Ransomware Trends

Ransomware is malware that blocks your access to your files or actually steals them. Criminals either encrypt or remove your files from your computer until you pay them a ransom.

Ransomware attacks are growing at an alarming rate. Every 10 seconds, a consumer gets hit with ransomware and every 40 seconds, a business is attacked with ransomware. It is estimated that ransomware will cost $5B in 2017.

Payment demands are just part of the problem. The real issue is the impact on individuals and businesses. Over half of companies that were attacked by ransomware experienced disruptive downtime and a significant percentage of businesses were forced to shut down. Loss of data ranges from family photos to important business records. Cybercriminals are increasingly targeting hospitals with ransomware. They know if they lock up data that patient health may be compromised and hospitals are more likely to pay ransoms to avoid that risk.

Unfortunately, many victims of ransomware do not get their data back even if they do pay a ransom. Of the victims that paid ransom demands, survey data indicates only one in four receive a working key to decrypt their files.

The threat of ransomware is evolving from the demand to pay to recover files to the threat to publicly release files to embarrass the victim. The hacker slang for this tactic is known as doxing – derived from the word documents. Examples of doxing could include hackers threatening to release new episodes of popular shows, medical records, or pictures and information about your family. For organizations that manage sensitive private customer data (healthcare providers, law firms, financial services, etc.), the threat of that data getting posted online for the world to see (and for other criminals to abuse) can completely change the equation of whether or not they decide they have to pay.

Everything about ransomware is getting worse: the frequency of attacks has grown 15X in just 2 years, the average ransom demanded by criminals is doubling annually, and ransomware attacks have become more sophisticated and harder to detect.

The growth of ransomware is driven by financial motivations of cybercriminals. Hackers have built a business model using the dark web. Developers of ransomware recruit other criminals using what has been called Ransomware-as-a-Service (RaaS). RaaS is a business model used by hackers to recruit other bad actors to distribute ransomware more broadly, and share the profits from the ransom payments. Typically, ransomware authors keep 30% of the ransom payment, and distributors retain 70%.

While the initial focus of ransomware was on individuals and small business, cybercriminals are increasingly targeting larger enterprises, government and education. This is because businesses are typically under more pressure than consumers, to rapidly restore their data and business operations.

The rise in popularity of cryptographic currency (such as Bitcoin) has facilitated the ability of criminals to collect payments from their victims anonymously in a manner that is a lot more difficult to track by authorities. Bitcoin is the predominant payment method demanded by ransomware attackers.

Until existing security solutions adequately prevent malware attacks and stop ransomware, the proliferation and growth of ransomware is likely to continue.