Looking back from a cybersecurity point of view, 2016 was a banner year for ransomware. It dominated the headlines starting in February with the highly publicized attack on the Hollywood Presbyterian Medical Center and continued through year's end, when service was interrupted for the San Francisco Transit Authority in December by a similar outbreak. In fact, 4,000 computers were infected with ransomware every day of that year. (Ransomware doesn't only affect computers; see Why Android Anti-Malware Apps Are a Good Idea to learn more.)

Many people may be shocked to learn that ransomware is a billion-dollar industry, as that represents the total dollar amount in ransom paid throughout 2016. What is equally astonishing is the fact that only 24 million dollars in ransom was forfeited in 2015. If ransomware were a business, its rate of growth would be unprecedented and admired by many. Ransomware attacks have become so prevalent that Marcin Kleczynski, CEO at Malwarebytes said last year, “The problem of ransomware is now so bad that banks are buying cryptocurrency so that they're ready to pay off criminals if their files are held to ransom.”

According to a report released by the FBI in December 2016, over 40 percent of businesses experienced a ransomware attack, a 6,000 increase over 2015. Of those victimized organizations:

  • Almost 70 percent of enterprises who were victimized by hackers paid to retrieve their data
  • 50 percent of those paid more than $10,000 an incident to do so
  • 20 percent of those paid more than $40,000

The Remedy to Ransomware

Despite the horrific statistics concerning the exponential growth of ransomware, there was some good news concerning this malicious menace that plagued so many organizations. Thanks to those who were forced to counter these nefarious attempts of extortion, an antidote was discovered that could reverse even the worst-case ransomware assault. By taking this one corrective action, an enterprise has a get-out-of-jail-free card should that ominous day ever occur. This surefire remedy is a well-designed backup solution.

By backing up your data at regular intervals every day, your IT team can bring your data back from encrypted purgatory, circumventing the need to pay a high-priced ransom. Unfortunately, some companies, such as healthcare or financial organizations, cannot afford the downtime and may choose the fastest recourse, which is to simply pay the extortionists. Other organizations discovered to their dismay last year that their backup solutions were poorly designed and failed to restore properly. For those companies that took backups seriously and consistently tested their data restore processes, ransomware was reduced to an annoying menace that meant downtime and long hours, but nothing more. (For more on ransomware, see How Should Businesses Respond to a Ransomware Attack?)

How Ransomware Is Evolving into an Industry

When any business starts earning revenue streams of over a billion dollars within a year, it attracts money and talent. Ransomware is no different. Ransomware creators are currently attracting pools of investment dollars that are funding research and development in order to take ransomware to the next level in its evolution. The quest is to create a ransomware worm that can traverse networks and proliferate on its own without command-and-control intervention. A recent strain of ransomware called Spora, discovered in January of this year, comes one step closer to that goal in that it can spread through shared USB drives.

Another disturbing trend is the establishment of distribution channels that mimic a multi-level marketing organization. Referred to as Ransomware as a Service (RaaS), it gives would-be cybercriminals an instant turnkey business with little investment. In some cases, ransomware startup kits can be purchased on the dark web for as little as $39, with other offerings going for up to $400. These distribution channels form a tiered hierarchy of 10–15 affiliates per boss or kingpin. A kingpin sells a ransomware kit to affiliates, who then strive to deliver it to unsuspecting organizations or consumers. The paid ransoms are then split between the kingpin and the affiliate, with the affiliate garnering somewhere around 60 percent of the take. Another new strain of ransomware called Popcorn Time goes one step further in the recruitment of affiliates by offering its victims the opportunity to decrypt their data for free under the following guidelines:

“Send the link below to other people. If two or more people will install this file and pay, we will decrypt your files for free.”

By expanding distribution channels and boosting the number of attackers, ransomware attacks will become ubiquitous throughout enterprises, overwhelming IT teams and inducing them to simply pay ransoms rather than continuously restore backups.

How New Ransomware Strains Are Countering Backups

Obviously, it is the goal of ransomware creators to circumvent the effectiveness of backup solutions and increase their payoff percentage. Three strategies that accomplish this sinister objective have recently been revealed.

The first approach is to slow down the rate of encryption. Traditionally, once the malware is implanted and activated within the network, it instantly sets out to encrypt all discovered data and alert the victim. Using an entirely new strategy, the ransomware encrypts only about 3 percent of a silo’s data each day. The premise is that by encrypting a very small amount of data each day, the encryption process will go unnoticed. Every backup solution is built around a retention policy. For a small business, the retention policy may be seven days, meaning that a full backup is performed each day of the week. Once the next week comes around, the tape that hosted last week’s backup either appends the new backup or records over the previous one.

The goal is that, by slowing the encryption process, organizations will unknowingly back up these encrypted files, making the backup copies just as useless as the data on the primary storage devices. Some of these new ransomware strains take up to 90 days to fully encrypt their targeted storage silo.
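The slow-encryption strategy above only works while the rotation quietly overwrites the last clean backup, which is why the restore testing recommended earlier has to look at the data, not just at whether a restore job completes. The following added example (not code from the original article) models nightly backup generations of one share, flags files whose byte entropy jumped between generations, and reports whether any fully clean restore point is still inside the retention window. The sample generations, file names, and the 7.5-bit entropy threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample content: a plain-text file and a stand-in for ciphertext.
CLEAN = b"quarterly payroll report: alice 52000 bob 61000\n" * 64
ENCRYPTED = bytes(range(256)) * 16   # uniform bytes, entropy exactly 8.0 bits


def make_generations(n_files=100, per_day=3, days=3):
    """Constructed backup history: generation 0 is clean; each later night
    `per_day` more files have silently been replaced with ciphertext (3%/day)."""
    gens = []
    for day in range(days + 1):
        hit = min(n_files, per_day * day)
        gens.append({f"docs/file{i:03d}.txt": (ENCRYPTED if i < hit else CLEAN)
                     for i in range(n_files)})
    return gens


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def newly_encrypted(prev, curr, threshold=7.5):
    """Paths whose content crossed the entropy threshold between two generations.
    A steady trickle of such files night after night is the slow-encryption tell."""
    return sorted(path for path, data in curr.items()
                  if path in prev
                  and shannon_entropy(prev[path]) < threshold <= shannon_entropy(data))


def restorable_clean_point(gens, retention_days, threshold=7.5):
    """Index of the newest *retained* generation with no high-entropy file,
    or None when the rotation has already overwritten every clean copy."""
    first_kept = max(0, len(gens) - retention_days)
    for idx in range(len(gens) - 1, first_kept - 1, -1):
        if not any(shannon_entropy(d) >= threshold for d in gens[idx].values()):
            return idx
    return None


if __name__ == "__main__":
    gens = make_generations()
    for day in range(1, len(gens)):
        print(f"night {day}: {len(newly_encrypted(gens[day - 1], gens[day]))} files newly high-entropy")
    print("clean point, 7-day retention:", restorable_clean_point(gens, 7))
    print("clean point, 2-day retention:", restorable_clean_point(gens, 2))
```

Real backup archives hold compressed data, which is also high-entropy, so in practice the comparison is run on the restored files (or on the archive's per-file metadata), and the per-night count of newly high-entropy files is what gets alerted on.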

Another approach is to seek out backup systems. New advanced malware strains are designed to actually seek out the file extensions of well-known backup and archive applications and then target those files, along with every data silo they reference.

Finally, a new type of attack, referred to as doxware, delivers a one-two punch, combining the traditional encryption process with the actual uploading of the victims' data to an external storage silo managed by the hacker. Since the hacker holds the decryption key, they can simply decrypt the captured data and assess its value. High-value data, such as financial information concerning a pending merger or acquisition, could be used to extort even bigger payoffs as criminals threaten to release the obtained information. Cybercriminals especially like to target HR data such as salary and payroll details that could prove embarrassing for company management if released. In the case of individuals, compromising photos or emails could be seized and used as leverage for blackmail to make a few quick bucks. In the case of doxware, restoring any encrypted data to its original state only alleviates half the problem.

One thing is certain: Ransomware will continue to evolve to incorporate more effective countermeasures to outwit any prevention programs enacted by IT teams. Just as the ransomware community is expanding its R&D efforts, security vendors must expand their efforts as well in order to combat this billion-dollar problem that is trending in the wrong direction.