Data Protection Tool

2017-2018 Ransomware Statistics: 14 Trends to Watch  

Picture of Dale Shulmistra

Dale Shulmistra

Data Protection Specialist @ Invenio IT



The latest 2018 ransomware statistics reveal some encouraging signs that attacks are slowing down a bit. But it’s not time to let your guard down.

The 2017 WannaCry and NotPetya attacks were a wakeup call to businesses around the globe. But while some industries have made great strides toward improving their defenses, countless others remain unprotected.

Below, we look at some of the most eye-opening ransomware statistics from 2018 (some of which reflect data from 2017 that only recently became available).

1) Ransomware strains increased last year

The number of observed strains exploded in 2017. One study found there were more than four times as many variants than in the same period one year earlier. However, the number of ransomware families dropped, which is welcome news.

This signifies that ransomware developers are indeed hard at work testing new strains, trying to penetrate vulnerable systems around the globe. But the overall innovation is slowing down: a drop in ransomware families means a slowdown in the development of completely new attacks.

Source: Proofpoint via Barkly; Symantec

2) Payloads dropped significantly in Q4

Cybersecurity experts noticed something interesting in late 2017. Ransomware payloads suddenly dropped off a cliff (at least in comparison to a few months earlier). In June 2017, ransomware accounted for 70% of all malware payloads, according to Malwarebytes. But by early 2018, that number dropped to only 5%.

Don’t get your hopes up. Experts say these rates will likely increase again in the future, possibly just as sharply as they declined. Additionally, the sudden drop in ransomware coincided with a big increase in other forms of malware, like cryptomining (or cryptojacking), which silently uses your system resources to mine cryptocurrency. Keep an eye on that trend in the months ahead.

Source: Malwarebytes

3) Ransom demands were cut in half

At the beginning of 2017, ransomware demands were averaging $1,077 – a three-fold increase over 2016. But by early 2018, those demands dropped to $522.

Some experts say the drop is a “market correction,” a natural result of the proliferation of ransomware. Generally, attackers don’t bother asking for huge sums of money, because it lowers the probability that victims will be able to pay.

However, while average demands have decreased, we’ve seen the high end of this scale reach insane new heights over the last year. In one instance, in June 2017, South Korean Web hosting company Nayana paid their attackers $1 million in Bitcoin to get their data back. And according to a 2017 report by Datto, 2% of surveyed MSPs reported that ransom demands on their business clients were $15,000 or higher.

Source: Symantec

4) $6 trillion in losses expected by 2021

Ransomware and other cybercrime are projected to cost the global economy $6 trillion per year by 2021.

For perspective, that’s 7.5% of the total value of the global economy! The group that released this estimate is calling it “the greatest transfer of economic wealth in history … more profitable than the global trade of all major illegal drugs combined.”

Source: Cybersecurity Ventures via The Weekly Standard

5) Every 40 seconds, another business was attacked

Data from last year shows that businesses were attacked at a rate of every 40 seconds, on average. Think about it: every 40 seconds, another company is infected with ransomware.

Even if these numbers remain on decline in 2018-2019, the threat is still enormous. Organizations are still being attacked daily, and all it takes is one attack to freeze your operations.

Source: Kapersky via Barkly

6) More than 1,200 detections per day

In 2017, Symantec recorded an average of 1,242 ransomware detections per day, not including the WannaCry and NotPetya attacks. This is on par with findings from 2016, when 1,271 detections per day were recorded.

So while detections did not see an increase, they remained at an elevated level—especially compared to 2016, when Symantec saw an average of 933 detections a day.

Source: Symantec

7) 22% of victims had to halt operations

Roughly 22% of ransomware victims had to cease business operations after being hit with ransomware, according to data from Malwarebytes.

No surprises here. Even when you have backups, a successful ransomware infection can grind your operations to a halt. And the longer you stay down, the harder (and more costly) it is to recover.

Source: Malwarebytes

8) 1 in 6 experienced 25+ hours of downtime

How devastating is 25 hours of downtime? Just ask the numerous businesses who experienced it last year after being infected by ransomware.

