Ransomware: CryptoLocker Was Just the Beginning

Stories about hospitals and other institutions shut down by ransomware have been making headlines in recent months. According to CNN, the FBI estimated that cybercriminals would collect over $1 billion in ransoms during 2016. In fact, the losses suffered by organizations were likely higher, due to the disruption of productivity and business continuity, as well as the general reluctance of organizations to report ransomware incidents.

Webroot expects ransomware to become an even larger problem in 2017. The Webroot Threat Research team closely monitors ransomware, and has identified the most important ransomware trends of 2016—and predicted several likely 2017 trends.

The first trend is the rise of Locky, the most successful ransomware of 2016. In its debut week in February, it infected over 400,000 victims, and the experts at SmartData Collective estimated it has earned more than $1 million a day since then. Locky was one of the first ransomware variants to encrypt unmapped network drives, which has been particularly devastating to small businesses. Initially, Locky propagated through email attachments containing macros that downloaded and executed the ransomware. Locky shows no signs of slowing down, and will likely be just as prolific in 2017.

Another important trend to note is frequent changes in the exploit kits used by ransomware. For example, in the first half of 2016 most exploit kit ransomware was distributed using Angler or Neutrino. But in May, Webroot saw a huge drop in Angler-based ransomware—and by early June it had virtually disappeared. Cybercriminals who were using Angler began switching to Neutrino, enabling the Neutrino authors to double their kit’s price due to lack of competition.

A few months later this volatility in the exploit kit landscape was reinforced when Neutrino followed in Angler’s footsteps and disappeared. At the end of 2016, the most commonly used exploit kits were variants of Sundown and RIG, the majority of which support Locky.

The final trend to know about is ransomware-as-a-service (RaaS). Although RaaS emerged in 2015, it wasn’t until 2016 that it took hold in the ransomware landscape. RaaS enables just about anyone to create their own ransomware and generate customized attacks. Ransomware-as-a-service offerings are similar to legitimate software, with frequent updates and utilities to help ransomware distributors get the most from their service. The availability and ease of RaaS is likely to mean even greater growth in ransomware incidents.

For more information about ransomware and why MSPs hit with ransomware switch to Webroot SecureAnywhere Business Endpoint Protection, download your free copy of the Webroot 2017 Threat Report here.

Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.