Kaspersky: Ransomware Modifications on the Rise
The number of new ransomware modifications more than doubled during the second quarter compared to the same quarter of last year, along with a high number of infection attempts.
That’s according to Kaspersky’s IT Threat Evolution Q2 2019 report. The company’s researchers detected more than 16,000 new ransomware modifications during the quarter, including ones belonging to eight new malware families.
Fedor Sinitsyn, security researcher at Kaspersky, tells us the malware modifications mentioned in the report are essentially different samples of malware encountered in the wild.
“Every day our systems discover and detect numerous new malicious executable files,” he said. “The criminals behind those files constantly modify the code of their trojans in the hopes of evading detection by security solutions. Such efforts lead to the generation of a multitude of new previously unknown samples of malware and we refer to them as modifications in different malware families.”
These trojans encrypt files on a user’s computer and demand a ransom for the files to be released. The increase in malicious modifications and the appearance of new families is a dangerous sign that criminal activity is intensifying, with new malware versions emerging, according to Kaspersky.
With the number of ransomware modifications growing, it’s crucial for MSSPs and other cybersecurity providers to provide adequate proactive detection for their customers, Sinitsyn said.
“A simple hash-based blacklist would not suffice in today’s reality,” he said. “A security solution needs to be able to recognize malicious behavior patterns in runtime and to detect previously unknown variants of ransomware in order to offer protection from this type of threat.”
According to Kaspersky data, nearly 232,300 unique users were targeted by infection attempts, 46% more than a year ago. The ransomware family that attacked users most often was still WannaCry. Even though Microsoft released a patch for its operating system to close the vulnerability exploited by the ransomware two years ago, it still remains in the wild.
Another major actor was GandCrab, with a 13.8% share, despite its creators announcing that GandCrab would no longer be distributed from the second half of the quarter.
One popular ransomware propagation method is insufficiently secured remote desktop protocol (RDP) access, Sinitsyn said.
“If an organization’s network is configured to allow outside connections from the internet via RDP and if the passwords for Windows accounts used by the employees are not secure enough, cybercriminals might be able to obtain the credentials using a dictionary-based or a brute-force attack, and intrude the corporate network,” he said. “In many cases such a breach results in a ransomware infection. This means that securing the remote access systems used by the employees is of critical importance in today’s circumstances.”
More traditional infection techniques, such as malicious spam attachments, malware embedded in advertisements and exploit kits, are still widely used by criminals to spread ransomware, so installing software updates, using an up-to-date security solution and educating employees about security risks remain priorities, Sinitsyn said. And, as always with ransomware, a reliable backup schedule for important data is crucial, he said.
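The RDP exposure described above is something a defender can watch for in the logs of the remote access systems themselves. As an added example that is not from Kaspersky or this article, the following Python flags source addresses that repeatedly fail RDP logons in Windows Security event records; the record layout, the thresholds and the sample records are constructed assumptions.

```python
"""Flag password guessing against exposed RDP in Windows Security log records.
Added illustration, not Kaspersky's code; the record layout is a constructed,
simplified one: "timestamp|event_id|logon_type|account|source_ip"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails against five accounts in five seconds
# (4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP); a real
# user mistypes once and then succeeds (4624); a local console failure (type 2).
SAMPLE_LOG = """\
2019-06-03T02:00:01|4625|10|administrator|203.0.113.7
2019-06-03T02:00:02|4625|10|admin|203.0.113.7
2019-06-03T02:00:03|4625|10|jsmith|203.0.113.7
2019-06-03T02:00:04|4625|10|backup|203.0.113.7
2019-06-03T02:00:05|4625|10|sqlsvc|203.0.113.7
2019-06-03T09:15:00|4625|10|jsmith|198.51.100.20
2019-06-03T09:15:30|4624|10|jsmith|198.51.100.20
2019-06-03T09:20:00|4625|2|jsmith|127.0.0.1
"""

def parse(log):
    """Yield (time, event_id, logon_type, account, source_ip) per non-empty record."""
    for line in log.splitlines():
        if line.strip():
            ts, eid, ltype, account, ip = line.split("|")
            yield datetime.fromisoformat(ts), int(eid), int(ltype), account, ip

def find_rdp_bruteforce(log, window=timedelta(minutes=5), max_failures=5, max_accounts=3):
    """Return {source_ip: (failures, distinct_accounts)} for sources that, inside one
    sliding `window`, fail RDP logon `max_failures` times or against `max_accounts`
    distinct names (the spraying pattern). Only 4625 with LogonType 10 is counted."""
    failures = defaultdict(list)
    for ts, eid, ltype, account, ip in parse(log):
        if eid == 4625 and ltype == 10:
            failures[ip].append((ts, account))
    flagged = {}
    for ip, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1              # drop failures older than the window
            recent = items[start:end + 1]
            names = {account for _, account in recent}
            if len(recent) >= max_failures or len(names) >= max_accounts:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(recent), len(names)))
    return flagged
if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': (5, 5)}
```

The single mistyped password from 198.51.100.20 and the console failure on 127.0.0.1 are not flagged, which is the point of counting only repeated RDP failures rather than every 4625 event.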
Other findings include:
- Attempted malware infections that aim to steal money via online access to bank accounts were registered on more than 228,200 user computers, a 6% increase over the second quarter of 2018.
- Kaspersky’s file antivirus detected more than 240.7 million unique malicious and potentially unwanted objects, up 25% from the year-ago quarter.
- Kaspersky mobile security products also detected 753,550 malicious installation packages, down 57%.
Earlier this month, Vectra disclosed that cybercriminals’ most effective weapon in a ransomware attack is the network itself, which enables the malicious encryption of shared files on network servers, especially files stored in IaaS cloud providers.