USA +1 813 304 2544 IRL +353 91 54 55 00

Ransomware will continue to evolve in 2017

Ransomware in 2016 Review & What’s ahead for 2017

Ransomware got its start in the late 1980s, but 2016 can rightly be called the year of ransomware. The most famous ransomware attack of 2016 was against Hollywood Presbyterian Medical Center in Los Angeles in March. The hospital paid a $17,000 ransom to decrypt its data.

Some interesting figures :

  • Malwarebytes reports that more than 26% of ransomware attacks blocked by its cybersecurity software were aimed at US users.
  • According to the Federal Bureau of Investigation (FBI), more than $209 million in ransomware payments were made in the US in the first quarter of 2016. This was a 771 percent increase over a reported $24 million for the whole of 2015.
  • Furthermore, attacks on business increased three-fold between January and the end of September. Then In September the FBI announced that there were 100,000 computers infected by ransomware in a single day.
  • It’s hard to believe that ransomware comprises less than one percent of total infections

And most ransomware attacks consumers, not businesses. A recent IBM survey of 600 business leaders in the U.S. revealed that almost half of all businesses have been hit by ransomware. And of those, seventy percent have paid the ransom. In 2015, the average ransom was a few hundred dollars per user. According to the Trend Micro, at the end of 2016 the average ransom was over $700, with 20 percent of organizations reporting demands for over $1300. Even after paying the ransom, Trend Micro has found that one in five organizations never get their data back.

Ransomware can affect any type of computer. It became the biggest cyberthreat on Android devices in the first half of 2016 in the U.S., U.K., Germany, Australia and Denmark. According to Bitdefender, ransomware constituted more than half of the malware detected.

Why has ransomware become such as menace?

There are many reasons for the upswing in ransomware:

  • Bitcoin has become an easier and more accepted form of payment. Attackers prefer a currency that does not involve financial institutions, both for traceability and for international currency purposes. These requirements are met by Bitcoin. Bitcoin transactions are not anonymous but require significant effort to be accurately traced and can even be “laundered” as money is.
  • Attackers want strong encryption to prevent users from recovering files unless they pay a ransom. It is only recently that higher-level encryption technology such as 2048-bit version of the RSA cryptographic algorithm has become more widely available.
  • Asymmetric (public key) encryption is widely available on even the oldest computers in use. Many of the recent generations of ransomware use a combination of symmetric and asymmetric encryption. Symmetric encryption is fast. This is an advantage because it has a higher probability of completing encryption before the infection is discovered. If the victim discovers the symmetric key before encryption is complete, the data can be decrypted. Asymmetric encryption is slower but more secure. Attackers can encrypt the victim’s files rapidly using symmetric encryption and then employ asymmetric encryption to encrypt the symmetric key. As a result, the more secure but slower asymmetric method is needed to encrypt only one file.
  • There is money to be made. Cybercriminals know that it is a lucrative business model. As of December, SamSa ransomware extortionists earned $450K by targeting primarily healthcare organizations.
  • Attackers no longer need to be tech-savvy since most ransomware is available as packaged exploit kits.

Which industries are at the most risk for ransomware?

Some of the most publicized attacks in 2016 involved healthcare, but the problem is more widespread. A new report from BitSight  declares education is the industry most likely to be hit, with 13% of educational organization slammed by ransomware. The report analyzed the cybersecurity performance of nearly 20,000 companies across government, healthcare, finance, retail, education, and energy/utilities.

Ransomware has hit about

  • 6% of government agencies
  • 3.5% of healthcare organizations.
  • The lowest risk was in the financial sector, with only 1.5% of companies affected.

Education is a target for multiple reasons:

The sector tends to have smaller budgets, and thus less up-to-date hardware and software.
Education normally has smaller IT staffs than other industries, so there are fewer software updates and security monitoring.
File sharing both within the institution and with outsiders is high compared with other industries. A BitSight report released earlier this year found that about 58% of academic institutions allowed file sharing on their networks.
Some security analysts believe that schools may be more likely to pay for the information to avoid HIPAA concerns and other regulatory violations. For example, In June, the University of Calgary paid a $20,000 CDN ransom after attackers encrypted its email system.

Types of ransomware in 2016

At the start of 2016, TeslaCrypt and Locky were the biggest ransomware threats, spread by spam attacks. It appears that many businesses affected by the onslaught beefed up their security. As a result, ransomware increasingly affected consumers as opposed to businesses as 2016 progressed.

