CIS Logo
tagline: Confidence in the Connected World

2016: The Year of Ransomware

By: Katelyn Bailey

Since the beginning of 2015, ransomware infections have been on an upward climb, with no foreseeable slowdown. March, April, and May each broke the record set by the previous month for the highest number of ransomware notifications ever issued by the MS-ISAC, based on our state, local, tribal, and territorial (SLTT) government monitoring. We attribute this continued growth in 2016 to the new-found popularity of ransomware as a money-making enterprise and the strength of the distribution campaigns, as well as ever diversifying tactics, techniques, and procedures (TTPs) by cyber threat actors.
The recent increases don’t follow the traditional pattern of ransomware infections with periods of limited activity followed by periods of high activity. Instead, ransomware infections have been on a continuous and steep increase since October 2015, with no intermittent periods of decreased activity (see chart below). However, of note we believe that this increase is primarily due to opportunistic targeting, and while the media has focused on reporting ransomware cases in particular sectors, no singular SLTT government sector is at a greater risk than any other sector.

MS-ISAC Detected Ransomware Infections Chart

Notable Infection Vector TTPS

The constant influx of new ransomware variants and TTPs feeds into the cycle of increased reporting and interest, both by actors and defenders. It’s likely that this interest also led to the development of new and prolific variants such as Locky, Samas, CryptXXX and Cerber. Just a few of the notable variants and TTPs from the first half of 2016 are outlined below.

  • Ransomware-as-a-Service (RaaS) is a newer technique employed by ransomware authors, first observed in December of 2015. This allows someone with very little know-how about malware, code, or cyber-attacks to conduct a seemingly sophisticated attack. RaaS is designed with a user-friendly platform that allows the attacker to simply pick their victim, set the ransom, input their Bitcoin wallet address, and deploy the malware. RaaS developers take a percentage of the ransom paid to the attacker.
  • Last month, the ransomware variant Locky utilized the Dridex botnet’s distribution channels to find and infect victims. This utilization of an established banking malware’s distribution channels may explain why Locky only took two weeks to become the most prolific ransomware impacting MS-ISAC members in the months of April and May.
  • For the first time in May 2016, there was a recorded incident of Cyber Threat Actors refusing to decrypt files after payment, and instead asking for more money. The private sector entity did not pay the second time (thank goodness!).
  • Beyond encrypting files, a newer variant of Cerber leverages the infected machines for additional nefarious purposes, such as launching distributed denial of service (DDoS) attacks. Cerber is believed to be one of the variants utilizing the RaaS model, and was the second most popular ransomware observed on MS-ISAC monitored networks in the month of May. Cerber also has a creepy text-to-speech component which reads the ransom out loud.
  • Initial versions of CryptXXX had a Bitcoin mining component, but the latest version includes a keylogger for stealing credentials, making it the first popular ransomware to contain an information-stealing component.

We expect that throughout the remainder of 2016 the ransomware threat will continue to increase as more cyber threat actors move into developing and deploying ransomware. The movement to RaaS will only expand this trend as ransomware becomes more available to a broader range of less sophisticated cyber threat actors who are likely to use additional deployment techniques. MS-ISAC recommends taking several steps to reduce your likelihood of becoming a ransomware victim, which are outlined in more detail in the MS-ISAC Ransomware Security Primer.