5 Ransomware Trends to Watch in 2018

Posted: 6th March 2018

Last year, I published my predictions for ransomware trends, some of which turned out to be correct — others, not so much. For example, ransomware becoming part of a number of different attack groups’ toolsets and the continued growth of fileless malware were accurate predictions. On the other hand, predicting a rise in ransomware designed to publicly shame victims as well as ransomware declining because of law enforcement actions were incorrect. While ransomware _ is_ on the decline, that is more because organizations and security vendors have gotten better at stopping it earlier in the attack chain process.

Given that we’re already a few months into the new year, I thought it would be a good idea to provide an update on ransomware trends for 2018.

1. Opportunistic ransomware is generally on the decline. Ransomware worked well for so long because bad guys made money — and made money quickly — from ransomware campaigns. Starting in 2017 and continuing into 2018, there has a been a steady decline in ransomware campaigns. The reasons for that are twofold, but interconnected:

  • Exploit kits (EK) have virtually disappeared. The EK market has always been volatile, but as one EK faded away, there was generally another one to take its place. That has not been the case. As the big EKs of 2016 and 2017 — Sundown, Neutrino, and RIG — have fallen off, no new EKs have stepped in to fill the void. This has occurred, in part, because there are fewer zero-day browser exploits to use in these EKs, rendering them less effective. Of course, this is somewhat of a “chicken and an egg” problem. The most popular zero-day exploits in years past were those targeting Adobe Flash. However, Adobe Flash installations are at an all-time low, so there is a much smaller attack surface, meaning that even if there were a large number of Adobe Flash zero-day exploits, there would be fewer victims to target. With fewer active EKs, there are fewer delivery mechanisms for ransomware, forcing attackers to rely more heavily on phishing campaigns, which are becoming less effective.

  • The EKs that are still around, such as RIG, have switched to delivering cryptocurrency miners rather than ransomware.

In general, there has been a move away from ransomware to cryptocurrency miners, largely for the same reasons that led to the rise of ransomware in the first place. At this point, cryptocurrency miners are more profitable than ransomware. They are also more difficult to defend against. Organizations have gotten better at securing their networks to prevent successful ransomware attacks, but blocking cryptocurrency miners is a much bigger challenge. Until the security community catches up, cryptocurrency miners will continue to be profitable for attack groups.

2. There will still be some industries that are targeted.

Some industries are still being targeted, and will continue to be targeted by ransomware campaigns. Industries like healthcare, and more specifically, hospitals, have continued to be lucrative targets for attackers. The image below shows that hospital attacks have not abated recently, but instead, they continue to move along at a steady pace and continue to be effective.

This is part of the trend mentioned last year that has continued: “Ransomware will become just another tool in the hacker utility belt.” While overall cybercriminal-based ransomware attacks are on the decline in 2018, ransomware is still used on a case-by-case basis, rather than large-scale ransomware campaigns.


Ransomware attacks on hospitals continue to rise.

3. Boutique ransomware campaigns will continue.

While large-scale ransomware declined toward the end of 2017, the balkanization of ransomware continues to increase. There are ransomware campaigns happening, but they are reaching smaller audiences. At the end of January 2017, Recorded Future was tracking 635 different ransomware variants, while at the end of February 2018, we were tracking 1,105 different variants. That is a 74 percent increase in the number of variants we were tracking, in just 13 months.

2015, 2016, and early 2017 saw the emergence of a few widely distributed ransomware campaigns like Locky and Cerber. While these ransomware variants are still being distributed, albeit on a much smaller scale than in previous years, there has been a growth in other ransomware families that pop up for a few weeks or months, and then disappear.

These new, smaller campaigns are generally distributed to hundreds of thousands of potential victims, rather than tens of millions at a time. This trend will continue in 2018, as malware developers look to continue to add ransomware to newly discovered attack techniques.

4. The line between cybercriminals and nation-state attacks will continue to blur.

In 2017 I wrote, “Similarly, there will not be a Mirai-style botnet installing ransomware.” I was partially correct. While there was not a Mirai-style botnet installing ransomware, 2017 did see the rise of the so-called ransomworm, with WannaCry, NotPetya, and Bad Rabbit leading the way. These worms were interesting for two reasons:

  • The sheer amount of damage and destruction they were able to cause in a very short period of time.
  • They demonstrate the interplay between cybercriminal organizations and nation-state actors.

WannaCry and NotPetya were not criminal campaigns. They were, at best, distraction campaigns, and at worst, destruction campaigns. They both appear to have been launched by nation-state actors using what had traditionally been cybercriminal tools. But, even in nation-state-style attacks, ransomware can be an effective tool in disrupting operations. While the nation-state actors may not care about collecting the ransom, they certainly care that their targets are unable to access their files and that their workflow is disrupted for days or weeks, or in some cases, months.

On the other hand, Bad Rabbit appears to have been carried out by a cybercriminal, using techniques learned studying the WannaCry and NotPetya campaigns. This doesn’t just apply to ransomware — it is happening across all types of cyberattacks. Cybercriminals are learning from nation-state actors, while nation-state actors are learning from, and using the tools of, traditional cybercriminal activity. This trend will continue to grow in 2018, and beyond.

5. Ransomware as a service (RaaS) will continue to be popular.

The one area of ransomware that appears poised to remain popular is RaaS. RaaS allows attackers to rent ransomware infrastructure rather than develop it themselves. The attacker generally pays an upfront fee, and the author of the RaaS keeps a small percentage of each ransom paid. Generally, the rentee is allowed to set the ransom price and build the attack campaign.

RaaS is attractive to less experienced attackers because it allows them to get into the ransomware game quickly and painlessly, which leads them to believe that they can start making money quickly.

However, RaaS appeals to more experienced hackers as well because it guarantees them a revenue stream, selling the RaaS to inexperienced newcomers. In fact, the three most popular ransomware strains of 2018, GandCrab, Saturn, and Data Keeper, have all been RaaS ransomware families (see image below). Because there are always people looking to make a quick buck, and there are always those who are willing to take their money, it seems like RaaS will continue to thrive, at least through 2018.


Mentions of GandCrab, Saturn, and Data Keeper ransomware families.


While it won’t be as big of a menace in 2018 as it was in 2016 and 2017, ransomware will continue to be a threat to both individuals and organizations. Some industries, such as healthcare, will continue to be heavily targeted by ransomware campaigns, but most industries should expect to see a drop in ransomware, overall. That being said, some of the tools developed by the actors behind ransomware, including fileless malware and encryption techniques, will continue to be used by those actors, as well as others, in different types of attacks. Don’t be surprised if there are more state-sponsored disruption campaigns in 2018 using tools originally designed for ransomware attacks.