The NTT Security 2018 Global Threat Intelligence Report (GTIR) summarizes data from over 6.1 trillion logs and 150 million attacks, with global security researchers analyzing global threat trends based on log, event, attack, incident and vulnerability data from NTT Group operating companies. Among the intriguing trends identified, ransomware activity spiked significantly as distribution of this class of malware became a heavy focus of threat actors in 2017.
What is ransomware?
Ransomware is a type of malware that prevents or limits users from accessing data, computing or network resources, either by locking their system’s screen or by locking files and folders, then demanding a ransom. Recent ransomware strains use encryption when locking files, forcing users to pay the ransom via online payment methods to obtain a decryption key.
2018 GTIR findings
In the 2017 GTIR, ransomware detections accounted for less than 1% of all malware detections, as ransomware was fairly uncommon in 2016. That share rose to nearly 7% of all malware in 2017 thanks to a 350% increase in detections. Although ransomware detections increased significantly, incident-response-related engagements fell from over 22% of incidents in 2016 to just 5% in 2017, a result of better threat awareness and preparation by NTT Security clients.
The gaming (gambling and associated entertainment) sector was the most targeted by ransomware during 2017. This follows a common targeting pattern among threat actors, in which several of the most targeted sectors are characterized by high uptime requirements, where an impact on system availability could directly lead to loss of revenue. NTT Security detected ransomware attacks in every industry sector; however, the top five sectors targeted – finance, technology, business and professional services, manufacturing and retail – accounted for 72% of all ransomware detections.
In EMEA, ransomware accounted for 29% of malware detections, making it the only region in which ransomware was the top type of malware. As the outbreak of the infamous WannaCry ransomware made media headlines, health services in the UK were impacted, and the affected health care facilities found it necessary to cancel appointments and divert incoming patients to alternate medical facilities. WannaCry and Petya, both originating in EMEA, also affected the gaming sector, which experienced 36% of ransomware attacks. In comparison, the Americas accounted for 26% of ransomware detections, where business and professional services were the most targeted.
Overall, threat actors continued to search for and identify exploitable vulnerabilities and social engineering tactics in 2017. They expanded into supply chain infections and the widespread use of destructive malware masquerading as ransomware. Driving this change were leaks of several classified government hacking tools, which made the distribution of ransomware easier, more automated, and more widespread. As threat actors who leverage ransomware shift their focus toward businesses and away from individuals, performing data backups and developing plans for incident response and disaster recovery have become even more critical. The 2018 GTIR contains additional ransomware trends as well as mitigation and remediation guidance.
For more details about ransomware and other security trends, please read the 2018 GTIR report.