- Sep 22, 2014
The data was gathered by Fortinet using its Intrusion Prevention System (IPS). The company logged traffic from infected machines to IP addresses known to belong to ransomware C&C servers.
The information Fortinet collected does not indicate the number of infected victims; it quantifies only the volume of traffic exchanged between infected machines and their C&C servers.
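The distinction the article draws, connections logged versus victims infected, is easy to see when the aggregation is done by hand. The following is an added example, not Fortinet's code or data: it parses a constructed IPS export (timestamp, source host, destination IP, port), matches destinations against a constructed table of C&C addresses labelled by family, and reports both the share of connections and the number of distinct source hosts per family. The log lines, the address-to-family table and the field layout are all assumptions made for illustration.

```python
"""Aggregate IPS hits to known ransomware C&C addresses by family.

Added example, not Fortinet's code. The log lines and the C&C address
table below are constructed for illustration (documentation-range IPs);
real indicator feeds and IPS export formats will differ.
"""
from collections import Counter, defaultdict

# Constructed mapping of known C&C addresses to the family that uses them.
C2_FAMILY = {
    "192.0.2.10": "CryptoWall",
    "192.0.2.11": "CryptoWall",
    "198.51.100.5": "Locky",
    "203.0.113.7": "TeslaCrypt",
}

# Constructed IPS export: one connection per line.
# Fields: timestamp, source host, destination IP, destination port.
SAMPLE_LOG = """\
2016-02-20T10:00:01Z 10.1.1.5 192.0.2.10 443
2016-02-20T10:00:04Z 10.1.1.5 192.0.2.10 443
2016-02-20T10:00:09Z 10.1.1.5 192.0.2.11 443
2016-02-20T10:01:00Z 10.1.1.9 198.51.100.5 80
2016-02-20T10:01:30Z 10.1.1.9 198.51.100.5 80
2016-02-20T10:02:00Z 10.1.2.3 198.51.100.5 80
2016-02-20T10:03:00Z 10.1.3.1 203.0.113.7 80
2016-02-20T10:03:10Z 10.1.1.5 8.8.8.8 53
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def summarize(log_text, c2_family):
    """Return ({family: {connections, share_pct, distinct_hosts}}, total).

    Only connections whose destination is a known C&C address are counted,
    so `total` is the denominator for the percentage shares, exactly as a
    "share of all C&C connections" figure would be computed. Destinations
    not in the table are ignored rather than lumped into an unknown bucket.
    """
    connections = Counter()
    hosts = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        family = c2_family.get(rec["dst"])
        if family is None:
            continue
        connections[family] += 1
        hosts[family].add(rec["src"])

    total = sum(connections.values())
    if total == 0:
        return {}, 0  # no matches at all: avoid dividing by zero
    report = {
        fam: {
            "connections": n,
            "share_pct": round(100.0 * n / total, 2),
            "distinct_hosts": len(hosts[fam]),
        }
        for fam, n in connections.items()
    }
    return report, total


if __name__ == "__main__":
    report, total = summarize(SAMPLE_LOG, C2_FAMILY)
    print(f"{total} connections to known C&C addresses")
    for fam, row in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        print(f"{fam:<11} {row['connections']:>3} conns "
              f"{row['share_pct']:>6.2f}%  {row['distinct_hosts']} host(s)")
```

On the constructed data CryptoWall and Locky tie at three connections each, yet CryptoWall's traffic comes from a single host while Locky's comes from two. That is the point the article makes about Fortinet's figures: a connection share says how chatty a family's infections are, not how many machines are infected.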
Fortinet found that between February 17, when the Locky ransomware was first spotted, and March 2, exactly two weeks later, the most active ransomware campaign belonged to the CryptoWall family, which accounted for 83.45% of all connections.
There is no surprise in finding CryptoWall at the number one spot. CryptoWall is an old and battle-tested ransomware family, also sold to affiliate groups. Many crooks trust it because of its efficiency and constant updates that allow it to avoid being cracked by security researchers.
Locky usage skyrockets as it takes over Dridex botnet
The surprise was at the number two spot, where Locky, despite being only two weeks old, accounted for 16.47% of the 18.6 million logged connections.
The reason behind this meteoric rise is that Locky replaced the Dridex banking trojan as the payload of a well-oiled spam operation that has been active for two years and is run by professional malware operators.
Last in Fortinet's top 3 is TeslaCrypt, which surprisingly accounted for only 0.08% of all connections, despite a strong start to the year, when a massive campaign saw its operators hijack countless WordPress and Joomla sites to distribute their ransomware.
Fortinet says that most victims of these three ransomware families are found in the US, but that Japan, Canada, and Mexico are affected in large numbers as well.
[Figure: Distribution of CryptoWall, TeslaCrypt and Locky IPS hits]