Threat Research Blog

Ransomware Activity Spikes in March, Steadily increasing throughout 2016

UPDATE (June 15, 2016): This post has been updated to include new data on ransomware activity, which is also now broken down by region.

Cyber extortion for financial gain is typically carried out in one of two ways. The first method is a business disruption attack – a category we discussed at length in M-Trends 2016. In this type of attack, threat actors target an organization’s critical business systems, capture confidential data and threaten to do something malicious with that data (such as expose, delete, or encrypt it) unless a ransom is paid. This method is generally more targeted, requires a greater deal of finesse on the part of the threat actors, and often has a greater potential payout.

Ransomware is the other common method of cyber extortion for financial gain. Ransomware is a type of malware that prevents users from interacting with their files, applications or systems until a ransom is paid, typically in the form of an anonymous currency such as Bitcoin. While individual computer and mobile device users have long been targets of ransomware, the threat has expanded. Ransomware has gained publicity in recent months through mainstream media coverage of ransomware attacks against organizations, namely hospitals.

While the end goal is the same – some type of financial payout to the attacker – not all ransomware operates the same way. The file-encrypting variety is perhaps the most dangerous. This is because the targeted files, which often contain users’ or organizations’ most valuable data, become useless without the decryption key. The issue is compounded because paying the ransom offers no guarantee that the files will be unlocked, thus making frequent backups the best defense against ransomware.

Since the average ransom demanded from an individual user is relatively low (typically a few hundred dollars, if that), threat actors distributing ransomware typically follow the “spray and pray” tactic of sending out as many lures as possible – emails with malicious attachments or links to malicious websites, for example – to maximize their potential gains.

Ransomware Spike in March

Based on data from FireEye Dynamic Threat Intelligence, ransomware activity has been rising fairly steadily since mid-2015. We observed a noticeable spike in March 2016. Figure 1 depicts the percentage of ransomware compared to all malware detected on FireEye products from October 2015 to May 2016.

Figure 1: Ransomware detections from August 2015 to May 2016

The spike is noteworthy, and consistent with other observations. In March 2016, FireEye Labs detected a significant rise in Locky ransomware downloaders due to an email spam campaign targeting users in more than 50 countries. The malicious email attachments pretended to contain an invoice or a picture, but opening the attachment led to an infection instead.

Ransomware in the Media

There is no denying the satisfaction an attacker feels when their exploits make the news. For threat actors distributing ransomware, the satisfaction is even greater when the headlines report that the victim paid the ransom. A recent blitz of ransomware reports in the media – as well as the follow-up success stories – may have spurred other attackers to get in on the action, possibly resulting in the March ransomware activity spike. The Petya ransomware, for instance, includes links to recent media articles on its ransom payment page, as shown in Figure 1.

Figure 2: FireEye Threat Intelligence in 2016 uncovered Petya ransomware advertising links to recent media articles on their ransomware payment page

Hollywood Presbyterian Medical Center incident

In early February, Hollywood Presbyterian Medical Center (HPMC) was in the media spotlight after their systems became infected with file-encrypting ransomware. Midway through the month, Allen Stefanek, president and CEO, wrote that staff had trouble accessing the network beginning Feb. 5. He explained that malware locked access to certain computer systems and prevented the sharing of communications electronically, and indicated that a ransom of 40 Bitcoins had been requested (approximately $17,000 at the time).

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote. “In the best interest of restoring normal operations, we did this.” HPMC restored its electronic medical record system and cleared all systems of the malware by Feb. 15.

Continued targeting of hospitals

Attackers may have taken a hint that hospitals are a lucrative target. Later in February, The Register reported that file-encrypting ransomware infected the systems of Lukas Hospital and Klinikum Arnsberg hospital – both in Germany. Then in March, Ars Technica reported that data at Union Memorial Hospital in Maryland – as well as other MedStar hospitals in the Washington, DC area – were encrypted by ransomware, and that the requested ransom was 45 Bitcoins, or about $18,500 at the time.

The targeting of hospitals is no surprise. Cyber criminals have been increasingly turning to industries such as healthcare that possess critical data but may have limited investment in security across their enterprise. With hospitals, budget dollars often go towards surgery wards, emergency care centers and supplies for a large number of patients – not security. This makes for a tricky issue, since hospitals cannot operate without the necessary patient data stored in their systems.

