The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat?
Unfortunately, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals otherwise.
Ransomware was arguably the biggest security story of 2016. It certainly was one of the most prevalent threats. Our monitoring of the ransomware ecosystem in 2016 shows:
- Every quarter, more than 500 million emails sent by spam campaigns carry ransomware downloaders that attempt to install ransomware on computers
- These ransomware downloaders found their way into 13.4 million computers
- On the other hand, 4.5 million computers were exposed to the Meadgive and Neutrino exploit kits, whose primary payload is ransomware
- All in all, the ransomware payload of these spam and exploit kit campaigns were observed in 3.9 million computers in 2016
The impact of ransomware attacks extended beyond consumers as businesses and the public sector fell victim to the threat. Mainstream news coverage of attacks, including stories of a California hospital paying ransom to restore important medical files and the interruption of the San Francisco transport system, injected ransomware deeper into mainstream consciousness. In September, a Europol report cited ransomware as the biggest cyber threat, overtaking data-stealing malware and online banking trojans.
Interestingly, data from Windows Defender Antivirus shows an interesting trend: after peaking in August, when 385,000 encounters were registered, ransomware encounters dropped almost 50% in September, and it has continued to decline.
Figure 1. Monthly encounters of ransomware payload files, excluding downloaders and other components; some industry figures combine the two
Does this trend signal that we are seeing the end of ransomware? A look at other areas of the ransomware ecosystem reveals otherwise.
(Note: This blog post is the second in the 2016 threat landscape review series, following a review of exploit kits. The series looks at how major areas in the threat landscape are evolving. In future blogs, we will look at how support scam malware and macro malware transformed in the past year.)
Ransomware blocked before arrival
To understand if ransomware is on the decline, we need to look at other areas of the infection chain, starting with attack vectors. Windows Defender Antivirus data and our research on ransomware downloaders—the primary ransomware attack vector in 2016—tell a different story.
Trojan downloaders distributed via email campaigns
Downloader trojans like Nemucod and Donoff install ransomware on target computers. Often taking the form of documents or shortcut files, these downloaders are distributed via email campaigns that use various social engineering tactics.
There wasn’t a decline in the volume of emails that carry these ransomware downloaders. In the last quarter of 2016, we saw 500 million such emails. The downloader trojans ended up in at least one million computers every month in the same period. Clearly, cybercriminals have not stopped trying to infect computers with ransomware. In fact, up until the very end of 2016, we witnessed Nemucod email campaigns delivering Locky and Donoff campaigns delivering Cerber.
Figure 2. While ransomware encounters showed a significant decline at the end of 2016, encounters of ransomware downloaders was higher on average in the second half compared to the first half
Clearly, the decline in ransomware encounters was not for lack of trying by cybercriminals. We’re still seeing huge volumes of email carrying ransomware downloader trojans. However, ransomware infections were blocked at this entry point. This is an interesting development, because in 2016 we saw ransomware operators shift from exploit kits to email as their preferred infection vector.
The Neutrino exploit kit was used to install Locky ransomware in computers. We saw Neutrino use increase in the middle of 2016, filling in the hole left by the Axpergle (aka, the Angler exploit kit) when it disappeared in June. Apparently, Neutrino started scaling down in September as its operators reportedly went private, opting to cater to select cybercriminal groups.
Another popular exploit kit, Meadgive (aka, the RIG exploit kit), primarily delivered Cerber ransomware. In 2016, we saw the use of Meadgive steadily increase, as it became a top exploit kit used to deliver malware. As late as December 2016, we detected a Meadgive campaign distributing the latest version of Cerber, primarily in Asia and in Europe.
Although the usage of exploit kits is falling, we continue to see ransomware using exploit kits to infect computers. This is because ransomware campaigns can use exploits to elevate privileges and run potentially harmful routines with fewer restrictions.
Attackers continue to innovate
Another indication that we have not seen the end of ransomware are the numerous innovations in malware code we observed in 2016. Cybercriminals are continually updating their wares. For instance, toward the end of 2016, we documented significant updates to the latest Cerber version.
These improvements in malware code are cascaded in attacks via ransomware-as-a-service, which provides a business model that makes the latest versions of ransomware available for cybercriminals in underground forums. This business model makes it easier for cybercriminals with the resources and motivation to launch attacks.
The following are some of the improvements in ransomware behavior we saw in 2016.
The discovery of Samas ransomware in early 2016 cemented ransomware as a major problem for commercial companies. With ransomware that specifically targeted servers, IT administrators not only needed to protect endpoints, they also had to ramp up their server protection.
Samas campaigns exploited server vulnerabilities. The campaigns searched for vulnerable networks using pen-testing tools and deployed various components to encrypt files on servers.
Zcryptor exhibited a capability to spread, demonstrating that some ransomware didn’t need to rely on campaigns to move from endpoint to endpoint. It identifies network drives, logical drives, and removable drives that it can use to spread. Only a few days into 2017, Spora was discovered sporting similar behavior.
Alternative payment and contact methods
Traditionally, ransomware demanded that victims pay in Bitcoin through underground websites in the Tor network. In what appeared to be a response to lower rates of ransom payment, cybercriminals began to explore new ways of encouraging victims to pay.
Spora went the “freemium” route – victims can decrypt a couple of files for free, or a set of files for a lower ransom, presumably to show that the decryptor works.
Evolving social engineering tactics
In 2016, most ransomware started displaying a countdown timer. This can pressure victims into immediately paying ransom fearing they risk permanently losing access to their files.
