Ransomware ‘Gold Rush’ Looks Finished, but Threat Remains
A new F-Secure report finds that ransomware attacks exploded in 2017 thanks to WannaCry, but a decline in other types of ransomware signals a potential shift in the malware’s use by cyber criminals.
Helsinki, Finland – May 2, 2018: Ransomware attacks grew in volume by over 400 percent in 2017 compared with the previous year. F-Secure attributes this growth to the WannaCry cryptoworm in a new report, but notes that other ransomware attacks became less common as the year progressed, signaling a shift in how cyber criminals are using the malware.
The Changing State of Ransomware report finds that ransomware evolved as a threat considerably during 2017. Prevalent threats during the year included established ransomware families like Locky, Cryptolocker, and Cerber. But it was WannaCry that emerged as the most frequently seen ransomware threat in 2017: the notorious cryptoworm accounted for 9 out of every 10 ransomware detection reports by the end of the year.
But while the WannaCry ransomware family remained prevalent in the second half of 2017, the use of other ransomware by cyber criminals seemed to decline. It’s a phenomenon that F-Secure Security Advisor Sean Sullivan says points to amateur cyber criminals losing interest in ransomware.
“After the summer, there was a noticeable shift away from the kind of ransomware activity that we’ve seen in the last year or two,” said Sullivan. “The last couple of years saw cyber criminals developing lots of new kinds of ransomware, but that activity tapered off after last summer. So it looks like the ransomware gold rush mentality is over, but we already see hard core extortionists continuing to use ransomware, particularly against organizations because WannaCry showed everyone how vulnerable companies are.”
The report notes that while there were signs of ransomware declining as 2017 closed, there’s also evidence suggesting that ransomware use will gravitate to more corporate-focused attack vectors, such as compromising organizations via exposed RDP ports. The SamSam ransomware family is known to use this approach and has already infected several US-based organizations this year, including the city of Atlanta’s IT systems in a recent attack.
Other significant findings in the report include:
- WannaCry, followed by Locky, Mole, Cerber, and Cryptolocker, were the most prevalent ransomware families in 2017
- Ransomware attacks in 2017 increased by 415 percent compared with 2016
- WannaCry remained active in the latter half of 2017, with the majority of F-Secure’s detection reports coming from Malaysia, Japan, Colombia, Vietnam, India, and Indonesia
- 343 unique families and variants of ransomware were discovered in 2017, an increase of 62 percent over the previous year
- With the exception of WannaCry, new and existing ransomware use seemed to decline toward the end of the year
According to Sullivan, there are several factors that are contributing to the apparent change in how ransomware is being used. “The price of bitcoin is probably the biggest factor, as that’s made crypto mining a lot more attractive and arguably less risky for cyber criminals. I also think revenues are probably falling as awareness of the threat has encouraged people to keep reliable backups, as has skepticism about how reliable criminals are on delivering their promises of decrypting data. But cyber criminals will always try to pick low hanging fruit, and they’ll return to ransomware if the conditions are right.”
Ransomware: How to Predict, Prevent, Detect & Respond
Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
F-Secure media relations
+358 40 637 8859