If you’ve been following the news, you know that the new ransomware, WannaCry, has crippled organizations and end users across the world. Within several hours, WannaCry infected tens of thousands of computers in more than 99 countries and in 27 languages. This attack was so impactful that Microsoft took the rare step of releasing a patch for previously retired versions of Windows operating systems. Even though the initial WannaCry attack was halted the same day that it launched, stronger variations that lacked the weakness of the original version started springing up within just two days.
The number of ransomware attacks grew exponentially in 2016, and even more growth is expected in 2017. This drastic increase in ransomware attacks is a result of new variants with self-propagation features, which allow them to spread unassisted from system to system (WannaCry had this feature), as well as the availability of inexpensive, customizable tools—such as ransomware as a service (RaaS)—that allow relatively unskilled criminals to get in on the action. But the biggest reason for the increase in these attacks is that they work.
According to NSS Labs’ CAWS cyber threat protection platform, TeslaCrypt was the most prevalent type of ransomware in 2016. Since its developers decommissioned TeslaCrypt, there has been a drastic shift toward Cerber, which accounted for 82% of the ransomware captured by CAWS in the first four months of 2017. Locky is another well-known type of ransomware, but many other lesser-known flavors of ransomware are beginning to surface, with various themes and operating models. These are a few interesting variations of ransomware that demonstrate the growing creativity of its developers:
The vast majority of ransomware attacks are spread by email through malicious links or attachments; however, ransomware can come through several other vectors, including compromised websites, browser exploit kits, infected file downloads, or mobile app downloads. Although most ransomware attacks are opportunistic, there is a growing trend toward targeted attacks against organizations. One of the most popular tactics is an email that appears to be from a company’s human resources department, pertains to an employee’s pay or benefits, and contains an infected link or attachment.
NSS Labs will continue to track these as well as other ransomware variations that develop, so check back on our blog for updates. For real-time validation of how well your existing security controls are holding up against cyberthreats that are active in the wild, including ransomware, check out NSS Labs' CAWS Cyber Threat Protection Platform.