The ransomware market & attacks in the first half of 2018

According to most statistics, ransomware attacks decreased almost 30% over the past 12 months. Apparently good news, but there is a catch: the “market” now has more room for even more sophisticated ransomware variants. That is exactly what happened: the number of attacks dropped, but the complexity of the new variants increased.

Many factors influenced the ransomware market’s decline, including overexposure, awareness, the refusal of many victims to pay and others. The numbers are, of course, only one face of the market, while the other turns out to be even more frightening. Massive ransomware campaigns like WannaCry, Cerber and Locky raised user awareness, making the mass-distribution ransomware business less profitable at that scale relative to the effort needed for distribution. This is one reason targeted attacks increased and ransom demands decreased, according to Symantec’s ISTR report. Attacking specific businesses and demanding a “fair” amount of money turned out to be more profitable for the cybercriminals. However, targeted attacks are more difficult to carry out, so the need to develop more sophisticated ransomware became quite evident.

In the last year or so, the number of ransomware families also dropped 71%, according to Symantec, but the number of variants increased 46%, along with their technical complexity. New distribution methods and techniques were developed, bundling the ransomware into capable and complex exploit kits, making them even more dangerous than the previously released variants. Cybercriminals without extensive development skills also gained access to ransomware bundles through an illegal “underground” service that delivers everything they need for an attack in a few easy clicks: ransomware-as-a-service (RaaS). This phenomenon contributed to the decline in ransomware families and the increase in variants, as there was no need to develop new families, only to re-use and continuously improve the existing ones.

Malwarebytes reports similar results: a decrease in massive consumer and business attacks, ranking ransomware fifth in the malware hierarchy, but highlighting that businesses and organizations are the most likely targets of choice for future ransomware campaigns.

March 2018 – SamSam ransomware

The City of Atlanta (Georgia) was hit by a massive ransomware attack that shut down many services and programs. Because of the extent of the attack, online services for citizens to pay bills and request utility services were replaced with paper. An audit found 1500 to 2000 vulnerabilities in the system. Recovering from this attack was, and still is, expensive, costing the city $17 million. (https://www.scmagazine.com/atlanta-ransomware-recovery-cost-now-at-17-million-reports-say/article/786184/)

March 2018

Finger Lakes Health in Geneva, N.Y., was unable to access its servers, computers and files because of an unidentified ransomware attack. They also turned to paper. They failed to recover their data despite the involvement of the FBI, and to minimize downtime and patient inconvenience, the officials decided to pay the ransom, which was 4 BTC according to some sources. In March 2018, the value of 4 BTC was around $28,000. (https://www.cybersecurity-insiders.com/finger-lakes-health-pays-ransom-to-avoid-ransomware-attack-repercussions/)

March 2018 – SamSam ransomware

The Colorado Department of Transportation was struck twice in two weeks by different variants of SamSam, bringing down all operations. CDOT was still recovering from the first attack when the second one came shortly after. Authorities said that the countermeasures implemented after the first strike, to prevent such a thing from happening again, did not work because the ransomware “morphed into something ahead of their tools”. Estimated recovery costs: $1.5 million. (https://www.denverpost.com/2018/04/05/samsam-ransomware-cdot-cost/)

April 2018

The City of Leeds (Alabama) was attacked by an unknown ransomware variant, taking down its operations. The fire and police departments were also affected. Authorities managed to negotiate, and $8,000 was paid to the criminals to recover the data. (https://www.al.com/news/index.ssf/2018/03/leeds_hit_with_ransomware_atta.html)

May 2018

Roseburg Public Schools’ website, email and other software were brought down after a ransomware attack. Years’ worth of data was lost. The authorities decided to pay the ransom in this case as well. The cost of the attack, including the ransom and recovery operations, was never published, but according to the officials, the costs were prohibitive. (https://kpic.com/news/local/ransomware-attack-freezes-roseburg-public-schools-computers)

June 2018

A ransomware variant hit Jefferson Town (Ohio) and two other entities. Details about the variant were not disclosed and no ransom was paid. The affected computer was used primarily for finances. In this case, all the data had previously been backed up, so no data was lost. (http://www.govtech.com/security/Ransomware-Misses-Mark-in-Ohio-Town.html)

July 2018 – BitPaymer ransomware

The BitPaymer ransomware attacked a borough and a town in Alaska. The aftermath was so devastating that it forced employees to use typewriters and hand-written receipts. The pool, libraries, animal care, the landfill, collections and web services were affected during the attack. (https://mashable.com/2018/08/02/malware-alaska-town/?europe=true#x7IR.ASOSOqg)

July 2018

An unidentified ransomware variant rendered all communication systems of COSCO, a Chinese shipping company, inoperable at the Port of Long Beach (California). Their website, email and phone number were down. Fortunately, logistics were not affected, but COSCO employees had to use Yahoo email accounts and Twitter to communicate. (http://techgenix.com/cosco-ransomware-attack/)

August 2018

Coweta County’s computers were hit by ransomware, affecting local public safety systems and communications. The attack compromised the majority of their servers, which were shut down during the investigation and recovery. They also reverted to manual record-keeping. (http://times-herald.com/news/2018/08/county-computers-hit-by-ransomware)

Conclusion

Although the number of massive ransomware attacks decreased worldwide, targeted attacks on businesses increased. Ransomware evolved rapidly in the last year, becoming complex attack tools that spread automatically across networks, exploiting vulnerabilities and poorly secured systems and services. Even though many companies and government contractors did their very best to prevent such incidents, they happened and continue to happen to this date, bypassing traditional anti-malware solutions and making use of advanced techniques to avoid detection.
There are countless reports where backups and conventional anti-malware solutions were just not enough, which clearly shows that dedicated anti-ransomware protection must be implemented, primarily by businesses, to help prevent data loss and downtime.

How we can help

Our dedicated solution, TEMASOFT Ranstop, is anti-ransomware software that detects present and future ransomware with a high degree of accuracy, based on file access pattern analysis. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss. TEMASOFT Ranstop is at the core of any multi-layered security strategy designed to protect against ransomware.
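To illustrate what “file access pattern analysis” can mean in practice, here is an added example that is not Ranstop’s code or any vendor’s implementation: a simplified Python heuristic that flags a process which, within a short window, writes many high-entropy (ciphertext-like) files and renames files to a new extension, run over a constructed event stream. The event format, thresholds and sample paths are assumptions for the illustration.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, documents and source code far below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def detect_bulk_encryption(events, window_s=10, min_writes=5, entropy_floor=7.0):
    """events: (ts, pid, op, path, payload); payload is the written bytes for 'write'
    and the new path for 'rename'. A pid is flagged when, inside any window_s-second
    window, it performs >= min_writes writes, >= 80% of them high-entropy, AND at least
    one rename that changes the file extension. Returns {pid: reason}."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start[0] <= window_s]
            writes = [e for e in win if e[2] == "write"]
            hi = [e for e in writes if shannon_entropy(e[4]) >= entropy_floor]
            ext_changes = [e for e in win if e[2] == "rename" and _ext(e[3]) != _ext(e[4])]
            if len(writes) >= min_writes and len(hi) >= 0.8 * len(writes) and ext_changes:
                flagged[pid] = (f"{len(hi)}/{len(writes)} high-entropy writes, "
                                f"{len(ext_changes)} extension-changing renames in {window_s}s")
                break
    return flagged

# Constructed sample stream (not real telemetry). bytes(range(256)) has entropy exactly 8.0.
CIPHERTEXT = bytes(range(256)) * 4
TEXT = b"Quarterly budget figures, revised after the council meeting. " * 20
SAMPLE_EVENTS = [
    (1.0, 100, "write", "/home/alice/notes.txt", TEXT),                              # editor save
    *[(2.0 + i * 0.1, 300, "write", f"/build/out{i}.o", TEXT) for i in range(8)],    # busy, benign
    *[(5.0 + i * 0.2, 200, "write", f"/srv/share/doc{i}.docx", CIPHERTEXT) for i in range(6)],
    *[(5.1 + i * 0.2, 200, "rename", f"/srv/share/doc{i}.docx", f"/srv/share/doc{i}.docx.locked") for i in range(6)],
]

if __name__ == "__main__":
    for pid, why in detect_bulk_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {why}")
```

Volume alone does not trigger an alert (the build process writes eight files quickly but with low-entropy content and no renames), which is what lets this kind of heuristic avoid flagging backup and compiler activity.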

For more information, follow us on social media and subscribe to our newsletter.