Ransomware makes a comeback after almost disappearing in Q1
9 August 2018
Earlier this year, the FBI noted in its yearly Internet Crime Report that ransomware attacks in the United States went down markedly in 2017, with the number of reported attacks going down from 2,453 complaints in 2015 and 2,673 in 2016 to a mere 1,783 in 2017.
In May, Ross Rustici, Senior Director, Intelligence Services at Cybereason, wrote in a guest blog for TEISS that even though ransomware attacks peaked alarmingly in 2017, the outbreaks of 2017 represented the crest of the ransomware wave and not a new beginning as the number of ransomware families shrank from 350 in 2015 to 170 in 2017 and shrank further in 2018.
In its Vulnerability and Threat Trends Report, Skybox Security also revealed that the share of ransomware attacks went down from 32 percent in the last six months of 2017 to just 8 percent in the first six months of this year, making way for malicious cryptomining which accounted for 32 percent of all attacks this year compared to just 7 percent in the last six months of 2017.
Ransomware makes an unexpected comeback
However, a new report from Proofpoint has revealed that after a brief lull during the turn of the year, ransomware attacks have returned with a vengeance. The firm’s Q2 2018 Threat Report has revealed that the share of ransomware as a proportion of malicious campaigns has jumped from 1 percent in Q1 to 11% between April and June this year.
The firm observed that new ransomware families such as Sigma, GlobeImposter, and Gandcrab pushed overall ransomware volumes in the second quarter, with Gandcrab accounting for a majority of ransomware attacks in the period. However, the number of ransomware attacks is still nowhere close to 2016 and 2017 levels.
“Ransomware by nature is extremely noisy — for the time being, it appears that threat actors are still favoring malware that can persist on infected machines and potentially generate longer-term value than ransomware. However, the reintroduction of ransomware in Q2, albeit at lower volumes than in years past, suggests that ransomware is becoming a more regular feature of the threat landscape and a standard part of the rotating toolkit employed by threat actors rather than their bread and butter,” the report said.
According to Marcin Kleczynski, CEO of Malwarebytes, ransomware attacks are being carried out by four different groups of cyber criminals, namely traditional gangs, state-sponsored attackers, ideological hackers, and hackers-for-hire.
All these hackers, who form part of the global ransomware mafia, may have different motives, but the impact of their operations is being felt by businesses all over the world, many of whom have been unable to recover following devastating ransomware infections.
Banking trojans continue to rule
Even though the number of ransomware attacks rose during the second quarter, the single-largest cyber threat to organisations and individuals came from banking trojans. According to Proofpoint, even though the rise of ransomware reduced the share of banking trojans by 17 percent, the latter still accounted for 42% of all observed malicious messages in Q2, 17 percent more than downloaders, the next largest category.
Researchers at Proofpoint observed that while the use of Emotet banking trojan fell alarmingly between Q1 and Q2, they observed a rise in the use of new trojans such as Panda and Unizone, with cyber criminals also using the Ursnif trojan as a secondary payload in most banking trojan attacks.