The 2018 Ransomware Trends That Will Keep You up at Night

APRIL 19TH, 2018

The art of the scam is nothing new. While ransomware attacks now fuel a continuous stream of breaking news, we only have to think back to the many distraught Nigerian princes—all of whom suffered the loss of their uncles and were desperate to find safe places to stash their unexpected inheritances—to remember how long these “spray and pray” campaigns have been around.

Of course, unlike those mail scams, which were limited in scope and fairly easy to spot, ransomware—and the technologies that are supporting its meteoric rise—is changing the game.

What do the experts at Arcserve and KnowBe4 have to say about 2018 ransomware trends, and how you might protect and recover your critical data?

Let’s dive in.

The 2018 ransomware trends on our radar

Ransomware attacks are growing more sophisticated by the day. The spelling and grammar issues that once alerted us to phishing emails are all but gone.

Today, ransomware technologies are not only more sophisticated but more accessible, too. And, with behavior science now creeping into the mix, phishing attacks are becoming more seductive, and refusing ransom demands is becoming more difficult.

What ransomware trends should you be mindful of in 2018?

Agile ransomware development helps evade data security measures

We’re witnessing an arms race. While data security vendors are hard at work developing solutions that will combat the ransomware threat, ransomware developers, faced with locked doors, are climbing through open windows.

For example, data security solutions monitor for unusual traffic and suspicious behavior—behavior like encrypting 300 files in the span of two minutes.

As a result, ransomware developers have begun slowing and/or randomizing the encryption process, so their ransomware more closely resembles human behavior. And, that enables them to escape detection and gain entrance into the victim’s environment.
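The following is an added example, not code from Arcserve or KnowBe4: it runs the burst rule described above (300 files in two minutes) over constructed file-write events and pairs it with a longer-window rule that counts distinct files rewritten with encrypted-looking content. The 24-hour window, the 7.5 bits/byte entropy cutoff, and all process and path names are assumptions chosen for illustration.

```python
from collections import deque

BURST_FILES, BURST_WINDOW = 300, 120       # the article's "300 files in two minutes"
SLOW_FILES, SLOW_WINDOW = 300, 24 * 3600   # assumed: the same count spread over a day
HIGH_ENTROPY = 7.5                         # assumed bits/byte cutoff for "looks encrypted"

def max_in_window(times, window):
    """Largest number of events inside any sliding window of `window` seconds."""
    q, best = deque(), 0
    for t in sorted(times):
        q.append(t)
        while t - q[0] >= window:
            q.popleft()
        best = max(best, len(q))
    return best

def evaluate(events):
    """events: iterable of (timestamp_s, process, path, entropy_after_write).
    Returns {process: set of rule names that fired}."""
    by_proc = {}
    for ts, proc, path, entropy in events:
        by_proc.setdefault(proc, []).append((ts, path, entropy))
    alerts = {}
    for proc, evs in by_proc.items():
        fired = set()
        if max_in_window([ts for ts, _, _ in evs], BURST_WINDOW) >= BURST_FILES:
            fired.add("burst")
        # Slow rule: count each file once, and only writes that look encrypted.
        first_seen = {}
        for ts, path, entropy in sorted(evs):
            if entropy >= HIGH_ENTROPY:
                first_seen.setdefault(path, ts)
        if max_in_window(first_seen.values(), SLOW_WINDOW) >= SLOW_FILES:
            fired.add("slow_cumulative")
        alerts[proc] = fired
    return alerts

def constructed_events():
    """Constructed sample data (hypothetical process names and paths)."""
    ev = []
    for i in range(400):
        ev.append((i * 0.25, "fast.exe", f"/share/a/{i}.csv", 7.9))   # 400 files in 100 s
        # Irregular gaps of 36 or 97 s: at most three writes in any two minutes.
        ev.append((i * 60 + (i * 37) % 61, "slow.exe", f"/share/b/{i}.csv", 7.9))
        ev.append((i * 90, "backup.exe", f"/share/c/{i}.csv", 4.2))   # plain-text copies
    ev += [(i * 600, "editor.exe", "/share/d/report.csv", 4.5) for i in range(50)]
    return ev

if __name__ == "__main__":
    for proc, fired in sorted(evaluate(constructed_events()).items()):
        print(f"{proc:12} {sorted(fired) or 'no alert'}")
```

Already-compressed formats (archives, images, Office documents) have high entropy before any attack, so an entropy cutoff like this one has to be tuned per file type or combined with other signals.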

What’s more, developers are programming their ransomware to remain dormant for a time and quietly infect backups before raising the alarm. They realize victims are more likely to pay when they don’t have good backups in place.

Unfortunately, common mistakes are leaving the door wide-open to attack, such as:

  • Locating backup servers on network drives
  • Executing inadequate, infrequent backups
  • Failing to protect backup servers with anti-virus/anti-malware solutions
  • Failing to establish backup redundancy, including backing up the backup server
  • Failing to test the recovery of backed-up data
  • Granting backup server login credentials to those who don’t require access
  • Unnecessarily browsing the internet from the backup server

Savvy RaaS marketing and a low barrier to entry fuel cybercrime

Ransomware-as-a-Service, or RaaS, isn’t new; the business model emerged all the way back in 2015.

What is new, however, is the degree of slick marketing behind these ransomware kits and their arrival on the open web.

Just consider Philadelphia, which hit the scene last year. While the ransomware kit must still be purchased on the dark web, its creators—The Rainmaker Labs—uploaded a product walkthrough video to YouTube.

The video demonstrates the ransomware’s simple wizard-driven set-up and promises:

  • Advanced features, like worm and sleep time
  • Filters and groups that let you “organize your victims and pdf reports”
  • Lifetime licenses for $400, including free updates and no monthly fees

Now a new arrival, Saturn, has evolved the business model still further, allowing criminals to leverage the ransomware kit without an up-front investment. Instead, ransomware developers take a 30% cut of their users’ profits.

With professional-looking SaaS websites, responsive customer support, and lower barriers to entry, we expect to see an increase in the sheer volume of ransomware infections driven by RaaS marketing.

And, that should concern us all.

Targeted SamSam ransomware attacks on the increase

While ransomware is primarily spread through phishing campaigns, we're also seeing a significant uptick in the number of targeted attacks that exploit exposed Remote Desktop Protocol, or RDP. In fact, we’re seeing this type of targeted attack play out over and over again with SamSam.

While these attacks require a greater investment of time, effort, and tech-savvy, the payoff is bigger, too. This is where the big money starts rolling in—by going after high-value targets.

Which industries will come under heavy fire this year?

For starters, healthcare. These highly complex systems hold a lot of critical data, and if that data is encrypted, lives could be threatened.

Likewise, we expect to see state and local governments, government agencies, and education systems come under attack, as well.


Oftentimes, these sectors operate within tight budget cycles and with limited staffing resources, meaning they’re not as well equipped to identify and resolve vulnerabilities. What’s more, their reliance on public funding—and slow-to-move funding cycles—limits their ability to be agile.

Finally, HR departments in the business and professional service sector will continue to see highly-targeted attacks roll in, as cybercriminals come to recognize the damage they can do with this personal, and sometimes sensitive, data.

Cybercriminals harness human psychology to ratchet up success

Ransomware developers are becoming really innovative—leveraging known behavior science principles to infect more systems and drive ransom payments.

Just look back at "Popcorn Time." Victims were faced with a moral choice:

  1. Pay the ransom
  2. Lose your data
  3. Infect two other people in exchange for your decryption key

Now, that’s diabolical.

Ransomware prevention and recovery trends that offer real promise

There was a time when you’d get a virus on your network, and it was an inconvenience. No longer. With the advent of crippling ransomware strains, organizations are being brought to their knees.

The good news?

Organizations are taking the ransomware threat far more seriously and working to implement effective three-pronged approaches, which include:

  • End user ransomware training
  • Data security
  • Backup and recovery

What trends are we seeing among these solutions that will help you better protect your critical data?

Increased efficacy of ransomware training

We now know what makes ransomware training successful.

Large group information sessions aren’t it. Isolated phishing testing isn’t it, either.

The answer is in creating a comprehensive training system that not only teaches your end users what to look for, but then gives them real-world opportunities to practice what they’ve learned. It’s a combination of data security sessions that talk about safe password handling and digital hygiene, and phishing testing. And, together, they significantly increase the likelihood that your end users will spot phishing attacks.

Data security advances offer a more formidable fortress

The old days of signature-based endpoint protection are largely gone—ransomware is simply too sophisticated for that now. And, human analysis of ransomware threats just can’t keep up with the pace of malware releases.

That's where AI and behavioral analysis are coming into play.

Leveraging big data and machine learning-powered models, these technologies scan for characteristics and behaviors that might indicate ransomware—detecting ransomware and preventing it from executing, or at least mitigating its impact.

Near-zero RPOs and RTOs are on the horizon

The backup and recovery paradigm is now shifting from disaster recovery to disaster avoidance. That means organizations will begin to see RPOs and RTOs of minutes, making downtime feel like nothing more than a glitch.

And, that will enable IT professionals to mitigate the otherwise devastating impacts of ransomware-driven data loss and downtime.

Be aware of ransomware trends—and act to protect your organization

The threat is out there and it’s escalating fast.

That’s why we recommend you implement robust end user training, data security, and backup and ransomware recovery.

Where do you start?

These are the basic best practices we believe every organization should adopt:

  • Train your users to spot phishing emails and websites
  • Ensure you have redundant backups in place—ideally with copies online, offline, and offsite
  • Back up your backup server
  • Shut down Remote Desktop Protocol on the internet
  • Use a VPN before you log into remote machines
  • Don’t browse the internet from your backup server unless necessary for software and firmware updates and patches
  • Protect your backup servers with anti-virus/anti-malware products
  • Test your data recovery—and know not only how long it takes to restore your data, but also how much data would be lost in the event of downtime
  • Segment your network
  • Practice the principle of least privilege
  • Decline email messages in languages you don’t engage in, which ransomware attackers might leverage for hard-to-detect spoofed URLs
  • Establish a ransomware crisis plan

With these best practices in place, you’ll be equipped to prevent and recover from the ransomware infections that might otherwise cripple your business.

A war is raging. It pays to be prepared.