
Ransomware Activity Declines, But Remains Dangerous Threat

Despite the recent falloff, Symantec’s latest Internet Security Threat Report finds that attacks against enterprise and mobile users remain sources of concern

A year or two ago, you could be forgiven if you thought the entire Internet was awash with ransomware. In 2016, researchers identified 98 new ransomware families, up from just 30 the prior year. Then, in 2017, the massively destructive WannaCry and Petya ransomware attacks garnered headlines around the world.

Lately, by contrast, it might seem as if ransomware has all but disappeared from the news. It turns out there is some reason for this attack form’s suddenly lower profile. During 2018, the number of ransomware infections actually fell by 20% compared to 2017, according to Symantec’s 2019 Internet Security Threat Report (ISTR). Furthermore, only 10 new ransomware families appeared during 2018.

Behind these encouraging statistics lie some sobering facts, however. Within the overall drop in ransomware activity, Symantec recorded a 12% rise in ransomware attacks against enterprise targets. As notable: mobile ransomware infections increased by 33% during 2018.

Even the overall 20% drop in ransomware activity during the year must be considered in context, because 2017 was the highest year on record for this type of attack. “There was still more ransomware activity in 2018 than in 2016,” cautions Dick O’Brien, principal editor with the Symantec Security Response organization. “Ransomware remains a serious and dangerous threat.”

That fact was evident with a series of attacks by the so-called SamSam ransomware during 2018. Symantec found evidence of SamSam attacks against 67 targets last year, nearly one-quarter of them healthcare organizations.

One of the most visible attacks associated with SamSam hit the city of Atlanta on March 22, 2018. With multiple municipal computers encrypted by the ransomware, more than one-third of the 424 software programs used by Atlanta were thrown offline or partially disabled by the attack. Atlanta said it didn’t pay the $51,000 in bitcoin the attackers demanded for the release of encrypted data, but the city’s clean-up costs in the attack’s aftermath were expected to run over $10 million.

This huge remediation expense makes clear one of the realities of any ransomware attack: even if the victim doesn’t meet the attackers’ demands, the cost of dealing with the damage caused can be staggering. “For enterprises with hundreds or thousands of computers, it can be tremendously disruptive and expensive to recover from a ransomware attack, even if you have the data that the attack encrypted backed up,” notes O’Brien.

Still, as the decline in ransomware activity last year suggests, there are positive trends underway in this area. More consumers are backing up their data in the cloud, so they can recover it if the data on their device is maliciously encrypted. Growing numbers of law enforcement prosecutions against ransomware attackers are having an impact. And cyber security vendors are getting better at detecting and blocking ransomware itself.

These improving defenses have helped drive a decline in the prevalence of ransomware attacks mounted with the aid of Web-based exploit kits. Instead, email campaigns that use spear phishing and other methods to ensnare victims became the primary method of distributing ransomware in 2018, according to Symantec’s ISTR.

Meanwhile, the sheer volume of all forms of malware is driving increased reliance on new defensive technology and techniques. “Traditionally, we’d block malware by getting a sample, making a ‘fingerprint’ of it, and getting a report if it was identified,” O’Brien says. “Now there’s so much malware, that process of manually fingerprinting isn’t efficient enough.”

Instead, Symantec is turning to technologies such as behavioral analysis and machine learning to block ransomware earlier in the infection process. Symantec can tap a massive pool of data from its global customer base to present machine learning algorithms with both known malware and potentially suspect code. “The more malware machine learning sees, the more attuned it gets, and the more able to create new fingerprints on its own,” O’Brien says.

As with most cyber attacks nowadays, ransomware assaults typically occur in combination with other attack techniques. For example, the SamSam ransomware attacks also leveraged living-off-the-land tactics, using operating system functions or common administrative tools to explore and compromise victims’ networks and systems.

Whether a pure ransomware assault or part of a hybrid attack, ransomware remains a significant threat across the cyber landscape. Organizations shouldn’t be lulled into a sense of complacency about this type of threat just because it no longer hits the headlines as often as in the recent past.

About the Author

Dwight B. Davis


In his 40-year career as a computer industry journalist/analyst, Dwight has written hundreds of articles and research reports about cutting-edge technologies, market trends and vendor strategies. Much of his recent focus has been in the area of cyber security.
