Part 1. PC ransomware: From blockers to crypto-ransomware
One doesn’t need to look at the statistics to see that ransomware is once again a major problem for Internet users. You only need to read or watch the news. Nevertheless, the statistics help to show how big the problem is and whether there are aspects to the problem that you won’t learn from yet another news story about yet another ransomware infection.
The total number of users who encountered ransomware over the12 month period from April 2015 to March 2016 grew by
17.7% in comparison to the previous year: April 2014 to March 2015 – from
1,967,784to 2,315,931 users around the world
The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware rose 0.7 percentage points, from
3.63% in 2014-2015 to
4.34% in 2015-2016.
The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24 month period covered by the report. The prevalence of ransomware has been sporadic, rising and falling every few months. The rise in the use of crypto-malware has been more consistent: showing a steady increase in the number of attacked users, particularly from March 2015, before peaking in December 2015. Interestingly enough, from October 2015, all other types of ransomware were declining dramatically in number and by the turn of the year just a very small number of users encountered old school blockers and other non-encrypting ransomware.
The decline did not last long. In February 2016, both categories started to recover from the dramatic fall in January, and numbers continue to rise.
The behavior of ransomware does not reflect overall attack trends. To discover the possible reasons behind the peaks and troughs we need to look deeper into the ransomware attack statistics.
The first main spike in the period under investigation was registered in July 2014 with more than 274 thousand users encountering some form of ransomware. The main reason for this surge was the Trojan-Ransom.JS.SMSer.pn, a browser-locker that attacked more than one-in-three (31%) those affected by ransomware that month. Encryptors were encountered by one-in-ten (11.63%) of all those who faced malware from the Trojan-Ransom category.
The next peak was registered in April 2015, when 282.5 thousand users were attacked with ransomware. This was provoked by several groups of malware, and about 10% of those affected encountered encryption ransomware.
October 2015 saw ransomware achieve an all-time-high with more than 428.4 thousand users attacked. Of those affected, 9.38% were hit with encryption ransomware. In March 2016, when another surge of ransomware attacks took place, the situation was very different: over half (51.9%) of those who encountered Trojan-Ransom malware were dealing with encryptors. This was mostly due to the activity of a small number of ransomware groups led, among others, by the infamous TeslaCrypt encryption ransomware.
The results for April and May 2016 – although beyond the scope of this report – confirm this trend: encryption ransomware affected 54% of attacked users in April 2016 and 35.7% in May, still well above the average for the previous 12 months.
Main actors of encryption ransomware
Looking at the malware groups that were active in the period covered by this report, it appears that a rather short list of suspects is responsible for most of the trouble caused by crypto-ransomware. In the first period, from April 2014 to March 2015, the most actively propagated encryptors were the following groups of malware: CryptoWall, Cryakl, Scatter, Mor,
CTB-Locker,
TorrentLocker, Fury, Lortok, Aura, and
Shade. Between them they were able to attack 101,568 users around the world, accounting for 77.48% of all users attacked with crypto-ransomware during the period.
A year later the situation had changed considerably.
TeslaCrypt, together with CTB-Locker, Scatter and Cryakl were responsible for attacks against 79.21% of those who encountered any crypto-ransomware.
Interestingly, in 2015-2016 the “Others” category decreased to 2.41% of attacked users while a year earlier it had accounted for 22.55%. This drop could be a sign of the development of criminal-to-criminal infrastructure. Instead of developing their own, unique crypto-ransomware, criminals started to purchase off-the-shelf, ready-to-use malware. You can read more about this process in the “How it is done” section of this report. But before that, let’s see what kind of users the malicious actors behind ransomware were after.
Type of users attacked with ransomware
Most ransomware attacks are directed at home users. That was the case with the 2010-blockers epidemic in post-soviet territories, and also for the first period covered by this report. 93.2% of the users who encountered ransomware were users of home products, while the remaining 6.8% were corporate users. In the second period, however, the share of corporate users attacked with ransomware more than doubled to 13.13%, a rise of over 6 percentage points. All “thanks to” encryption ransomware.
When looking at crypto-ransomware, the situation is different: throughout the 24 months covered by the report the share of corporate users attacked with encryptors remained steady at about 20% (rising only slightly to 22.07% in 2015-2016). But this apparent stability is not reflected in the actual numbers.
The number of corporate users attacked with crypto-ransomware increased nearly six-fold (5.86 times): from 27 thousand in 2014-2015 to 158.6 thousand in 2015-2016, with home users hit nearly as hard: up 5.37 times.
