Business ransomware detections increased by 365% in the past year, dominated by Ryuk and Phobos, which increased 88% and 940% respectively, a report on cyber crime trends reveals.
GandCrab and Rapid ransomware attacks on businesses also increased in the past year, with Rapid up 319% and GandCrab up just 5%, showing a slowdown in growth.
These increases in business detections show that cyber criminals are searching for higher return on investment (ROI) as consumer detections decreased by 12%, according to the ransomware-focused report by security firm Malwarebytes.
This shift is significant, the researchers said, in the light of the fact that in the last quarter of 2017, consumer detections were up 55% and business detections were up only 2%.
The report notes that cyber criminals can reap “serious benefits” from ransoming organisations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft.
Encrypting sensitive proprietary data on any number of endpoints allows cyber criminals to make much larger ransom demands with an “exponentially higher chance” of getting paid, the report said.
The US is at the top of the ransomware rankings (53% of all detections), followed by Canada (10%) and the UK (9%), which is ranked third for the most ransomware detections globally in the past year, for both businesses and consumers.
Within the UK, the most ransomware detections were in Manchester, followed by Royal Kensington and Chelsea, Reading, Harrow and Leeds.
Ransomware and other forms of cyber extortion are currently the most popular forms of cyber criminal activity in the UK, Rob Jones, director of threat leadership at the National Crime Agency (NCA), told Computer Weekly in a recent interview.
Ransomware makes a comeback
Despite a seeming lull in ransomware after the peak in 2017, the report said this threat has come back to life in a big way, switching from mass consumer campaigns to highly targeted attacks on businesses.
“Cyber criminals looking for a bigger bang for their buck have been busy exploiting weak infrastructure and poorly constructed operational security to encrypt business-critical data for larger payouts, and organisations have been largely caught with their virtual pants down,” the report said.
Ransomware attacks featuring targeted campaigns against cities and municipalities, like those experienced in Baltimore, Florida and Georgia, have increased in frequency, the report notes, especially since the beginning of 2019.
Ransomware families such as Ryuk and RobinHood are mostly to blame, though SamSam and Dharma also made appearances, the report said, adding that recovery from those attacks has been slow and painful, with critical infrastructure a problem.
“Healthcare and education, two industries also plagued with legacy infrastructure, were also targets,” the report said.
From December 2017, ransomware threat actors have attacked organisations in these sectors, the report said, probably due to legacy infrastructure, outdated hardware and software applications, and lack of security funding.
Looking to the future, the researchers predict that so-called “manual” ransomware infections that take advantage of already-breached networks will increase, allowing attackers to disable security tools and launch ransomware on their own.
The researchers also expect to see a rise in ransomware attacks that blend downloaded threats from a command and control (C&C) server with worm-like functionality that allows it to spread, as well as Trojan elements that allow it to go unnoticed on organisational networks.
Ransomware is expected to continue partnering with other malware families, email attacks are expected to develop to take advantage of technical as well as human vulnerabilities, and ransomware attacks against consumers are expected to virtually disappear.
“Attackers will increasingly target critical infrastructure, recognising that disrupting publicly controlled, essential networks will likely result in a higher chance of payment.
“Ransom against consumers will be replaced with a flood of adware and other malware designed to hijack attention and processing power,” the report said.
Businesses need to continue to take the ransomware threat seriously, with business ransomware increasingly dominating, the report concludes, adding that despite the success of new ransomware threats that use advanced technology and sophisticated attack vectors, older families such as Cerber and Locky could continue to cause damage.
“We need to expand our methods of prevention, detection, remediation and recovery from these attacks beyond what we did in the past,” the researchers said.