
Ransomware: Neither gone nor forgotten

With the WannaCry, NotPetya, and Bad Rabbit outbreaks making international headlines, 2017 was often referred to as the year of ransomware. The term was discussed around offices and in lecture halls, and for a period it was deemed enemy number one within the InfoSec community. A year is a long time in digital terms, and ransomware may no longer hold that notorious spot. 2018 may be the year of crypto miners, with such attacks being the most detected by security firms including Imperva. But although ransomware may have been dethroned, is it truly on the way out? Or has it adapted and evolved?

For a period of time ransomware made a real nuisance of itself, particularly for industry and companies. Locky ransomware caused major disruptions at a hospital, while the Cerber ransomware was offered by enterprising individuals as “Ransomware as a Service” (RaaS). Despite these incidents, ransomware detections by security firms decreased steadily. The decline has been so significant that it led those working at Kaspersky Lab to state that the threat was “rapidly vanishing.” In a report published by the firm, analysts noted a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year.

Researchers at McAfee Labs also published a report in which they noted a 32% drop in ransomware detections. It is interesting to note that while ransomware detections are down, detections of crypto mining malware were up by an astronomical 1,189% in the first quarter of this year alone. While crypto miners saw a massive jump, hackers were also increasingly making use of LNK shortcuts to deliver malware rather than PowerShell: the use of PowerShell dropped by 71% while the use of LNK shortcuts rose by 24%. These statistics certainly indicate a major decline in the use of ransomware strains and a massive increase in crypto miners.


One of the reasons for the decline in ransomware can be directly attributed to the rise in popularity of crypto miners. There are a few reasons for this, one being that they are simply a less risky means of illicitly making money. Cryptocurrency mining malware works by infecting a victim's PC or mobile device and using its CPU to mine cryptocurrency without the victim's knowledge. It is far stealthier than ransomware, with the added bonus of not having to actually attempt to collect a ransom payment from a victim. It is also able to provide the cybercriminal with a far steadier stream of income.

Is ransomware doomed to obscurity?

Given the shift in popularity from ransomware to crypto miners, one can be forgiven for thinking that ransomware is down and out. The truth, however, may not be so simple. While there is a significant decline in ransomware detections, ransomware still remains a threat. A ransomware attack on the city of Atlanta proves that. The attack, which led to data being encrypted and the shutdown of certain services, cost the city an estimated 2.6 million USD. It is important to note that the city never paid the ransom; the costs were associated with recovery of data and service downtime. The Atlanta attack was the result of the SamSam ransomware, which has been seen in the wild since 2015.

In that attack the threat actors didn't use the traditional infection method of trying to infect as many computers as possible in the quickest time, a technique often called “spray and pray.” Rather, it appeared that the attackers targeted the City of Atlanta because it was vulnerable. This tactic would appear to be more successful. In January of this year, a hospital paid approximately 55,000 USD in Bitcoin when its systems were infected. In a targeted attack, the attacker can see that the entire network may be vulnerable, making it easier to bring an entire organization to its knees in the hope of better securing a ransom payment. This shift in tactics means that ransomware is still a threat to organizations, in particular those with outdated cybersecurity protocols.

Enter GandCrab

If ransomware is dead, some hackers never got the memo. In April Fortinet published a report detailing its analysis of GandCrab, another ransomware seen in the wild. The first versions of the ransomware were detected in January. Since the initial detections, the malware authors shifted their business model and offered GandCrab as part of an affiliate “business” model. Since the shift, the malware has received a near-constant stream of updates. The latest version was seen being distributed in a spam email campaign. There is obvious interest in GandCrab, as it would appear that the creators are continually patching and fixing bugs in a similar way to how a software company would.

All things considered, despite ransomware no longer being the popular kid in school, it cannot be written off. Ransomware variants both older, like SamSam, and newer, like GandCrab, pose very real threats. By changing tactics from “spray and pray” to a more targeted approach, the hackers using such techniques appear to have matured along with the malware they create and deploy. In more targeted attacks, attackers seem to have a greater chance of receiving a ransom payment. Further, by targeting an organization dependent on its network, like a hospital, they force the question of whether to pay or not to pay far more effectively than previously seen.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.

The PCrisk security portal is brought to you by the company RCS LT. The joined forces of its security researchers help educate computer users about the latest online security threats.
