2017 was a landmark year for ransomware, with WannaCry and NotPetya grabbing headlines around the world. Ransomware attacks grew by more than 400% over the year, while the number unique families and variants increased by 62%. These statistics, however, disguise an apparent change in the ransomware industry following the summer of 2017.
The figures and analysis come from F-Secure’s upstream telemetry and are published in a new report: The Changing State of Ransomware (PDF). It is the sheer size of the WannaCry outbreak that started in May 2017 that distorts the figures. “While the initial wave of infections was quickly rendered inert with the discovery of an apparent ‘kill switch’,” notes F-Secure, “it did not actually stop the malware from spreading.”
WannaCry spreads like a worm via vulnerable SMB ports, and it will continue to seek to spread unless every single infection is eradicated. In this it is like Conficker, which is still being found in the wild nearly ten years after it was first encountered. Although the WannaCry vulnerability was patched by Microsoft, the malware’s continued incidence around the world shows there is no shortage of vulnerable machines.
By the end of 2017, WannaCry accounted for 9 out of every 10 F-Secure detection reports. Most of these are in Asia and South America, but recent reports of infections in Connecticut and North Carolina show that it can still occur anywhere.
Beneath the dominance of WannaCry, closer inspection of the figures shows that in the latter half of 2017, other ransomware detections declined. Apart from two spikes (Mole in September, and Locky in October), the general trend in new detections is downward.
F-Secure believes there are several reasons for this decline. One is the huge increase in the value of bitcoin and other cryptocurrencies. While bitcoin initially fueled the rise of ransomware through its relative anonymity, it is often a labor-intensive method of collecting revenue — with some criminals even providing ‘help desks’ for their victims.
The huge rise in the value of bitcoin towards the end of last year persuaded criminals to change tactics — instead of extorting cryptocurrencies they are now distributing crypto mining malware to steal users’ CPU cycles to ‘earn’ cryptocurrencies. “This scheme draws considerably less attention than ransomware,” says the report, “and can prove lucrative if cryptocurrencies increase in value.”
But there is another trend hidden by the figures — a move away from mass-distributed spam-delivered ransomware (more likely to affect home computers than corporate computers) towards more targeted attacks against business. WannaCry might again be partly to blame. Firstly, it raised awareness of ransomware among the general public who are now more likely to take better precautions and maintain backups.
But secondly, the propagation method via SMB ports meant the WannaCry outbreak focused primarily on businesses. It demonstrated, suggests F-Secure, that criminals could focus on the quality rather than quantity of targets in the hopes of getting a better payday.
“After the summer, there was a noticeable shift away from the kind of ransomware activity that we’ve seen in the last year or two,” comments F-Secure security advisor Sean Sullivan. “The last couple of years saw cyber criminals developing lots of new kinds of ransomware, but that activity tapered off after last summer. So, it looks like the ransomware gold rush mentality is over, but we already see hard core extortionists continuing to use ransomware, particularly against organizations because WannaCry showed everyone how vulnerable companies are.”
Ransomware is not going away, but it is getting targeted on business. The massive spam delivery campaigns are being replaced by targeted attacks, sometimes using lesser-known ransomwares. “For example,” says F-Secure, “in June 2017 a South Korean web hosting company paid a one-million-dollar ransom to cyber criminals after falling victim to a Linux variant of the Erebus ransomware.”
Average payouts are far less than this, typically ranging between $150 for Jigsaw and $1900 for Cryptomix. This, however, is per decryption. A home user would consequently be extorted, say $400 for decrypting a PC infected with Shade, while a small business with 100 workstations that need decryption would be charged $40,000.
SamSam is a good example of the changing state of ransomware. The SamSam group will typically breach a company network prior to delivering the ransomware and encrypting files. This gives the criminals time to understand the environment, learn what to encrypt for maximum effect, and potentially disrupt any backup and restore capabilities. This seems to have happened this year at Hancock Health.
Hancock Health decided to pay the SamSam ransom even though it could, it thought, have restored its files from backup. “Several days later,” admitted CEO Steve Long, “it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers.”
The City of Atlanta was also hit by SamSam. This is still current. It appears that the city decided not to pay the ransom demand (a little over $51,000); but has so far been forced to spend around $3 million in recovery costs.
Cybercriminals quickly adapt to new conditions and opportunities; but will always go where they can gain maximum income from minimum effort. The two primary themes that came out of the last few months of 2017 are a criminal migration from commodity ransomware to crypto mining, together with the emergence of more targeted ransomware against business.
“The price of bitcoin is probably the biggest factor,” suggests Sullivan, “as that’s made crypto mining a lot more attractive and arguably less risky for cyber criminals. I also think revenues are probably falling as awareness of the threat has encouraged people to keep reliable backups, as has skepticism about how reliable criminals are on delivering their promises of decrypting data. But cyber criminals will always try to pick low hanging fruit, and they’ll return to ransomware if the conditions are right.”