Well-established ransomware such as CTB-Locker, CryptoWall and Shade  were joined by Cerber, CryptXXX, and Locky. Locky has so far been spread across 114 countries. The year saw increasing variation in the construction of ransomware and the vectors used to deliver it.

At the beginning of 2016 CryptoWall 4.0 attacks rose, including a new variation targeting outdated versions of Flash Player. The payload was delivered via malicious pop-under ads whereas the majority of past ransomware  used spam, phishing emails, and attachments. In November, it was discovered that Cerber 5.0.1 ransomware was spreading via Google and Tor2Web proxies. New ransomware families appeared in different programming languages, such as JavaScript, PHP, PowerShell, or Python. VindowsLocker ransomware emerged in November. It locks up a victim's computer and then asks the person to call a Microsoft customer support number for help. When the user pays the over $300 fee for decryption, he is hung out to dry.

There were new functions and threats added to ransomware as well. Ransoc has been tailored to gather information on the victim. Social media profiles and local files are probed, and users whose PCs contain questionable content are threatened with court action if they fail to pay the ransom. CryptXXX has a feature to gather Bitcoin wallet data and send it to the attackers. Some Cerber ransomware infects the victim’s computer with a botnet to carry out distributed denial of service (DDoS) attacks. Chimera threatens to post the victim’s files, including pictures and videos, on the internet.

The Franchise Model & Ransomware

The franchise model invaded the ransomware world. CTB Locker and Chimera offered its victims an opportunity to become an “affiliate”, with a 50 percent commission for selling the ransomware as a service.  Popcorn Time ransomware waives payment from its victims if they try to infect a few friends.

No More Ransomware Project

The most significant anti-ransomware move was the foundation of the No More Ransom project. Kaspersky Lab, Intel Security, the National High Tech Crime Unit of the Netherlands' police, and Europol's European Cybercrime Centre formed the group. In October, law enforcement agencies from 13 additional countries joined the project, twelve in Europe in addition to Colombia. The project expanded further in December with 30 more members.

No More Ransom offers victims a Crypto Sheriff tool to determine the type of ransomware affecting their devices. If available, tools are then employed to decrypt the victims’ data. In December, 32 new decryption tools for various ransomware variants were added.

Other good news on the ransomware front includes:

  • White hats continued to attack command and control servers.
  • Microsoft reported that Windows 10 is 58% less likely to be affected by ransomware than Windows 7.
  • In May,TeslaCrypt shut down and the master decryption key was released.
  • Police shut down Encryptor RaaS and Wildfire variants.
  • In July, about 3,500 keys for Chimera were publicly released.

What does 2017 hold?

Most security experts think that in 2017 ransomware will continue to be one of the biggest security problems across computing devices. They foresee further mutation of coding, techniques, and delivery mechanisms.  From an insurer’s point of view, the Beazley Breach Insights report predicts ransomware attacks against businesses will be four times higher in 2017 than last year. It is predicted that attacks will peak in mid-2017 and then start to fall off for a combination of reasons:

  • The No More Ransom project
  • The availability of new antiransomware technologies
  • Increased use of cloud backup
  • Continued law enforcement actions

Some analysts see the Internet of Things (IoT) as the next big target. McAfee predicts that ransomware will attack Internet-enabled medical devices. More than a few security experts believe that cars will be held for ransom in 2017. Attacks on IoT have already begun; consider the San Francisco Muni event at the end of 2016. But the Federal Trade Commission and the Federal Communications Commission declared in December that IoT security will be a top enforcement priority for 2017. This decision was made after the recent DDoS attacks against Dyn, causing outages of many popular websites.

An interesting forecast was made by Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center, in an SC Magazine article ( ). She is dreading the advent of “integrity attacks” where cybercriminals alter an organization’s data. “The more insidious prospect would be for a criminal group to claim that they made such an alteration, but actually didn't,” she says. “It's almost impossible to prove a negative, but it will tie up the victim nonetheless as they try to confirm or deny it.”


In terms of the network security landscape it’s  been a bumpy ride in 2016, and ransomware will continue to provide some further bumps for 2017. In 2017, ransomware will become more virulent and widespread. The ransomware epidemic will continue to grow exponentially.

As the number of ransomware families explodes and new variants come out at a rapid pace criminals are expected to collect at least $5 billion in 2017. A rigorous data protection program  that includes the routine creation of on-premise, cloud and offline backups  will remain the only effective mechanism for defeating ransomware attacks.

Related Posts :

11 things to do to decrease your chance of a malware infection 

The Biggest Data Breaches & Hacks of 2016 by Industry


Need Help Ordering?

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Contact Us