
Ransomware Is Only Going to Get Worse: Four Trends to Watch

Over the past year, ransomware garnered widespread attention among researchers and the general public alike, with three major attacks inflicting notable damage. WannaCry used an SMB exploit (EternalBlue) against unpatched Windows systems to spread across the globe, infecting computers in more than 150 countries with serious real-world impact on businesses, most notably disrupting NHS hospitals throughout the United Kingdom. NotPetya and Bad Rabbit also spread aggressively and took out systems most heavily in Ukraine, Russia, and surrounding states.

While these ransomware attacks stand out because they were widespread, self-propagating, and suspected to be connected to nation-state cyber operations, "traditional", criminally motivated ransomware remains a massive problem affecting individuals and companies across the globe. Pinning down exact numbers is difficult, but the growth is clear on every axis: the number of distinct ransomware strains (by some accounts tripling from 2016 to 2017), infection rates, and costs, which Cybersecurity Ventures predicted would exceed $5 billion in 2017, up from $325 million in 2015 and an estimated $1 billion in 2016.

The ease of execution and overall success rate of ransomware attacks — U.S. victims pay roughly 64% of the time — has made it an attractive tactic for anyone looking to make significant sums of money online. Rather than going after a single, high-profile target for a big score or selling credit card numbers and personal information on the dark web for cents per record, attackers employ ransomware to go after a wide swath of targets, sometimes for small amounts of money per target but for massive hauls in total.

What should we expect going forward over the next several months, years, and beyond? Unfortunately, we will not see a drop in scope and impact of this activity. We likely won't even be lucky enough for the status quo to continue. We should anticipate new strategies and tactics in addition to what we see today. I anticipate four major trends.

Continued Targeting of You and Me

This is the easiest prediction to make, but it must be said: criminal attackers will continue to win. We will continue to see widespread spam and drive-by-download attacks targeting average Internet users and corporate users alike. Attackers of all kinds can exploit vulnerabilities in third-party applications or operating systems, or simply abuse legitimate system features such as Office macros and PowerShell to get their payload running. Consumer and enterprise anti-malware products have not slowed this down: signature-based detection lags behind a ransomware ecosystem that churns out new strains and packers faster than signatures can be written. Users will continue to be tricked into executing ransomware by clever attackers, and typical protections such as anti-virus will continue to fail systematically against it.

Individual users can protect themselves, and some do, through better Internet safety practices (don't click!) and by backing up their data, but massive numbers of people will still be forced to choose between paying up and losing their data and systems to criminals. Users who want to maximize their ability to prevent or survive ransomware should keep software patched, back up their data, turn on their firewall, install anti-virus, and configure script blocking in the browser. One caveat on backups: any backup the infected machine can write to (a mounted USB drive, a mapped network share, a synced cloud folder) will be encrypted along with everything else, and most ransomware deletes Volume Shadow Copies first, so backups need to be offline or versioned to be worth anything.
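The checklist above is easy to state and easy to let slip. The following PowerShell script is an added example, not part of the original article, that audits a Windows machine against it read-only: patch age, firewall profiles, Defender status, Office macro settings (the macro delivery vector mentioned earlier), PowerShell script-block logging, and, as a weak proxy for backups, whether any Volume Shadow Copies exist. It assumes Windows 10 or 11 with Microsoft Defender and Office 2016/365 (the `16.0` registry hive); the function name `Get-RansomwarePosture` and the 30-day and 7-day thresholds are my choices. Browser script blocking is done by an extension and is not checked here.

```powershell
# Added example (not from the article): read-only ransomware posture check.
# Assumes Windows 10/11 with Microsoft Defender and Office 2016/365 ("16.0" hive).
# Run from an elevated PowerShell session; Win32_ShadowCopy needs administrator rights.

function Get-RansomwarePosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Patching: how old is the most recently installed update?
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings.Add("PATCHING: no update installed in the last 30 days (last: $($lastFix.InstalledOn))")
    }

    # 2. Firewall: Domain, Private and Public profiles should all be enabled.
    Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } | ForEach-Object {
        $findings.Add("FIREWALL: profile '$($_.Name)' is not enabled")
    }

    # 3. Anti-virus: Defender on, real-time protection on, signatures fresh.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add("AV: Defender antivirus is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("AV: real-time protection is off") }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings.Add("AV: signatures older than 7 days ($($mp.AntivirusSignatureLastUpdated))")
    }

    # 4. Office macros. VBAWarnings: 1 = run all, 2 = disable with notification (default),
    #    3 = signed macros only, 4 = disable without notification. A Group Policy value
    #    under HKCU:\Software\Policies wins over the per-user setting, so check it first.
    #    blockcontentexecutionfrominternet = 1 blocks macros in files marked as downloaded.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $keys = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security",
                "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $warn = $null; $motw = $null
        foreach ($key in $keys) {
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($p -and $null -eq $warn -and $null -ne $p.VBAWarnings) { $warn = $p.VBAWarnings }
            if ($p -and $null -eq $motw -and $null -ne $p.blockcontentexecutionfrominternet) {
                $motw = $p.blockcontentexecutionfrominternet
            }
        }
        if ($warn -notin 3, 4) {
            $findings.Add("MACROS: $app VBAWarnings=$warn; set 3 (signed only) or 4 (block all) by policy")
        }
        if ($motw -ne 1) {
            $findings.Add("MACROS: $app does not block macros in files downloaded from the Internet")
        }
    }

    # 5. PowerShell abuse: script-block logging gives you a record of what ran.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                            -ErrorAction SilentlyContinue
    if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
        $findings.Add("POWERSHELL: script block logging (Event ID 4104) is not enabled")
    }

    # 6. Backups. A script cannot see your offline backup; shadow copies are only a weak
    #    proxy, and ransomware routinely deletes them, so treat zero copies as a prompt to
    #    confirm that a real offline or versioned backup exists.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        $findings.Add("BACKUP: no Volume Shadow Copies on this machine; verify an offline backup exists")
    }

    return $findings
}

$report = Get-RansomwarePosture
if ($report.Count -eq 0) { "No gaps found in the checked controls." } else { $report }
```

Each finding names the control and what to change; run it again after fixing things and after any major Windows update, which can silently reset Defender and Office settings.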

Pay Up or Be Exposed

The general public (the primary target of ransomware attacks) is getting smarter about backing up their data, which is reducing the need to pay in those cases. This has forced attackers to think about other ways to monetize access to your computer. 

Because of this, we can expect more ransomware attacks that aren't just about data encryption, but instead are about doxxing, or exposing sensitive information about individuals. In an attack of this sort, rather than encrypting the data so you can't access it, the attacker blackmails you by threatening to release the information, either to people you know or publicly, if you don't pay the ransom. Doxxing can come in the form of exposing compromising emails, photos, videos, or other information that may be secret or embarrassing. Beyond personal information, this has serious consequences for both private and public companies hoping to protect sensitive information and intellectual property.

These days, collecting this kind of data and exposing it is increasingly easy for attackers. Automated collection on the compromised host (searching for documents, mailboxes, and credentials and staging them for exfiltration) makes finding the most damaging material cheap, which is what lets this scale. Note that the defence that works against encryption, a good backup, does nothing here: once the data has left the machine, the only thing that would have helped is keeping the attacker from taking it in the first place. As an added bonus for the attacker, the incentive to avoid embarrassment or more significant consequences by paying a large sum could be higher than in many data-encryption scenarios.

Collateral Damage and Deception

As a growing list of nation-state affiliated groups deploy destructive attacks, we will see more actors combining their malicious attacks with ransomware. This tactic allows attackers to sow confusion about attribution, mask the true intended target(s), or destroy forensic data to make post-breach investigation and attribution more difficult. It is an entirely viable strategy because ransomware and an effective destructive attack differ in only one step: whether the attacker retains a way to reverse the encryption. Skip that step, by never saving the per-victim key or by showing the victim a "payment ID" that cannot be tied back to it, and you have a basic but effective destructive cyber attack. NotPetya did exactly this: the "installation key" it displayed was random data unrelated to the encryption key, so no payment could ever have produced a decryptor. Deliver your propagating destructive malware disguised as ransomware to the true target in addition to others, and it becomes difficult to piece together what happened and why. Your target will often be knocked offline. You win. This strategy proved effective in 2017, with KillDisk and NotPetya the two prime examples, and we should expect to see more of it as aggressive nation-state groups continue to push the envelope.

Cryptocurrency Gold Rush

Bitcoin, by far the most common cryptocurrency and preferred method of payment for ransomware attackers, rose significantly in value last year. The values of other cryptocurrencies such as Ethereum, Litecoin, and Ripple have also increased by absurd percentages in the thousands, and new coins with billion dollar market caps are appearing out of thin air as speculators rush in, driven by fear of missing out on the next big thing.

Ransomware attackers can take advantage of this gold rush in cryptocurrency by adjusting their payment demands to whichever currency is currently returning the most. For example, if an attacker sees the price of Litecoin sharply rising over a certain period of time, they may see a greater short-term benefit in collecting that currency rather than Bitcoin, and then move to another rising currency for their next campaign. An attacker with a large enough footprint could even try to bump the value of coins already sitting in their wallets, since forcing thousands of victims to buy a thinly traded currency spikes demand for it.

Ransomware attackers may additionally use their compromised hosts for cryptocurrency mining, or even transition away from ransomware entirely and over to mining campaigns if they see greater potential for profit. The involvement of nation-states in cryptocurrency-related attacks and manipulation efforts will likely affect the proliferation of ransomware and the currencies being solicited. Nation-states subject to economic sanctions (e.g., North Korea) could also look to ransomware, cryptocurrency mining, and speculation as alternative, if not more attractive, revenue streams.

Ransomware is not going away. We can expect that criminals will continue launching successful, widespread attacks, that criminals may begin doxxing their targets, that ransomware could be used in tandem with destructive attacks, and that cryptocurrencies will add a new element to how criminals demand payment. Looking ahead, these kinds of attacks will only increase and adapt in pace with technological innovation and the broader evolution in attacker intent, delivery, and demands.

Mark Dufresne

Mark is responsible for Elastic Endpoint Security’s efforts to understand cyber threats and develop innovative capabilities to detect and prevent malicious adversary techniques. Mark has over 12 years of experience in offensive and defensive cybersecurity as an Operations Chief and Manager at the National Security Agency. As the leader of a diverse range of cyber operations, Mark spearheaded efforts to defend against the global range of cyber adversaries, with a focus on disrupting and mitigating targeted nation state cyber activities. Mark was also a major advocate and coordinator for a variety of intelligence sharing and collaboration efforts across the US Government to improve cyber defense and prevention capabilities across the community. Mark earned his BS in Computer Science from the University of Minnesota and his MS in Security Informatics from Johns Hopkins University.
