Malware statistics and facts

“Malware” describes any malicious program created to wreak havoc or mischief on a computer system. It’s also an ever-evolving ecosystem thanks to the constant push-and-pull between security professionals and cybercriminals. Shifts in the malware environment change every year, although long-term trends are identifiable in year-over-year data reports.

Despite numerous anti-malware measures, cybercriminals and hackers aren’t ones to give up easily, especially not as long as there’s money to be made in malware. Even still, some traditionally-popular forms of malware appear to be losing favor in 2018 and 2019, while other malware attack vectors gain favor. 

Signs currently point to hackers shifting their focus more toward discrete infections through IoT and email, with a continued focus on enterprise businesses and governments versus average web users, especially when it comes to ransomware infections.

Here’s a rundown of the most interesting malware statistics:

1. Some types of malware are on the decline

A collection of recent data and research points to a change in how consumers and businesses experience and receive malware. Enterprise security professionals reported a 7 percent decline in malware attacks in 2018 (31 percent of all attacks identified) in ISACA’s 2019 State of Cybersecurity survey. Meanwhile, Google’s data shows a rapidly declining number of malware-infected websites plaguing the web.

2. Traditional malware attack vectors taking a huge hit

In fact, the number of websites serving up malware is at its lowest point since 2007, according to Google’s Transparency Report. Instead, consumers are increasingly dealing with phishing websites that seek to glean passwords, credit card numbers, Social Security Numbers and other private information directly from visitors without requiring any direct malware downloads.

3. Phishing sites are now a popular attack method

Phishing sites are typically designed to look like the official version of other websites. PayPal is a commonly-mimicked site, for example, as gaining access to users’ PayPal credentials can be distinctly profitable for hackers. Banking and social media sites are also fairly common targets.

Read more: 70+ common online scams used by cybercriminals.

4. Google removing far fewer malware-infected sites

According to Google’s Transparency Report, 1.4 million websites made its list of “Sites Deemed Dangerous by Safe Browsing” category, as of February 24, 2019. The vast majority of those (over 1.3 million) were phishing sites. Only 51,000 of Google’s removed sites were delisted because of malware. That’s more than a 2,500 percent difference in favor of phishing sites, which have seen a year-over-year increase of over 85 percent. 

5. Google’s data shows a massive decrease in malware sites removed since 2017

Google’s transparency report data also marks a 91 percent decrease in the number of malware sites since a 2017 historical high.

malware facts and stats 2019
Source: Google

6. New malware variants decreasing year-over-year

SonicWall’s 2019 Mid-Year Threat Report confirms the shift. Although the security company noted 4.8 billion malware attacks occurred by the halfway point of 2019, that marked a 20 percent year-over-year decrease. By contrast, global malware volume hit 5.99 billion registered hits halfway through 2018. 

7. Symantec’s data confirms malware variant declines

Symantec also recorded a strong decline in malware. The security company found a 63 percent year-over-year decrease in new malware variants between 2017 and 2018. For its part, WatchGuard reported that zero-day malware accounted for 36 percent of all malware blocked in Q1 2019, almost no change year-over-year from 2017.

8. Despite a decrease in some malware threats, 2018 broke records

While Google, Symantec, ISACA, and SonicWall each identified decreasing malware threats in key areas, malware is still a major problem across the web in other forms. SonicWall registered a record-breaking 10.52 billion malware attacks in 2018, which accounts for all types of malware, including ransomware and cryptojacking tools, not just infected websites. 

9. Hackers increasing their use of infected emails targeted to businesses

Symantec found that hackers massively increased their use of infected Microsoft Office files. In 2018, 48 percent of malicious email attachments were infected Office files, up from just 5 percent in 2017. At a rate of 1 in every 323 emails per, small organizations with fewer than 250 employees were the most likely to receive malicious emails compared to larger organizations. Interestingly, organizations with between 1,001 to 1,500 workers are half as likely to receive malicious emails than organizations of any other size (larger or smaller).

10. “Formjacking” is a growing problem for websites

Symantec also noticed a stark rise in what’s known as “formjacking”, which BrightTALK calls the “breakthrough threat of 2019”. Formjacking occurs when hackers insert malicious Javascript into a website’s code that allows it to “skim” financial information from payment forms. Security researchers currently compare it to ATM skimmers, which attach to the card reader on ATM machines to skim the information from a credit card’s magnetic strip.

Malware facts and stats 2019
Source: Symantec

Symantec identified an average of 4,800 websites compromised with formjacking code each month in 2018. The security company also blocked 3.7 million formjacking attacks that year, highlighting the growing threat. There’s little data related to formjacking to draw upon prior to 2018, which helps indicate the rapid growth of this malware attack vector.

Overall, it appears cybercriminals have massively switched their tactics from trying to get web users to download malware directly from infected web pages and instead now prefer alternative malware delivery methods. Even formjacking, which is in effect a type of malware, doesn’t require the user to download a file. Hackers appear to now prefer more discrete methods.

11. “Cryptojacking” is a new favorite among cybercriminals

Malware designed to steal personal information often carries a low rate of return for cybercriminals. Consequently, cryptocurrencies have opened up a new venture, as many cybercriminals now discretely mine Bitcoin and other blockchain currencies through malware-infected devices. 

Illegal cryptojacking malware is a major problem for both consumers and businesses using IoT devices running Linux. Many such devices are easily discoverable and simple to hijack over the web due to limited security measures.

Symantec blocked 4 times as many cryptojacking attempts in 2018 than in 2017, showing the shifted focus on surreptitious installation and usage of victim’s computers to mine crypto. However, as cryptocurrency values dropped 90 percent between 2017 and 2018, the amount of cryptojacking events also dropped by over 50 percent. That data was confirmed by SonicWall, which also recorded a notable dip in cryptojacking hits in 2018 as Bitcoin and other cryptocurrency values fell. 

12. As cryptocurrencies rebounded, so did cryptojacking

The recovery of cryptocurrency values in the first half of 2019 was marred by a substantial rise in cryptojacking hits, which primarily come through malware.

malware stats and facts 2019
Source: SonicWall

The chaotic ups and downs in cryptojacking activity highlight just how much cybercriminals respond to market demands. Malware has always been about achieving the best possible outcome (stolen information and money) with the least amount of effort. An increase in the use of website malware blocking technologies is why phishing sites are far more popular, but cryptojacking also makes for an easy money-making venture for cybercriminals who, for all intents and purposes, follow the same principle as Wall Street brokers: “buy low, sell high”.

13. A popular third-party Kodi addon spread cryptomining code

Most cryptojacking is widespread but small-scale, but there are some instances where major hits make the news. For example, in September 2018, security company ESET found a popular, unofficial third-party Kodi addon had been hijacked to create a cryptomining botnet out of its users. The addon developer was able to push the malware to unsuspecting users without their knowledge by abusing a key function built into Kodi (users can push plugin updates through the software, so long as users have it allowed in their settings).

Kodi is a free and legal open-source media player. Among the most popular Kodi plugins are those used to access unofficial and often copyright-infringing content. Unofficial Kodi addons outside of the official Kodi Addon Repository always carry a significant hijacking risk, even if that risk doesn’t always materialize into a hack.

In response to the bitcoin botnet event, the Kodi community went into a bit of an uproar. TVADDONS, a well-known third-party Kodi addon development team, even launched an addon called No-Coin designed to scan other addons for cryptomining code. 

14. The City of Baltimore suffered a major ransomware attack we’re still talking about

In May, news reports rolled in covering the Baltimore City government’s painstaking (and embarrassing) efforts to recover from a major ransomware infection. It took Baltimore City’s government 36 days to loosen hackers’ grip on its data, and even longer to fully recover all of the systems that were locked down. The city spent over $18 million recovering from the attack.

Although—to our knowledge—Baltimore did not pay a dime of that money to the hackers who held the city’s files hostage, many ransomware victims do choose to pay instead of eating such high costs associated with recovery.

As with most malware, ransomware isn’t a guaranteed income source for cybercriminals, but it’s far more successful than most traditional malware attempts. As a result, some ransomware avenues are still on the rise in 2019, even as security companies develop more effective mitigation methods and tools. 

15. Enterprises are the main target for ransomware

Symantec noted a 12 percent increase in enterprise ransomware in 2018, for example, although it also recorded a 20 percent decline in ransomware overall that year. The company also identified a 33 percent rise in mobile ransomware, which highlights a new trend of criminals targeting mobile users with file-encrypting malware.

16. The “Cerber” ransomware family is leading the rise in ransomware attacks

Other reports show as little as a 15 percent increase in ransomware attacks in the first half of 2019, and up to a 105 percent year-over-year increase with the Cerber family of ransomware identified as the largest group. SonicWall also noted nearly 40 million Cerber hits in the first half of 2019. Comparatively, the volume of Cerber-family ransomware hits soared to over 101 million in 2018. The next closest ransomware family in 2018, BadRabbit, had fewer than 8 million hits the whole year. 

malware stats and facts

17. Ransomware payment demands are increasing in size

One of the biggest reasons hackers appear to prefer ransomware versus more traditional viruses and malware is because of the payoff. Ransomware payments are now totaling around $1 billion per year, making them far more lucrative than traditional malware operations. Ransomware is so financially-viable, in fact, that hackers have upped the amounts they’re asking for in ransom payments. According to Beazley, the criminals’ asking price for ransomware removal increased 93 percent in Q1 2019. 

18. Cerber takes the lead in hackers’ favorite ransomware tool

Notably, Cerber is part of what’s known as “Ransomware as a Service” or RaaS. Cybercriminals can hire others to launch attacks using the Cerber malware, and receive around 40 percent of the paid ransom. In 2017, SophosLabs investigated 5 RaaS kits and found that some can be extremely inexpensive (less than $40), while others can exceed several hundred dollars to purchase and employ. However, they’re highly customizable, and hackers appear to operate their ransomware services with a surprising degree of professionalism.

Malware projections for 2019 and 2020

Based on what we’ve seen so far in 2019, we can expect to see a few key takeaways for the remainder of the year and into 2020:

  • Malware-infected sites will likely continue to fall out of favor and decrease in volume
  • Cybercriminals will continue to target smaller enterprises with malware versus larger organizations
  • The demanded ransomware payment amount will continue to increase
  • Formjacking may continue to increase, although security professionals may start paying more attention and stem its growth into 2020
  • The cryptojacking threat to IoT devices will grow, in no small part thanks to the growing number of unsecured IoT devices that consumers purchase in ever-increasing numbers

There’s no telling what new threats may emerge, and how the malware landscape may shift. As major security companies have reported in the past, a fair amount of activity tends to increase in Q4 in most years, which is often associated with the holiday shopping season. As ever, hackers tend to be reactive instead of proactive, going low hanging fruit whenever possible, or easily-exploited vulnerabilities in systems where they can be found. Their tactics tend to change only when their efforts become unprofitable. 

It’s also hard to ignore the ever-present danger posed by state-sponsored malware attacks, which are rarely profit-driven and tend to be politically-motivated. Such attacks will likely increase into 2019 and 2020, with all eyes on China, Russia, and North Korea, and a keen focus toward the US as the 2020 election season rolls in.

See also:
300+ Terrifying Cybercrime Statistics
Encyclopedia of common computer viruses and other malware