The changing face of ransomware

2016 saw a rapid rise to prominence of ransomware, with an estimated $1 billion in proceeds going to ransomware threat actors, making it a major criminal activity. I’ve written before about ransomware (here, here and here) – this post looks at interesting recent developments.

Approximately 40% of spam emails now contain ransomware attacks. Ransomware infections rely on exposing their presence in order to coerce the victim into paying the ransom, whereas other malware infections such as Remote Access Trojans (RATs), key loggers and botnets, operate with stealth.

Locky, the most prevalent form of ransomware, currently accounts for 5% of all malware infections. Also popular are CryptoWall and the ransomware-as-a-service (RaaS) Cerber. Ransomware spreads mainly through phishing attacks. In fact, most malware spreading through the phishing vector is some form of ransomware (97% according to the latest PhishMe report). Phishing attacks utilise JavaScript, Windows Script, Office macros and HTML applications to trigger the ransomware infections.

A few weeks ago, the San Francisco transport system was taken offline by ransomware, causing widespread disruption of ticketing services.

Ransomware targets both consumers/individuals and enterprises, with consumers accounting for 57% of victims. Parents are more likely to pay ransom demands due to the potential loss of their children’s photographs.

Many ransomware variants utilise dynamic pricing models, varying the ransom amount according to the geographical location of the infection and whether the victim is an individual or an enterprise. Extortion amounts are higher for enterprises and for victims in richer countries. Ransom demands often increase once deadlines have passed. However, F-Secure found that victims who negotiate with their attacker can generally haggle a lower ransom price.

Ransomware developers have demonstrated particular ingenuity and creativity in their efforts to infect as many systems as possible and maximise revenues. In order to evade defensive measures, Locky developers have been continually changing the nature of the file delivery system over the past year, bringing out versions of their malware as an Office macro, a JavaScript application, an HTML application (HTA), a Windows Script File (WSF), and a DLL executable. At the same time, Locky developers have enhanced the capability of their attack by including features such as offline encryption and file reversal.
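A gateway-side check for the delivery vectors named above (JavaScript, WSF, HTA, Office macro, DLL), as an added example that is not from the original post: it classifies attachment names from constructed mail-gateway log lines, including scripts disguised with a double extension and files listed inside archives. The log format, sender addresses and extension map are assumptions made for this example.

```python
import re
# Extensions matching the delivery vectors named in the post (map constructed here).
VECTOR_EXTENSIONS = {
    "js": "JavaScript", "wsf": "Windows Script File", "hta": "HTML application",
    "dll": "DLL executable", "docm": "Office macro", "xlsm": "Office macro",
}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "txt", "jpg"}  # document-looking prefixes
ATTACH_RE = re.compile(r'attachments="([^"]*)"')
SENDER_RE = re.compile(r"from=(\S+)")
ARCHIVE_RE = re.compile(r"^([^(]+)\(([^)]*)\)$")  # listing form: name.zip(a,b)

def classify_name(name):
    """Return why `name` matches a delivery vector, or None if it does not."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in VECTOR_EXTENSIONS:
        return None
    reason = VECTOR_EXTENSIONS[parts[-1]]
    if len(parts) == 3 and parts[1] in DECOY_EXTENSIONS:
        reason += " disguised with a double extension"  # e.g. invoice.pdf.js
    return reason

def flag_attachments(field):
    """Classify each ';'-separated attachment, including files listed inside archives."""
    findings = []
    for entry in (e.strip() for e in field.split(";") if e.strip()):
        m = ARCHIVE_RE.match(entry)
        if m and m.group(1).rsplit(".", 1)[-1].lower() in ARCHIVE_EXTENSIONS:
            for inner in (i.strip() for i in m.group(2).split(",")):
                if reason := classify_name(inner):
                    findings.append((entry, f"{inner}: {reason} inside archive"))
        elif reason := classify_name(entry):
            findings.append((entry, reason))
    return findings

def scan_log(lines):
    """Map sender -> findings for every log line that carries a flagged attachment."""
    hits = {}
    for line in lines:
        att, sender = ATTACH_RE.search(line), SENDER_RE.search(line)
        if att and sender and (findings := flag_attachments(att.group(1))):
            hits[sender.group(1)] = findings
    return hits
# Constructed sample gateway log lines (not real traffic).
SAMPLE_LOG = [
    'from=billing@example.invalid attachments="invoice_2016.pdf.js"',
    'from=hr@example.invalid attachments="policy.docx;photo.jpg"',
    'from=ship@example.invalid attachments="tracking.zip(label.wsf,readme.txt)"',
    'from=ops@example.invalid attachments="report.xlsm"',
]
```

Running `scan_log(SAMPLE_LOG)` flags the billing, shipping and ops senders and leaves the plain .docx and .jpg attachments alone.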

Ransomware developers have also created a method of embedding their malware in image files which are uploaded to social networking sites such as Facebook and LinkedIn. Known as ImageGate, the method exploits a misconfiguration in the social media infrastructure that forces the image to be downloaded. If the user clicks on the downloaded file, the ransomware is activated.

Popcorn Time ransomware takes a novel approach to expanding its infection base. The malware informs the victim that they have two options: either pay the ransom, or infect two additional people and get a free decryption key. This is an attempt to create a criminal pyramid scheme network using multi-level marketing techniques. The method is unlikely to be effective – deliberately infecting others is a criminal offence, and the average user is likely to leave transparent tracks allowing easy identification by law enforcement.

The No More Ransom project is a repository for victim advice and decryption tools – a kind of “self-help support group” where ransomware victims can hang out. It is a useful initiative by Intel, Kaspersky, the Dutch Police, Europol, Amazon and Barracuda, and others.

Ransomware will continue to dominate throughout 2017 due to the ease with which attackers can monetise an infection. We expect to see increased efforts to evade detection, an increase in the specific targeting of victims with more attacks directed at enterprises and critical infrastructure, and more sophistication of ransomware attacks.

2 thoughts on “The changing face of ransomware”

  1. Paul December 19, 2016 at 4:53 pm Reply

    There are several methods explaining how to remove / decrypt ransomware:

    I’ve never been infected, but which software would you recommend to remove ransomware? And can I install it if my screen freezes?


  2. dwaterson December 19, 2016 at 5:23 pm Reply