In a survey of 1,000 small and medium-sized businesses, 1 in 6 organizations said their operations were frozen for 25 hours or more. 90% of businesses said their downtime lasted at least an hour. Even one hour of inactivity can cost small companies as much as $8,581 per hour.

Source: Malwarebytes

9) Recovery costs are outweighing ransom demands

In March 2018, the City of Atlanta was hobbled by a SamSam ransomware attack. SamSam is one of the most successful attack rings, which already extorted more than $1 million from 30 victims in early 2018 alone. In this particular case, the group asked for $52,000 in Bitcoin.

Atlanta officials haven’t said whether they paid the ransom, and the attackers quickly took the payment portal offline anyway. But one thing is clear: recovery was a nightmare. The city spent more than $2.6 million on efforts to respond to the disaster and restore government services.

The June 2017 NotPetya attack on FedEx’s Dutch unit was even more devastating. The company said the attack slashed $300 million from its quarterly profit, forcing it to lower its full-year earnings forecast.

This is a common problem in ransomware attacks. When businesses aren’t prepared, the downtime and recovery costs far exceed the cost of the ransom.

Source: Wired; Reuters via Insurance Journal

10) Scare tactics are getting worse

Back in the good ol’ days, attackers would simply encrypt your files and demand money to decrypt them. But lately, they’ve been upping the ante.

New strains like BitKangeroo not only lock you out of your files, but also permanently delete them, one at a time, until you pay up. It’s a scare tactic designed to make you forgo other options and shell out the Bitcoin ASAP. Also, it reveals that new strains of ransomware are increasingly designed to do other destructive things on your computer, besides just encrypting files.

Source: Forbes

11) The top 10 industries were attacked

No industry is safe from the threat of ransomware. So it’s no surprise that the top 10 sectors each saw their share of attacks last year.

In fact, ransomware hit 15% or more of businesses in each of those top 10 industries. Those industries include education, IT/Telecom, Entertainment/Media, Financial Services, Construction, Government/Public, Manufacturing, Transport, Healthcare and Retail.

Source: Kapersky via Barkly

12) Heatlhcare and manufacturing were hit hardest

Datto conducted a recent survey of 1,700 managed-service providers (MSPs), who together serve 100,000+ businesses around the globe. Their answers shed light on which industries are being hit hardest by ransomware.

48% of MSPs responded that their manufacturing and construction clients had been attacked in the previous year. 28% said the same about their healthcare clients. By comparison, only 9% said their government clients were attacked.

Source: Datto

13) Targeted attack groups are on the rise

Most ransomware attacks are wide-scale campaigns, launched indiscriminately at whichever businesses or individuals take the bait (i.e. by opening a malicious email, clicking a bad link, etc.). But some attacks are targeted at specific businesses and industries, launched by organized cybercriminal groups, rather than a single hacker.

Symantec says these groups are increasing. In 2017, the company became aware of 29 new targeted attack groups, totaling 140 to date. Their attacks include not just ransomware, but other forms of malware as well.

Source: Symantec

14) Nation-state actors are getting involved

What’s worse than a ransomware attack launched by a savvy hacker? An attack launched by a whole government.

Last year’s two big ransomware attacks appeared to have been organized by nation-state actors, like North Korea. While it’s too early to tell if this will continue to be a trend in 2018 and beyond, it does show that governments have begun adding ransomware to their arsenal or cyberwarfare. The goal of such campaigns is often disruption and distraction, not ransom.

The problem is worsened by the fact that state-sponsored attacks can often inform other cybercriminals on how to launch a more effective attack. That was the case with the 2017 Bad Rabbit ransomware attack, which took cues from WannaCry and NotPetya, but was launched by independent actors, not nation states.

Source: Recorded Future

Defend your organization against ransomware

Get more information on protecting your business from ransomware and other data threats. Request a free demo to see how Datto’s data backup and recovery solutions can automatically detect a ransomware infection and help you rapidly recover your data in an attack. Contact our business continuity experts at Invenio IT by calling (646) 395-1170 or emailing

New call-to-action
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles