Ransomware still a threat to business, F-Secure warns

Ransomware attacks grew in volume by more than 400% in 2017, compared with the previous year mainly due to the WannaCry cryptoworm, but there has been a shift in how cyber criminals are using the malware, a report by security firm F-Secure shows.

Ransomware evolved as a threat considerably during 2017, The changing state of ransomware report warns.

Prevalent threats during the year included established ransomware families like Locky, Cryptolocker, and Cerber. But it was WannaCry that emerged as the most frequently seen ransomware threat in 2017, accounting for 90% of ransomware reports by the end of the year.

WannaCry remained active in the latter half of 2017, with the majority of F-Secure’s detection reports coming from Malaysia, Japan, Columbia, Vietnam, India, and Indonesia.

A total of 343 unique families and variants of ransomware were discovered in 2017, an increase of 62% over the previous year, the report said.

But while the WannaCry ransomware family remained prevalent in the second half of 2017, the use of other ransomware by cyber criminals seemed to decline, the report notes.

“This points to amateur cyber criminals losing interest in ransomware,” said Sean Sullivan, security adviser at F-Secure. “After the summer, there was a noticeable shift away from the kind of ransomware activity that we’ve seen in the past year or two.”

The past couple of years saw cyber criminals developing lots of new kinds of ransomware, said Sullivan, but that activity tapered off after last summer.

“So it looks like the ransomware gold rush mentality is over, but we already see hard core extortionists continuing to use ransomware, particularly against organisations because WannaCry showed everyone how vulnerable companies are.”

“We already see hard core extortionists continuing to use ransomware, particularly against organisations because WannaCry showed everyone how vulnerable companies are”

The report notes that while there were signs of ransomware declining as 2017 closed, there is also evidence suggesting that ransomware use will gravitate to more corporate focused attack vectors, such as by compromising organisations via exposed RDP [remote desktop protocol] ports.

The SamSam ransomware family is known to use this approach. SamSam was reportedly used to infect the US city of Atlanta’s IT systems in March, which cost the city more than $2.6m to remediate, after the city authorities refused to pay the $50,000 ransom demand.

According to Sullivan, there are several factors that are contributing to the apparent change in how ransomware is being used.

“The price of bitcoin is probably the biggest factor, as that’s made illicit cryptocurrency mining [known as cryptojacking] a lot more attractive and arguably less risky for cyber criminals.

“I also think revenues are probably falling as awareness of the threat has encouraged people to keep reliable backups, as has skepticism about how reliable criminals are on delivering their promises of decrypting data.

“But cyber criminals will always try to pick low hanging fruit, and they’ll return to ransomware if the conditions are right.”