The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat?Unfortunately, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals otherwise.

Ransomware was arguably the biggest security story of 2016. It certainly was one of the most prevalent threats. Our monitoring of the ransomware ecosystem in 2016 shows:

  • Every quarter, more than 500 million emails sent by spam campaigns carry ransomware downloaders that attempt to install ransomware on computers
  • These ransomware downloaders found their way into 13.4 million computers
  • On the other hand, 4.5 million computers were exposed to the Meadgive and Neutrino exploit kits, whose primary payload is ransomware
  • All in all, the ransomware payload of these spam and exploit kit campaigns were observed in 3.9 million computers in 2016

The impact of ransomware attacks extended beyond consumers as businesses and the public sector fell victim to the threat. Mainstream news coverage of attacks, including stories of a California hospital paying ransom to restore important medical files and the interruption of the San Francisco transport system, injected ransomware deeper into mainstream consciousness. In September, a Europol report cited ransomware as the biggest cyber threat, overtaking data-stealing malware and online banking trojans.

Interestingly, data from Windows Defender Antivirus shows an interesting trend: after peaking in August, when 385,000 encounters were registered, ransomware encounters dropped almost 50% in September, and it has continued to decline.

Figure 1. Monthly encounters of ransomware payload files, excluding downloaders and other components; some industry figures combine the two

Does this trend signal that we are seeing the end of ransomware? A look at other areas of the ransomware ecosystem reveals otherwise.

(Note: This blog post is the second in the 2016 threat landscape review series, following a review of exploit kits. The series looks at how major areas in the threat landscape are evolving. In future blogs, we will look at how support scam malware and macro malware transformed in the past year.)

Read more: