The threat of ransomware is rapidly increasing.
According to Verizon's 2017 Data Breach Investigations Report, ransomware was the fifth most common form of malware in 2016, rising from a position of 22nd in 2014. In fact, since 2016, over 200 new ransomware families have emerged. Further, a recent BitSight Insights report found that instances of ransomware more than tripled—and in some cases increased tenfold—for many industries between July 2015 and July 2016.
These daunting statistics indicate just how important it is to pay attention to ransomware. Below, we’ve outlined what’s led to its proliferation, as well as eight ransomware attack examples you should be paying attention to and four things you can do to combat ransomware attacks.
As ransomware continues to become more prevalent, here’s a question worth considering: “What makes ransomware such a common form of malware?”
The answer comes down to money and time.
Ransomware attacks are significantly faster and cheaper to carry out—than any many other cyber models, and have a much higher payout.
Take a banking trojan operation for example. Prior to ransomware, banking trojans were the most common form of malware. The banking trojan business model is extremely complex and requires many people to play many roles—quite like an organization with a CEO, CTO, CFO, etc. The top technical individuals, referred to as Controlling Coders, set up an infrastructure that allows infected bots to communicate with them, receive orders, perform actions, and exfiltrate information. The drop organizers mine the exfiltrated information and steal bank account details to send the funds to bank accounts managed by individuals they’ve hired (known as “Mule Herders”). The Mule Herders then withdraw those funds and send them back to multiple accounts run by Drop Organizers. This scheme of money laundering takes a lot of profit away from the Controlling Coders because they have to split the earnings with everyone else involved in the cashout of stolen funds.
The ransomware business model has a number of benefits over banking trojans and other forms of malware:
Ransomware encrypts data on a server, workstation, or mobile device, and demands a ransom via a cryptocurrency like Bitcoin. But not all ransomware is financially motivated—some is primarily intended to cause an operational disruption on a network. Below, are eight real-life ransomware examples that are regularly used—and extremely dangerous.
1. Locky first appeared in February 2016 and is now one of the most distributed forms of ransomware. In late 2016 it became so proliferate that it was named one of the three most common forms of malware. There are distribution campaigns of Locky via email almost every day.
2. Troldesh is mostly distributed in Russia and European countries. It is not prevalent in the U.S.
3-5. GlobeImposter, Philadelphia, and Cerber are all ransomware threats using the “Ransomware as a Service” (RaaS) model. While some cyber criminals make and distribute their own ransomware, some have begun to provide a software package—complete with ransom note customization—to other cyber criminals for a fee.
Interestingly, some of the biggest ransomware names of 2017 are believed to be motivated by operational disruption or systemic harm, not financial gain. Two recent attacks used a single Bitcoin wallet to collect ransom, placing greater emphasis on the disruption itself rather than payment collection; this tactic also makes it impossible for the distributor to know which victims actually paid the ransom requested.
6. WannaCry is a wormable ransomware that spreads like a virus. Interestingly, it only collected a bit over $100,000 dollars total, quite a small sum considering its global spread. To that point, between May 12 and May 15, 2016, WannaCry was observed on over 160,000 unique IP addresses. (Read more about the global impact of WannaCry in this article.)
7. NotPetya used a compromised accounting software provider as its initial point of distribution, and impacted many Ukrainian companies. But NotPetya didn’t stop in Ukraine. Multinational companies with arms in Ukraine were compromised as well. While NotPetya was also not believed to be financially motivated, it did impact the bottom line of some large companies. According to this Insurance Journal article, “Package delivery company FedEx Corp. said on Tuesday a June [NotPetya] attack on its Dutch unit slashed $300 million from its quarterly profit, and the company lowered its full-year earnings forecast. The company said the cyber attack slashed 79 cents per share from its profit.”
8. Bad Rabbit is a variant of NotPetya that was also primarily distributed in Ukraine and Russia to a number of major corporations. NotPetya and Bad Rabbit share the same code, indicating that the same group is responsible for both ransomware examples. But unlike NotPetya, Bad Rabbit uses unique Bitcoin wallets for every victim. For this reason, the motivation behind these attacks is unclear.
Law enforcement has had a difficult time fighting ransomware because of the sheer volume of ransomware operations, and the fact that the operations themselves are difficult to track. Banking trojans, for example, leave a larger footprint due to the number of steps that must be taken. Additionally, because so many more people are involved in a banking trojan operation, law enforcement can often scoop up and flip the smaller players to go after the larger players; this isn’t the case with ransomware.
There are tools designed specifically to combat ransomware. The No More Ransom Project—founded in 2016 by the Dutch Police, Europol EC3, Kaspersky, and McAfee, and in partnership with over 100 other organizations worldwide—has helped decrypt 28,000 devices and covers over 100 ransomware families. It is also helping to educate individuals and organizations about ransomware.
If your organization is infected with a ransomware attack, the immediate question is usually “Should we pay?” We—along with the No More Ransom Project and various governmental agencies—do not recommend paying the ransom. This simply confirms the ransomware business model and encourages the cycle to continue.
There are several things you can do if your network is infected:
For additional data on the rise of ransomware, download this BitSight Insights report. It highlights how ransomware infections have grown, the industries that have exhibited the most ransomware infections, and how businesses can help mitigate the threat of ransomware.
Request your Security Rating Snapshot report to see how your security posture compares to industry averages. Ge insight into the risk vectors of your security posture including compromised systems, user behavior, and diligence vectors such as patching cadence, configurations, and more.
