Stats & Trends
The Barkly Team
Aug 2018

Must-Know Ransomware Statistics 2018


Ransomware is at a crossroads in 2018, with attacks decreasing in volume but increasing in sophistication. Here are some the latest stats and trends you need to know to ensure your company stays protected.

For the first time in years, ransomware is no longer the top payload of choice. The majority of criminal groups are switching to banking trojans and cryptominers, but those sticking with ransomware are upping their game. 

To help you make better-informed decisions about how to protect your organization from ransomware and how to quantify your risk, we're sharing some of the most telling stats we could find charting ransomware’s rocky evolution in 2018.

Ransomware is on the decline (for now)

Ransomware attacks fell nearly 30% over the past 12 months.

Kasperksy | Tweet this stat

After two years of explosive growth, ransomware has been dethroned as the #1 payload used in malware campaigns. Replacing it as the most prevalent type of malware in 2018: cryptominers. According to Kaspersky's Ransomware and Malicious Cryptominers 2016-2018 report, ransomware infections have fallen 30% over the past 12 months as cryptominers infections have increased 44.5% over the same time period.

So is ransomware the second-most prevalent payload? Not quite. Third most-prevalent? Guess again. According to the Malwarebytes Cybercrime Tactics and Techniques: Q2 2018 report, ransomware has dropped all the way down to the #6 spot, declining in popularity behind miners, banking trojans, adware, backdoors, and spyware. My, what a difference a year makes. In Q1 2017, six in 10 malware payloads had been ransomware. Now it accounts for less than 5%.  


So far ransomware has continued to decline in 2018. Source: Malwarebytes 

A variety of factors have contributed to ransomware's downward spiral, including overexposure and increased awareness (thanks in large part to WannaCry and other high-profile attacks), cryptocurrency volatility, and additional attention from law enforcement. But perhaps the biggest reason is also the simplest — with the majority of victims declining to pay, the attacks simply become unprofitable. 

In order to pull off a successful ransomware heist, the stars really have to align for attackers. Not only do they have to infect a victim who doesn't have reliable backups (or the time/resources required to use them), the victim also has to have quick and easy access to cryptocurrency, and be willing to put their trust in a criminal and pay them up front. Making matters more difficult, attackers also have to price their ransom demands just right. 

For criminals experiencing all these ransomware speed bumps, cryptomining malware gradually started looking like a stealthier, more effective alternative. As the price of Bitcoin skyrocketed during the latter half of 2017 many jumped in with both feet. According to the latest figures from Checkpoint’s Cyber Attack Trends: 2018 Mid-Year Report, miners have affected 42% of organizations worldwide in the first half of 2018 alone.

But don’t be too quick to write ransomware off completely. After months of being hailed as the new heir apparent, there are signs that the miner boom may be stalling. Malwarebytes reported at the end of Q2 2018 that use of miners had begun to fall, as well.


Use of cryptominers has roughly followed the price of Bitcoin and other cryptocurrencies. After exploding in late 2017, it has been declining in 2018. Source: Malwarebytes 

It's too soon to say anything definitively, but it does seem probable that criminals are realizing miners don't provide quite the same get-rich-quick potential that ransomware offered during its heyday, especially now that cryptocurrency valuations have come back down to earth.

Perhaps we’ll see the pendulum swing back in the other direction. Only time will tell.

Consolidation, rapid iteration, and increasing sophistication 

In 2017, the number of ransomware families dropped 71%, but the number of variants increased 46%.

Symantec | Tweet this stat

In addition to the overall decline in ransomware activity, the landscape also experienced major shakeups in terms of the types of ransomware active. During the latter half of 2017 established families like Locky, Cerber, and TorrentLocker — previously big players — all but disappeared from the scene. Major spam distributors like Necurs switched to deploying banking trojans in their high-volume campaigns. Overall, the number of active ransomware families plummeted, but the total number of new variants increased, meaning the ransomware operations that remained active pumped out more samples, more often. 


The ransomware ecosystem has consolidated around fewer players producing more variants than ever. Source: Symantec 2018 Internet Security Threat Report 

The ransomware still in heavy rotation in 2018 can essentially be split into two camps:

  1. Commodity groups: Think of the criminals behind GlobeImposter and ransomware-as-a-service platforms like GandCrab (currently the most prolific ransomware family). Volume and rapid iteration is the name of the game for these families, with the goal being to infect as many victims as possible (or, in the case of RaaS platforms, to help other criminals infect as many victims as possible) while constantly adapting and staying one step ahead of security.

  2. Targeted groups: These criminals are choosier about their victims, eschewing mass distribution in favor of zeroing in on vulnerable targets they believe may be more likely to pay out large sums (typically businesses, healthcare organizations, local governments, etc.). The attacks that these groups conduct tend to be more sophisticated, as well, often involving hands-on setup and reconnaissance. Following initial compromise, it's not uncommon for weeks or months to go by while attackers probe the network, identify assets and systems of value, and make other preparations to ensure when the ransomware is deployed it will have maximum impact. Perhaps the most notorious current example of a targeted ransomware operation is SamSam, which has been responsible for infecting a slew of healthcare and local government organizations this year, including the city of Atlanta, AllScripts, and LabCorp.  

In either case, the chances of ransomware payloads being detected and blocked prior to execution are becoming increasingly low. 

75% of organizations infected with ransomware were running up-to-date endpoint protection.

Sophos | Tweet this stat

The problem is that the commodity groups are pumping out new samples too fast for traditional signature-matching security solutions to keep up. It's trivial for criminals to ensure these samples include just enough superficial changes or obfuscation to help them slip past antivirus (AV) products undetected.