When Cerber came out in March, it created waves because in addition to the usual ransom note in text and HTML formats, a VBScript converted text into an audio message demanding ransom, prompting researchers to call Cerber the “ransomware that speaks”.
Another ransomware, CornCrypt, offered to decrypt files for free if the victim infected two other users, hoping to get the snowball effect rolling. Ultimately, the more victims there are, the higher the likelihood of finding victims who are willing to pay.
Young ransomware families are on top
The threat of ransomware will likely continue as seen in the number of ransomware new families being released in the wild. Of the more than 200 active ransomware families that we track, about 50% were first discovered in 2016.
Most of these new ransomware families use encryption ransomware. This type of ransomware has eclipsed the older lockscreen ransomware, which simply locks the computer screen without encrypting files.
In 2016, we saw multiple ransomware families that used new methods and techniques. However, the top five ransomware families accounted for 68% of all ransomware encounters in 2016.
Figure 3. Cerber and Locky, both discovered in 2016, were the top ransomware of the year
Interestingly, the top two ransomware families were discovered only in 2016.
Cerber was discovered in March 2016 and got its name from the extension name it used on encrypted files. From March to December, it was observed in more than 600,000 computers.
Cerber is being offered in underground forums as ransomware-as-a-service, allowing attackers to launch ransomware campaigns without actually writing malware code. Most of its behaviors are controlled by a configuration file.
The latest version of Cerber encrypts almost 500 file types. It is known to prioritize certain folders when searching for files to encrypt.
Cerber primarily arrives via email campaigns that spread the Donoff downloader, a malware that downloads Cerber.
Figure 4. Cerber encounters dropped dramatically starting September, but encounters of Donoff, which downloads Cerber, started to increase in December
Cerber is also known to use Meadgive or the RIG exploit kit to infect computers. Meadgive was the top exploit kit by end of 2016.
Locky registered the second most encounters in 2016, at more than 500,000. It was discovered in February and similarly got its name from the extension name it used on encrypted files. It has since used other extension names, including .zepto, .odin, .thor., .aeris, and .osiris.
Just like Cerber, multiple campaign operators subscribe to Locky as a ransomware-as-a-service. It contains code for its encryption routine, but it can also retrieve encryption keys and ransom notes from a remote server before encrypting files.
Locky campaigns initially used the Neutrino exploit kit to infect computers, but later campaigns used email messages carrying Nemucod, which downloaded and executed Locky.
Figure 5. Nemucod encounters in the second half of 2016 remained steady, even though Locky encounters dropped dramatically in the same period
Ransomware as a global threat
Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters.
Figure 6. Ransomware was observed in over 200 territories
In the US, Cerber registered the biggest number of encounters. Cerber was so big in the US that 27% of all encounters in the world were recorded there. Locky, the other major ransomware discovered in 2016, was the second most widespread ransomware family in the US.
Italy and Russia show a different picture with older versions of ransomware being more prevalent. In Italy, Critroni, a ransomware that has been around since 2014, was the most prevalent. When Critroni first came out, its ransom note was in both English and Russian. Newer versions have added more European languages, including Italian.
Troldesh, discovered in early 2015, was top in Russia. After encrypting files, Troldesh modifies the desktop wallpaper to show a message in both Russian and English. It asks victims to email the attackers for payment instructions.
Figure 7. Countries with the most ransomware encounters—US, Italy, Russia, Korea, and Spain—are affected by different ransomware families, possibly as result of localized campaigns
Conclusion: an evolving menace requires evolving solutions
Even though there is a dip in overall ransomware encounters, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals that we have not seen the end of this multi-component threat.
Microsoft has built and is constantly enhancing Windows 10 to arm you with protection components built directly into the operating system itself.
Preventing ransomware infections
Most ransomware infections begin with email messages that carry downloader trojans. This is the primary vector that cybercriminals use to install ransomware. Office 365 Advanced Threat Protection has machine learning capability that blocks dangerous email threats, such as the millions of emails carrying ransomware downloaders that spam campaigns send.
Some ransomware arrive via exploit kits. Microsoft Edge can protect against ransomware by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.
Device Guard can lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing ransomware and other dangerous software from executing.
Ransomware authors may be some of the most prolific malware creators, introducing new families and continuously updating existing ones. They can also get creative in exploiting attack vectors to install ransomware in your computer.
Windows 10 helps to immediately detect ransomware attacks at the first sign. Windows Defender Antivirus helps detect ransomware, as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.
Windows Defender Antivirus is built into Windows 10 and, when enabled, provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.
Responding to ransomware attacks
Windows Defender Advanced Threat Protection (Windows Defender ATP) alerts security operations teams about suspicious activities. These include alerts for PowerShell command execution, TOR website connection, launching of self-replicated copies, and deletion of volume shadow copies. These are behaviors exhibited by some ransomware families, such as Cerber, and could be observed in future ransomware.
Windows Defender ATP can be evaluated free of charge.
Even more protection in Windows 10 Creators Update
On top of these existing protection features, more security capabilities will be provided with Windows 10 Creators Update. These include Windows Defender Antivirus and Office 365 integration to create a layered protection that can help to further shrink email as an attack surface.
Windows Defender Antivirus will strengthen context-aware detections and machine-learning capabilities that detect behavioral anomalies, providing detection capabilities at many points in the infection chain. Better integration of threat intelligence further provides faster blocking against delivery campaigns.
Windows Defender ATP will enable security professionals to isolate compromised machines from the corporate network, stopping network outbreaks. The update will also provide an option for security professionals to specify files for quarantine and prevent subsequent execution.
The threat of ransomware may not be going away soon, but Windows 10 will continue to improve and provide enhanced protection against this vicious threat.