Ransomware attacks quadrupled in Q1 2016

Ransomware has taken off in 2016, with attacks in the first quarter coming at quadruple the rate seen last year, according to figures from a leading security vendor.

Kevin Haley, the director of product management at Symantec Security Response, said his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over the approximately 1,000 attacks per day in 2015 the company highlighted in its recent Internet Security Threat Report.

During a media roundtable Thursday, Haley said the spike is due to the success attackers are having in targeting a broad variety of business sectors and the ease with which attacks can be carried out.

“It’s really profitable, there is very little risk, and you don’t have to resell the data anywhere,” Haley said. “It’s pure profit.”


Haley said his company saw a spike once Hollywood Presbyterian Medical Center announced it paid $17,000 to hackers in February after it was hit with a ransomware attack.  

Earlier this month, Columbia, Maryland-based MedStar Health was hit with a similar attack, where hackers asked for $19,000 to decrypt the company’s data.


Haley said the gangs using ransomware have honed their social engineering efforts to target the right people for spear phishing emails. The malware is packaged in a phony email attachment, often a phony invoice.

“If I send you something that says ‘Here is a bill and you owe money on this,’ you are going to click through,” Haley said.


Attackers are also growing more sophisticated with how they deploy the malware once they gain access to a system. The responsible parties often wait a week to encrypt data so when an IT department uses a restore point, their malware remains in the system.

Haley recommended that to avoid this, security specialists should be deploying backups of operating systems instead of reverting to restore points.

Over the past year and a half, Haley said his company has seen thousands of unique malware variants used in various ransomware campaigns, which target different operating systems, web servers and internet-connected devices.

For the company’s threat report, Haley’s team found a way to install an Android-based ransomware known as Simplocker onto a smartwatch and internet-connected TV. While Symantec has yet to see that type of attack used by real-life criminals, Haley said there is “no reason it couldn’t be done.”

Android is more likely to be targeted than Apple iOS due to the closed nature of Apple’ App Store and the faster distribution of updates that close vulnerabilities. The nature of the Android eco-system, where phone owners are dependent on carriers and handset manufacturers to distribute system updates, means “there is a much greater chance you are going to see an old version of Android out in the wild than Apple iOS,” Haley said.


Contact the reporter on this story via email at, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts