In its latest quarterly IT threat evolution report, Kaspersky Lab has reported that encrypting ransomware infections doubled in Q3 2016. This is a significant acceleration in the number of users encountering ransomware. Kaspersky claims the increase in attacks is due to a surge in the number of ransomware modifications they have seen.
In the quarterly report, Fedor Sinitsyn, ransomware expert at Kaspersky Lab, said: “Crypto ransomware continues to be one of the most dangerous threats, both to private users and to businesses. The recent jump in the number of attacked users may have been provoked by the fact that the number of modifications of ransomware we detected in Q3 – more than 32,000 modifications – was 3.5 times more than in Q2.
“This may be due to the fact that security companies nowadays invest a lot of resources into being able to detect new samples of ransomware as fast as possible. Criminals must therefore avoid detection by creating more new modifications of their malware.”
Security vendors offering tools to counter some ransomware
What is interesting is the top 10 list of cryptor families. It includes Locky at number 2 (9.62% of attacks), TeslaCrypt at number 4 (1.44%) and Shade at number 5 (1.10%). These are ransomware families for which several security vendors have solutions. Additionally, the NoMoreRansomware consortium has free tools to unlock certain ransomware. These are available from its website.
The fact that users are still being attacked by, and presumably paying ransoms for, ransomware for which there are solutions is no surprise. Most of the security teams in large organisations are struggling to contain other threats. Keeping track of solutions is becoming increasingly hard for them.
This is where cloud vendors and ISPs could do more. There is nothing to stop them detecting the key indicators of a ransomware attack on their networks. Many of the security vendors make that data publicly available. Once a provider detects a call to a Command and Control server, it could inform the customer of what it has seen. Where there is a free decryptor, it could make that available to the infected customer. This is the sort of free service that will drive business to providers and help them improve the security of their networks.
Kaspersky sees distributors spreading multiple ransomware
Kaspersky has seen an increase in the number of distributors sending out multiple Trojans to infect machines. This is shown by the use of the same email address to communicate ransom demands to their victims.
Part of the reason for this is an increase in distributors. Ransomware creators have actively recruited over the last year. Many offer payment schemes where the greater the number of infections, the higher the reward. This will have encouraged distributors to try to repeat infections with multiple pieces of ransomware to increase their own revenue.
Ransomware continues to grow as a threat. As fast as security companies manage to decode some of the families, new ones appear. This will continue to be a growing source of revenue for creators and distributors for some time to come.