Ransomware: A Two-Year Nightmare in the Making

The scourge of ransomware over the past two years has been impressive – and not in a good way. The number of frustrated computer users locked out of their PCs is at an all-time high with no signs of the ransomware epidemic relenting.

According to security experts, the last two years have seen an astounding growth in the number of people encountering ransomware. Between April 2015 and March 2016 the number of users hit by ransomware rose 17.7 percent worldwide compared to the prior year, according to a new report by Kaspersky Lab.

The in-depth report reveals that tactics have changed significantly for ransomware criminals, with crypto ransomware now the dominant strain, overtaking Windows blocker ransomware, where a user is blocked from accessing their OS or web browser via a pop-up window.

According to Kaspersky Lab, incidents of encryption-based ransomware that locks up data on a PC have risen 25 percent over the past year, jumping from 6.6 percent in 2014/2015 to 31 percent the preceding year. Correspondingly, the number of Windows blocker incidents dropped 13.03 percent, Kaspersky Lab reports.

That shift from Windows blocker to crypto has been particularly detrimental to victims, the Kaspersky Lab report points out. “The biggest difference between the two types of ransomware: blockers and encryption ransomware is that blocker damage is fully reversible. Even in the worst case scenario, the owner of an infected PC could simply reinstall the OS to get all their files back,” wrote Kaspersky Lab.

In the case of encryption ransomware, files are impossible to decrypt without a decryption key.

For years, ransomware has been a constant, but it wasn’t until July 2014 that Kaspersky Lab noticed a spike in the number of users encountering some form of ransomware. That’s when a surge of 274,000 ransomware incidents was reported worldwide within Kaspersky Lab’s sample set. The contributing factor to the spike was the prevalence of Trojan-Ransom.JS.SMSer.pn, a browser-based Windows blocker variant that attacked 31 percent of those affected by ransomware that month.

For the next several months things got worse, and by October 2015 Kaspersky Lab researchers recorded 428,400 ransomware attacks, with 9.4 percent crypto-based. Fast forward to March 2016 and incidents of encryption-based ransomware represented 52 percent of attacks, with the TeslaCrypt Trojan responsible for most incidents. In April, the most current numbers available, encryption ransomware represented 54 percent of attacks.

Distribution of users attacked with different groups of encryption ransomware in 2015-2016 – Kaspersky Lab

Ironically, the fast and furious rise in encryption ransomware is tied to a relatively small group of malware variants that are responsible for 77.5 percent of all crypto infections between 2014 and 2015. “In the first period, from April 2014 to March 2015, the most actively propagated encryptors were the following groups of malware: CryptoWall, Cryakl, Scatter, Mor, CTB-Locker, TorrentLocker, Fury, Lortok, Aura, and Shade,” wrote Kaspersky Lab.

A year later, TeslaCrypt and CTB-Locker dominated the encryption ransomware landscape, representing 70 percent of those who reported encountering crypto-ransomware between 2015 and 2016.

Over the last two years ransomware has also shifted who it targets. Two years ago 93 percent of those targeted by ransomware were home users. Today the number of corporate users attacked with ransomware has doubled to 13 percent from 6.8 percent in 2014.

Thinking geographically, the countries hardest hit by the scourge of ransomware, with the highest share of users attacked, are India (10 percent), the Russian Federation (6 percent), Kazakhstan (6 percent) and Italy (5 percent). Within Kaspersky Lab’s top 10 list of countries, the United States (1 percent) and Ukraine (4 percent) are at the bottom. Of note, over the past two years India moved from 7th to 1st place in terms of countries targeted by ransomware.

Of interest for the U.S. is the fact that 40 percent of ransomware attacks use crypto-based variants versus 14 percent just a year ago. The U.S. is also seeing the third-highest percentage increase in year-over-year attacks, with the Russian Federation and India experiencing the largest uptick in ransomware attacks.