Ransomware notes from the FBI:
- Hackers are earning north of $70,000 a month on ransomware. [August 2016]
- 259% increase in ransomware from exploit kits in about six months! [Malwarebytes LABS, August 2016]
- Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses associated with these ransomware incidents totaling over $18 million.
- Within one day of its release, a computer security company estimated that their spam systems blocked more than 5 million e-mails associated with the Locky ransomware variant.
- In January 2016, 10,000 ransomware infections were detected per week. By March 2016 (when Locky emerged), 20,000 infections were being detected per week.
- Flash accounts for 80% of all successful drive-by-download exploit attempts. [Cisco, 2016]
- There are over 100 different variants of ransomware with varying characteristics. [August 2016]
Ransomware started as a problem for individual users. Attackers now have a different goal: they go after companies as well as individuals, and these criminals have built a criminal business around corporate attacks. Even with sophisticated cyber security in place, firewalls, antivirus, and intrusion prevention systems offer little to no protection. Ransomware encrypts the files on a workstation while it attempts to traverse the network and locate more computers to infect. Many people are now aware of ransomware because of headlines about hospitals and police departments that had to pay cybercriminals to decrypt their files. Hackers continually update the themes of ransomware; topics have included the Internal Revenue Service, President Obama, and the FBI. This is part of the intimidation tactic used to encourage payment of the ransom. The FBI warns that many of those who pay the ransom will more than likely be infected again if there is no change to their computing environment. With the rise in outbreaks threatening many US businesses, the FBI and the US Secret Service have partnered to provide information and mitigation approaches to private industry and the US Government.
Ransomware definition from US-CERT:
Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network.