2018: A Reverse-Course for Ransomware
By Mollie MacDougall
The overall number of ransomware campaigns and active families has declined precipitously in 2018 as compared to last year, almost certainly due to multiple deterrents and a better alternative for profit-minded hackers. This reverse-course in ransomware trends follows years of sustained growth in the number of ransomware families and unique campaigns. Still, ransomware attacks make headlines and will likely continue into next year.
An Astounding Drop
The number of ransomware families that Cofense Intelligence™ identified as distributed in mass-phishing campaigns plummeted in 2018 as compared to 2017. Figure 1 below details the top 12 ransomware families seen in mass-phishing campaigns. Contrast that with Figure 2, and it becomes clear that threat actors’ investment in ransomware has declined substantially, reversing the upward trend of the previous few years.
Figure 1: Top 12 ransomware families appearing in mass-phishing campaigns in 2017
Figure 2: Only five ransomware families appeared in mass-phishing campaigns thus far in 2018
The Downside to Ransomware Today
Multiple factors have almost certainly tempered ransomware operations. First, the dominance of ransomware attacks and headlines in the news last year—especially with WannaCry and NotPetya—likely led law enforcement to prioritize preventing them. This has led to improvements in Bitcoin transaction tracking and to disruption of ransomware operator infrastructure. Such consistent disruption of infrastructure also likely explains the large number of unique ransomware families identified in 2017: many would appear, be prolific for only a couple of months, and then disappear for good.
Such disruption makes operating ransomware very costly for threat actors, who constantly must change infrastructure and reinvent their operations. With major attacks making headlines, users likely became more educated in the importance of backups and enhanced protection against ransomware. Furthermore, news articles often carried stories of ransom payments not resulting in successful decryption and file restoration, making people less likely to pay ransomware operators and making the ransomware business less lucrative.
Moreover, improved technology has strengthened another barrier to ransomware operations, with AV vendors focused on better identifying, stopping, and rolling back changes made by ransomware.
Cryptomining: A Better Alternative for Hackers
Threat actors looking to generate revenue through cyber operations have most likely turned to cryptomining, based on the inverse relationship between rates of ransomware and cryptomining activity. By furtively placing mining software on compromised computers, threat actors can use their victims’ processing power to generate income in a more covert manner—especially if the threat actors do not draw significant processing power from any single compromised host.
Cofense Intelligence has seen phishing campaigns that deliver cryptocurrency mining software. Threat actors control the instructions given to the mining application on a compromised host, including which mining pool it participates in, the wallet address to which successfully mined credit is sent, and various runtime variables such as the maximum CPU usage the application may consume while mining. To be clear, these cryptominers are not in and of themselves malware; however, they illicitly use a victim’s computing resources to participate in a very resource-intensive process that generates currency for the operators.
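The three controls described above (a mining pool, a payout wallet, and a CPU cap) are also what a defender can look for in process command-line telemetry. The Python below is an added example and not part of the original post or of Cofense’s tooling: it scores each command line by how many of those controls it carries, so that a lone thread-count flag in a benign backup job does not fire. The flag names (--pool, --wallet, --max-cpu) and every sample command line are constructed; only the stratum URL scheme used by mining pools and the Monero-style address shape (95 base58 characters beginning with 4) are real conventions, and both patterns are approximations you would tune to your own telemetry.

```python
"""Triage process command lines for coin-miner launch indicators.

Added example, not Cofense's code. Indicators mirror the controls the
post describes: a mining pool, a payout wallet address and a CPU cap.
"""
import re
from dataclasses import dataclass, field

# Pool URL: stratum is the protocol most pool software speaks.
POOL_RE = re.compile(r"stratum\+(tcp|ssl)://[^\s\"']+", re.IGNORECASE)
# Monero-style standard address: 95 base58 chars starting with '4' (approximation).
WALLET_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
# CPU cap / thread count; flag names here are hypothetical, extend as needed.
CPU_CAP_RE = re.compile(
    r"--?(max-?cpu(-usage)?|cpu-?limit|threads)[=\s]+(\d{1,3})", re.IGNORECASE
)


@dataclass
class Finding:
    cmdline: str
    indicators: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators: a thread flag alone, or a
        # stray "stratum" string alone, should not page anyone.
        return len(self.indicators) >= 2


def analyse(cmdline: str) -> Finding:
    """Return which miner-control indicators a single command line matches."""
    finding = Finding(cmdline)
    if m := POOL_RE.search(cmdline):
        finding.indicators["pool"] = m.group(0)
    if m := WALLET_RE.search(cmdline):
        finding.indicators["wallet"] = m.group(0)
    if m := CPU_CAP_RE.search(cmdline):
        finding.indicators["cpu_cap"] = int(m.group(3))
    return finding


def triage(cmdlines):
    """Keep only the command lines that clear the two-indicator threshold."""
    return [f for f in map(analyse, cmdlines) if f.suspicious]


# Constructed sample telemetry; the wallet is a placeholder, not a real address.
SAMPLE_WALLET = "4" + "A" * 94
SAMPLE_CMDLINES = [
    "C:\\Users\\Public\\svc.exe --pool stratum+tcp://pool.example.invalid:3333 "
    f"--wallet {SAMPLE_WALLET} --max-cpu 25",
    "chrome.exe --type=renderer --enable-features=NetworkService",
    "python backup.py --threads 8 --dest /mnt/nas",  # thread flag alone: benign
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit.indicators, "<-", hit.cmdline)
```

Run as a script it prints the one suspect line with its pool, wallet and cpu_cap values; the backup job surfaces a cpu_cap indicator on its own but never reaches the threshold. In a real pipeline you would feed it process-creation events and add the flag spellings of whichever miner families you actually see.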
Cryptomining software is delivered via phishing less often than ransomware used to be—likely because of the success threat actors find with browser-based mining. It will likely remain popular for the foreseeable future. Given its covert nature, it is also less likely to provoke disruptive infrastructure takedowns, and cryptocurrency—while often volatile—continues to be lucrative.
2018’s Ransomware ‘Highlights’
Today, two types of ransomware dominate the landscape—those used in very targeted campaigns, such as SamSam, and more commoditized families that cast a wide net and depend on high volume, rapid proliferation and constant maintenance for success, such as GandCrab and Sigma.
Ransomware-as-a-Service helps other criminals infect as many victims as possible, while the primary operators take a percentage of any ransoms paid. These attacks appear on the decline as compared to previous years. However, with both GandCrab and Sigma we have seen a constant release of updated versions, which demonstrates a strong determination by their operators to stay in the game.
This year, more targeted attacks have dominated the news cycle. These attacks appear focused on organizations deemed more likely to pay large ransoms. Often, such targets include local governments, hospitals, transportation, and businesses that cannot survive offline.
The most notable targeted ransomware attack this year was against the City of Atlanta. In March, Atlanta was infected with SamSam ransomware and a ransom of $51,000 worth of Bitcoin was demanded. In the end, this attack is estimated to have potentially cost Atlanta upwards of $17 million according to the Atlanta Journal Constitution.[i] Additional 2018 ransomware victims have included the Colorado Department of Transportation, Bristol Airport in the United Kingdom, an Indiana hospital, and a medical practice management software provider.
What You Can Do
The price tags on this year’s attacks highlight the ongoing threat posed by ransomware. Most of the attacks were targeted, proving the importance of vigilance, preparedness, and ongoing security awareness. Phishing is the most common delivery mechanism for ransomware. Learn how Cofense PhishMe™ trains users to spot and report all types of active phishing threats.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.