The targeted groups have become adept at bypassing AV, too, often utilizing polymorphic techniques to ensure each time their ransomware payloads are unpacked and executed, they're new versions of themselves that AVs don't recognize (see how the Colorado Department of Transportation was infected with two SamSam variants in two weeks).

Healthcare and finance are still top targets

Nearly half of reported ransomware incidents in 2017 involved healthcare organizations.

Beazley | Tweet this stat

On one hand, stats like the one above always need to be taken with a grain of salt. After all, one reason why healthcare organizations account for such a large percentage of reported ransomware incidents could simply be because they are one of the only types of organizations required to publicly disclose such attacks as data breaches. On the other hand, healthcare organizations are notorious for running legacy software on vulnerable, out-of-date systems, and they've developed a reputation for being open to paying ransoms as long as it means avoiding downtime and disruption to critical patient-related services. It's no coincidence that 85% of healthcare malware infections were ransomware in 2017 — a large number of those attacks worked. 


Healthcare organizations experienced nearly half the total number of reported ransomware incidents in 2017. Source: Beazley 2018 Breach Briefing 

According to the Beazley 2018 Breach Briefing, the healthcare sector experienced the highest volume of ransomware in 2017, with its proportion of attacks (45%) nearly four times that of the next most frequently targeted industries (financial and professional services at 12% each). Regardless of whether organizations in other industries are actually experiencing more attacks than they let on, the fact is healthcare continues to be a big target. 

As the Beazley report highlights, financial services is unsurprisingly another vertical that finds itself in the crosshairs as attacks become increasingly targeted. According to Carbon Black, 90% of financial institutions reported being the subject of a ransomware attack in 2017. Like hospitals and other medical groups, financial organizations are often more desperate to resolve an attack quickly because of the need to maintain privacy or simply to stay operational. That desperation combined with a lack of security preparation can lead to the hackers getting their ransom.

Ransomware attacks are getting more costly

The average cost per ransomware attack to businesses was $133,000 in 2017.

Sophos | Tweet this stat

While Symantec reports that the average ransom demand actually decreased in 2017 to $522 (less than half the average demand of $1,070 in 2016), that doesn’t come close to telling the full story of how much ransomware actually costs businesses. According to The State of Endpoint Security Today report published by Sophos, businesses lost an average of $133,000 in recovery costs following ransomware incidents. Cybersecurity Ventures estimates the global damage costs connected with ransomware attacks will reach $11.5 billion by 2019. The real culprit behind that astronomical sum isn’t the ransom, but rather the business-related costs like downtime, emergency response, and lost opportunities.

The following list of costs associated with ransomware attacks on local governments provides insight into how expensive recovery can be:

Spring Hill, TN, November 2017 

  • Ransom demanded: $250,000 (not paid)
  • Recovery costs: $100,000

Mecklenburg County, NC, December 2017

Colorado Department of Transportation (CDOT), March 2018

Atlanta, March 2018

Rockport, Maine, April 2018

Wasaga Beach, Ontario, April 2018

  • Ransom demanded: $34,950 (paid)
  • Recovery costs: Additional $37,181 on consultants

In addition to IT expenses, there are many other ways that ransomware attacks wreak havoc on municipalities including loss of vital services, records, productivity, tax revenue, and more. That also doesn’t take into account public backlash and outcry from voters. Businesses and other organizations are also subject to these costs and similar collateral damage of eroded public trust.

RDP continues to be an overlooked attack vector

There are currently 3 million endpoints with RDP connections exposed to the Internet.

Barkly | Tweet this stat

While spam emails may be the most common delivery vehicle for ransomware, exposed RDP connections are essentially a flashing neon "open" sign the criminals behind such operations as SamSam, Bit Paymer, CrySiS/Dharma, CryptON, LockCrypt, Matrix, and SynAck all find hard to resist. 

It's trivial for attackers to use publicly available tools (like Shodan) to identify exposed RDP connections and then conduct brute-fort attacks to gain access. Leaving an RDP connection exposed is essentially like leaving your backdoor open in a world where burglars can use an app to scan neighborhoods and identify which homes are prime for a robbery. Security researcher Kevin Beaumont describes the commonality of RDP brute force attacks in his blog post on RDP Hijacking, “Anybody who has set up a honeypot recently will know within seconds you will be getting hit with failed RDP logins. First they port scan, then thousands of login attempts arrive.” If your account isn't protected with a strong password or some form of multi-factor authentication it doesn't take long for them to push their way in. 

Of course, for a small price, attackers don't even need to bother with brute force attempts. They can simply head over to one of the many RDP shops on the Dark Web and purchase RDP access to a compromised machine from a criminals who's already done the initial legwork. According to research from McAfee, the more popular shops offer as many as 40,000 RDP connections for sale. 

How Barkly can help you stay protected as ransomware evolves


Barkly blocks ransomware before it has a chance to encrypt files or do any damage. 

The downturn in ransomware attacks is good news for everyone, but as these stats show, the threat hasn't gone away completely, it's simply evolved.

With attackers experimenting with increasingly sophisticated tactics and self-propagating techniques, it's more important than ever to block infections before they have a chance to take hold and spread. That's why Barkly's Endpoint Protection Platform has been designed to block not just ransomware payloads, but also the delivery and deployment techniques they rely on to launch.  

To find out how Barkly does it and how you can sabotage ransomware attacks before they start, download our free guide:


The Barkly Team

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.


Want updates on the latest big changes in ransomware?

Join a group of 7,000 IT and security pros who get clear, actionable takes on malware and infosec news.



Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.