Ransomware by the numbers: Reassessing the threat’s global impact

[harlan4096]

Kaspersky has been following the ransomware landscape for years. In the past, we’ve published yearly reports on the subject: PC ransomware in 2014-2016, Ransomware in 2016-2017, and Ransomware and malicious crypto miners in 2016-2018. In fact, in 2019, we chose ransomware as the story of the year, upon noticing the well-known threat was shifting its attention to municipalities. In the 2010s, with campaigns like WannaCry and NotPetya, ransomware became mainstream news. However, starting in 2018, we began noticing something else: the statistics for the overall number of ransomware detections were on a steep decline. What was happening? Was ransomware, in fact, a dying species of malware?

For anyone following the news in the infosecurity community, this seemed unlikely. In 2019 and 2020, stories of ransomware attacks made front-page headlines, from Maze attacking LG to the infamous APT group Lazarus adding ransomware to its arsenal. In the United States alone in 2020, ransomware hit more than 2,300 government entities, healthcare facilities and schools, according to the security company Emsisoft.

So, what’s the story?

Ransomware hasn’t disappeared; the threat has just undergone a fundamental shift. Widespread ransomware campaigns have been replaced with highly targeted, destructive attacks, often aimed at large organizations. In addition, attackers appear to be more focused on exfiltrating data as well as encrypting it, i.e., siphoning off confidential information and threatening to make it public if the victims refuse to pay. All of this is done with the aim of launching fewer attacks, each with a far larger payout, rather than collecting smaller amounts from a massive number of victims.

In this report, we’ll take a look at the numbers behind the ransomware threat from 2019 to 2020, what they mean — and what they foretell about ransomware’s future.

Key findings

• In 2020, the number of unique users that encountered ransomware on their devices was 1,091,454, a decline from 1,537,465 in 2019.
  
• In 2019, the share of users targeted with ransomware among the overall number of users that encountered malware was 3.31%; this declined slightly in 2020 to 2.67%.
  
• The share of ransomware detections among the overall number of malware detections was 1.49% in 2019 and 1.08% in 2020.
  
• In both 2019 and 2020, WannaCry was the most frequently encountered crypto-ransomware family on Windows systems.
  
• In 2019, the number of unique users that encountered ransomware on their mobile devices was 72,258. This number declined to 33,502 in 2020.
  
• However, the share of unique users that encountered ransomware on their mobile devices among the overall number of users that encountered malware held steady between 2019 and 2020 at 0.56%.
  
• From 2019 to 2020, the number of unique users affected by targeted ransomware families increased by 767%.
  
• By far, the industry that contained the greatest share of targeted ransomware attacks was engineering and manufacturing, at 25.63%.
  

Methodology

This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN).

There are two main metrics used. The first, unique users, refers to the number of distinct users of Kaspersky products with the KSN feature enabled who encountered ransomware at least once in a given period. The second is detections, which is the number of ransomware attacks blocked by Kaspersky products over a given period.

The report also includes research into the threat landscape by Kaspersky experts.

Kaspersky products detect various types of ransomware. These include crypto-ransomware (malware that encrypts your files), screen lockers, browser lockers, and boot lockers. Unless otherwise stated, statistics refer to any type of ransomware.

Ransomware across all platforms

As Kaspersky has previously noted, the total number of ransomware detections has been steadily declining since 2017. This is a trend that has continued through 2019 and 2020.

In 2019, the total number of unique users that encountered ransomware across all platforms was 1,537,465. In 2020, that number fell to 1,091,454 — a decrease of 29%.

In fact, for each month in 2020, the number of unique users that encountered ransomware across all devices was lower than the number observed during the same month in the previous year. In both years, the number of users that encountered ransomware was relatively stable — hovering between 100,000 and 170,000 in 2020 and between 150,000 and 190,000 in 2019 — with the exception of July 2019, when there was a noticeable spike. This was driven by an increase in two ransomware families. The first, Bluff, is a browser locker, meaning victims are confronted with a fake tab — one they are unable to exit out of — that threatens dire consequences if a certain amount of money is not paid. The other was Rakhni, a crypto-ransomware that first appeared in 2013 and was distributed primarily through spam with malicious attachments.

The share of unique users that encountered ransomware out of the total number that encountered any type of malware across their devices also declined, from 3.31% in 2019 to 2.67% in 2020. However, the share of ransomware detections out of the total number of malware detections held relatively steady, declining only slightly from 2019 to 2020, from 1.49% to 1.08%.
...

Continue Reading