Ransomware
WannaCry, Petya - just the tip of the iceberg?
According to a report by Trend Micro, the number of ransomware families detected in 2016 rose dramatically by around 750% compared to the previous year. Industrial control systems could also increasingly become the focus of blackmailers, according to the cyber security experts.
WannaCry, Petya - there is hardly anyone who has not heard of the latest successful ransomware attacks. However, they are just the tip of the iceberg, as the new Trend Micro report 'Ransomware: past, present and future' shows. In 2016 alone, hackers extorted over one billion US dollars through malware attacks. At the same time, the number of ransomware families discovered rose from 29 in 2015 to 247 in 2016.
Top file types in ransomware-related spam in 2016 (The significant increase in JavaScript (JS) attachments in November was caused by Nemucod, a known Locky ransomware dropper).
© Trend Micro Germany
Ransomware often leaves victims with no choice but to pay if they do not want to jeopardize their ability to do business. However, paying the ransom does not always mean that victims will get their data back.
Ransomware enters computers and devices in various ways, including via spam (with malicious attachments or embedded links), compromised or specially created malicious websites or exploit kits (most notably the infamous Angler).
This should give the industry food for thought: Malware behaviors have changed over the past two years in that attackers began targeting companies instead of individuals. In addition to infecting computers and mobile devices, the ransomware also targeted network shares and removable media as well as servers. Some families also encrypted selected file types, such as database files, in order to make a higher profit. The blackmail messages also evolved. All possible forms of intimidation were used - including countdown timers showing how long remains before the data is deleted, and threats to increase the ransom amount. Some variants, such as Doxware, even threaten their victims with the publication of their data if they refuse to pay.
Ransomware-as-a-Service
Another aspect that gives cause for concern: Using the Ransomware-as-a-Service (RaaS) business model, resourceful cybercriminals are increasingly offering their malicious creations to others for a fee or a percentage of the profits. Do-it-yourself ransomware kits are also available on underground markets and forums. And those lacking the money to do so can use web repositories where open-source ransomware, such as Hidden Tear, is available for free.
The ransom demanded is usually between 0.5 and 5 Bitcoins in return for the decryption key. Some variants increase the demand the longer payment is delayed. In this context, it is important to note that the Bitcoin exchange rate is rising. In January 2016, one Bitcoin was worth 431 US dollars; by the end of March 2017 it was already worth 1082 US dollars.
Recent developments
Overcoming security solutions installed on computers and other devices has always been a challenge for ransomware. However, a few families introduced new ways to evade detection. TorrentLocker embedded compromised Dropbox URLs in phishing emails and also used Nullsoft Scriptable Install System (NSIS) for encryption to evade installed security solutions. The Dropbox URL leads to the download of a ransomware variant disguised as an invoice or similar document and hosted on a legitimate site, so that access to it is not blocked.
Hermes, another ransomware variant, scans a victim's computer and unmapped network shares for files to encrypt, then deletes system restore points and reduces the maximum allocated size for shadow copy storage to 410 Mbytes, so that the victim cannot simply restore earlier versions of the encrypted files.
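The shadow-copy tampering described for Hermes is one of the more reliable detection opportunities a defender has, because the commands involved are almost never run by ordinary users or business software. The following Python is an added example, not code from the Trend Micro report or this article: it scans constructed Sysmon-style process-creation log lines (sample data, not real telemetry) for deletion of shadow copies and shrinking of shadow storage. The rule names, the log line format and the 1 GB "suspiciously small" threshold are assumptions; the example also flags deletion via WMIC, which the article does not mention, because it achieves the same effect.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style, one per line).
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=410MB"
EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"
EventID=1 Image=C:\Program Files\Backup\backup.exe CommandLine="backup.exe --full"
""".strip()

CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')
SIZE_UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}
# Assumption: shadow storage capped below 1 GB on a workstation is worth an alert of its own.
SMALL_STORAGE_BYTES = 1024 ** 3


@dataclass
class Alert:
    line_no: int
    rule: str
    command: str


def parse_maxsize(value):
    """Turn the /maxsize argument of 'vssadmin resize shadowstorage' into bytes.

    Returns None when no absolute size can be judged: UNBOUNDED, a percentage
    of the volume, or a value in a form we do not recognise.
    """
    v = value.strip().lower()
    if v == "unbounded" or v.endswith("%"):
        return None
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb|tb)?", v)
    if not m:
        return None
    number, unit = m.groups()
    return int(number) * SIZE_UNITS.get(unit, 1)  # bare number means bytes


def image_name(token):
    """Base executable name without directory, quotes or .exe, e.g. 'vssadmin'."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return the name of the rule a command line triggers, or None if it is benign."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = image_name(tokens[0])
    args = [t.lower() for t in tokens[1:]]
    if exe == "vssadmin":
        if "delete" in args and "shadows" in args:
            return "vssadmin_delete_shadows"
        if "resize" in args and "shadowstorage" in args:
            maxsize = next((a.split("=", 1)[1] for a in args if a.startswith("/maxsize=")), None)
            size = parse_maxsize(maxsize) if maxsize is not None else None
            if size is not None and size < SMALL_STORAGE_BYTES:
                return "vssadmin_shrink_shadowstorage"
            return "vssadmin_resize_shadowstorage"
    if exe == "wmic" and "shadowcopy" in args and "delete" in args:
        return "wmic_delete_shadowcopy"
    return None  # 'vssadmin list shadows' and normal software fall through here


def scan(log_text):
    """Scan process-creation log lines and return one Alert per suspicious command."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        rule = classify(m.group(1))
        if rule:
            alerts.append(Alert(line_no, rule, m.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.rule}: {alert.command}")
```

The rules key on the executable name and the verb/noun pair rather than on an exact command string, so argument order and the `/all /quiet` switches do not matter; `vssadmin list shadows`, which backup and monitoring tools legitimately run, is deliberately not flagged. In production the same logic would read Sysmon Event ID 1 or Windows Security Event ID 4688 from the SIEM, with backup agents allow-listed by image path and signer.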
Even if these routines are not entirely new, they still work and are used by ransomware. A typical example of this is the WannaCry/WCRY ransomware variant. Originally embedded in spam via malicious Dropbox URLs, it took an unexpected turn in May: it began exploiting a recently patched vulnerability in SMB servers, and one of the largest ransomware attacks to date ensued.
Over the next few years, Trend Micro believes that ransomware will change: So far, ransomware actors have attacked hospitals and transportation service providers, among others. What is to stop them from attacking larger targets such as industrial robots in manufacturing or smart city infrastructures? In short, online extortion is moving from holding computers and servers hostage to any inadequately protected networked device, including smart devices and critical infrastructure.