Other Factors Influencing Uptick in Ransomware Activity

High-profile media coverage of ransomware is certainly attracting attackers, but that is not the only factor driving the uptick in activity. The following are some additional factors contributing to the increase:

  • Relatively high profit margins coupled with the relatively low overhead required to operate a ransomware campaign have bolstered the appeal of this particular attack type, fueling market demand for tools and services corresponding to its propagation. For example, in 2015 we observed a small-scale ransomware operation that nevertheless likely netted the perpetrators about $75,000.
  • The success of prolific ransomware families such as CryptoWall has provided a blueprint for aspiring ransomware developers, showcasing increasing profit margins and campaign sustainability. According to the FBI's Internet Crime Complaint Center (IC3), CryptoWall generated identified victim losses totaling more than $18 million between April 2014 and June 2015.
  • The emergence of several new ransomware variants adopting a ransomware as a Service (RaaS) framework since mid-2015, a phenomenon likely driven by the competitive development of quality goods and services within the cyber crime ecosystem. Based on multiple factors, RaaS offerings – which are uniquely poised to capitalize on current underground marketplace demand for ransomware – are highly likely to fuel an increasing number of ransomware infections.
Ransomware Variants

Through this discernible uptick in ransomware activity from mid-2015 to early 2016, FireEye has observed significant growth and maturation of the ransomware threat landscape – predominately involving the proliferation of myriad new variants.

Prolific Ransomware Families

We continue to observe the sustained distribution of multiple, well-established ransomware families used in both geographically targeted and mass infection campaigns. In multiple cases these renowned variants, such as CryptoWall and TorrentLocker, spawned updated variants with improvements in either encryption capabilities or obfuscation techniques. These established ransomware brands will continue to pose a significant threat to global enterprises, as malware functionality, encryption techniques and counter-mitigation measures are adapted and successfully introduced into updated variants. Examples include:

  • TorrentLocker: Throughout 2015, FireEye observed continued distribution of TorrentLocker, a ransomware family based on both CryptoLocker and CryptoWall. According to multiple open-source reports, TorrentLocker has been active since at least early 2014 and is most often distributed in geographically-specific spam campaigns.
  • CTB-Locker: CTB-Locker – a name that represents the key elements of the ransomware, namely Curve (for Elliptic Curve Cryptography), Tor and Bitcoin – was first seen around mid-2014 and remained active throughout 2015. During this reporting period, we observed multiple campaigns propagating CTB-Locker and its variants, including CTB-Locker distributors capitalizing on Windows 10 releases and free upgrades by sending out spam campaigns citing Windows 10 upgrades in mid-2015.

Novel Ransomware Variants

We have also observed several new ransomware variants that incorporate a range of new tactics, techniques and procedures (of varying degrees of technical practicality). Based on the increased growth in this area, we expect ransomware developers to continue equipping ransomware variants with novel features in order to expand targeted platforms and increase conversion ratios.

  • Chimera: The operators behind the  Chimera ransomware not only used the malware to encrypt victims’ files, but further threatened to publish the encrypted data if victims failed to pay the ransom. The threat actors began targeting German-based small and medium-sized business enterprises around mid-September 2015.
  • Ransom32: Ransom32, first publicly reported in late December 2015, is purportedly one of the first ransomware variants based entirely on JavaScript, potentially allowing for cross-operating system (OS) compatibility and packaging for both Linux and Mac OS.
  • LowLevel04: According to open-source reporting, operators of LowLevel04 purportedly spread the ransomware using the unconventional infection mechanism of exploiting Remote Desktop and Terminal Services.
  • Linux.Encoder.1: According to open-source reporting, Linux.Encoder.1 debuted in late 2015 as one of the first ransomware variants targeting Linux web-based servers. While the encryption capabilities of the earliest variants proved to be suspect – with multiple reports alleging faults in its predictable encryption key – the targeting associated with this malware family represents a deviation from more traditional Windows-based attacks.
Outlook and Implications

We expected to see the ransomware threat landscape sustain, if not exceed, levels observed in 2015 – and so far we have been right. Cyber extortion has gained significant notoriety, with illicit profits garnered from highly publicized campaigns undoubtedly resonating among cyber criminals. Recent campaigns in which targeted victims paid the ransom demand reinforce the legitimacy and popularity of this particular attack method.

One of the most worrying threats concerns the targeted deployment of ransomware after the attackers have already gained a foothold in the network. In these cases, threat actors may be able to conduct reconnaissance to strategically disable or delete backups and identify those systems most critical to an organization’s operations before deploying the ransomware. To increase the difficulty of such an attack, enterprises are encouraged to properly segment networks and implement access controls. In addition, enterprises should evaluate backup strategies regularly and test those backups to ensure that recovery is successful. Finally, copies of backups should be stored offsite in case onsite backups are targeted.

Learn more about ransomware during our webinar on May 19, 2016, at 11:00am EDT. You can register here.