts on the original victim's network, wreaking havoc.

It's perhaps no surprise then to see troubling stats from Intermedia, which indicate 75% of ransomware attacks infect three or more employees and 47% infect at least 20. 

Phishing emails carrying ransomware dropped nearly 50% in Q1 2017.

Source: Proofpoint Q1 2017 Quarterly Threat Report

Trying to trick employees with phishing emails is so 2016. 

According to email security provider Proofpoint, last year seven out of ten malicious emails were delivering ransomware as a payload. Just three months into 2017, however, that percentage had dropped to 22% of malicious emails. So what gives?

One big reason for the dramatic drop-off is the fact that during Q1 the Necurs botnet was either silent or delivering other malware payloads. But another reason may be that, with users becoming more aware of how to spot phishing emails, criminals are turning to other delivery methods — some of which don't require any user interaction at all. 

Two thirds of ransomware infections in Q1 2017 were delivered via RDP.

Source: Webroot

Remote desktop is the new "in."

When most of us think of ransomware distribution methods the obvious ones that jump to mind are malicious emails and exploit kits. Both have long track records of success and both are centered around taking advantage of what's arguably the most easily exploitable part of any network — the end user. 

But so far this year, the majority of ransomware attacks aren't trying to trick users into downloading malicious email attachments or visiting a compromised website. In fact, they're actually bypassing user interaction altogether.

The WannaCry outbreak is a perfect example. In that case, attackers exploited security vulnerabilities in Microsoft's Server Message Block (SMB), a network file sharing protocol, to gain remote access to victim machines and execute the ransomware directly. No tricking users with disguised payloads necessary.

But while the spotlight is currently on securing SMB thanks to WannaCry — Microsoft even announced that it would be disabling SMBv1 in the fall — the truth is a similar attack tactic has been gaining steam for quite some time: infecting targets via Remote Desktop Protocol (RDP).

Attacks attempting to break in via SMB and RDP work in similar ways. First, attackers can simply scan the Internet for systems with open ports (port 445 for SMB; port 3389 for RDP). Tools like masscan, which can scan the entire Internet in under 6 minutes, make that easy. Once an open port exposing RDP is found, attackers typically attempt to brute force their way past weak or default passwords to gain execution. 

The groups behind Dharma, CrySiS, SamSam, Shade, Apocalypse, and other ransomware are all using RDP as an attack vector. From Q4 to January 2017, RDP attacks spreading CrySiS alone doubled.

It's a relatively easy attack vector for most organizations to secure, but until more do, criminals are going to continue to actively abuse it.
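One way to spot the RDP password guessing described above in Windows Security logon events, as an added example that is not part of the original article. The event records are constructed sample data, and the function names, the threshold of 10 failures and the 5-minute window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how RDP
# attempts are logged when Network Level Authentication is enabled.
REMOTE_LOGON_TYPES = {3, 10}

def sample_events():
    """Constructed records (not real logs): (time, event ID, logon type, source IP)."""
    t0 = datetime(2017, 6, 1, 3, 0, 0)
    # Password guessing: 12 failures, 10 seconds apart, then a successful logon.
    events = [(t0 + timedelta(seconds=10 * i), FAILED_LOGON, 3, "203.0.113.7")
              for i in range(12)]
    events.append((t0 + timedelta(seconds=130), SUCCESSFUL_LOGON, 10, "203.0.113.7"))
    # A user mistyping a password once an hour: should not be flagged.
    events += [(t0 + timedelta(hours=h), FAILED_LOGON, 10, "198.51.100.20")
               for h in range(4)]
    events.append((t0 + timedelta(hours=5), SUCCESSFUL_LOGON, 10, "192.0.2.15"))
    return events

def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed remote logons inside `window`.

    threshold and window are assumed starting values; tune them per environment.
    Returns {source_ip: {"failures": peak count, "success_after_burst": bool}}.
    """
    recent_failures = defaultdict(list)
    findings = {}
    for ts, event_id, logon_type, src in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        if event_id == FAILED_LOGON:
            # Keep only failures still inside the sliding window, then add this one.
            kept = [t for t in recent_failures[src] if ts - t <= window] + [ts]
            recent_failures[src] = kept
            if len(kept) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "success_after_burst": False})
                hit["failures"] = max(hit["failures"], len(kept))
        elif event_id == SUCCESSFUL_LOGON and src in findings:
            # A success right after a burst suggests a guessed password.
            if ts - recent_failures[src][-1] <= window:
                findings[src]["success_after_burst"] = True
    return findings

if __name__ == "__main__":
    for ip, hit in find_rdp_bruteforce(sample_events()).items():
        print(ip, hit)
```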

The average ransom demand has risen to $1,077.

Source: Symantec 2017 Internet Security Threat Report

Demands are escalating.

The average ransom demand now tops $1,000, which is more than 3x the average demand in 2015. That jump corresponds with an increase in attacks specifically targeting businesses, and it's further indication that attackers are setting their sights on higher-value victims in search of larger paydays.

While the majority of ransomware attacks (and payments) go unreported, some notable examples of "big-ticket" attacks in the past 12 months include successful scores of $28,000 from Los Angeles Valley College and $21,000 from Madison County in Indiana, as well as a demand of $70,000 from San Francisco's Municipal Transportation Agency, which wasn't paid.  

1 in 5 businesses that paid the ransom never got their files back.

Source: Kaspersky Security Bulletin 2016

Paying up doesn't always work.

Adding insult to injury, among those who have paid ransom demands, 20% never retrieved their files. Attackers simply walked away with the money — some because they never intended to restore access to the victims' files, others because they were amateurs and never had the technical ability to do so in the first place. 

It should go without saying there's no honor among thieves, and in other cases organizations pay one ransom only to have the attackers turn right back around and demand a second one. That's exactly what happened to a Rhode Island law firm in a high-profile attack that cost them a total of $25,000 in multiple ransoms and $700,000 in lost billings due to the downtime caused by not being able to access their files.    

72 percent of infected businesses lost access to data for two days or more.

Source: Intermedia

Downtime is the real killer.  

While very few companies actually pay the ransom (less than 5% according to a Barkly survey), recovering encrypted files from backup and getting infected systems back up and running is still often easier said than done. According to Intermedia, nearly three out of four companies infected with ransomware suffer two days or more without access to their files. One third go 5 days or longer without access.

Results from an Imperva survey indicate each day without access can typically result in anywhere from $5,000 to $20,000 in lost business and damages due to downtime.  

Global ransomware damages are predicted to exceed $5 billion in 2017.

Source: Cybersecurity Ventures

Fueled in part by the $1 billion in damages inflicted by WannaCry in just the first four days, global ransomware costs are expected to exceed $5 billion this year. That’s a 15X increase over just two years ago, and doesn’t include actual ransom payments. 
