Ransomware at The Tipping Point

Posted by Masayoshi Someya

In the past, we saw malware outbreaks such as LoveBug, SQL Slammer, and DOWNAD, but we haven’t seen such an epidemic for almost a decade now. Malware outbreaks were supposed to be a thing of the past. However, 2016 became an unprecedented year in the modern era of cyber security, and the game changer was ransomware.

Ransomware is a very different type of cyber threat in the modern era, in the sense that cybercriminals let you know that you have been hit by an attacker. This is a stark difference from modern threats such as targeted attacks, which employ tactics of invisibility for the sake of stealing information such as trade secrets, PII and so on.

Up to a couple of years ago, ransomware was becoming a major threat, especially for consumers. However, due to the nature of the crime, which demands ransom in exchange for a way to decrypt encrypted data, it was only a matter of time before cybercriminals started using the same threats to target businesses. It was no surprise that cybercriminals started targeting businesses, because of the nature of the data they deal with on a daily basis (financial sheets, sales reports, customer data). Without that data, business operations will be severely affected.

In 2016, Trend Micro received more than 2,000 ransomware cases from enterprise organisations in Japan in desperate need of data recovery*¹. The volume of ransomware cases filed was 3.5 times more than the previous year. We saw the number of new ransomware families grow from 29 to 247, a 752% increase in 2016, indicating that the threat became a gold mine for cybercriminals*². These stats show how serious the issue of ransomware was in 2016.

One of the key factors in the ransomware epidemic in the enterprise is the fact that affected entities ended up paying a huge sum of ransom in order to get business back to normal. According to our survey, a staggering 62.6% of respondents who were hit by a ransomware infection ended up paying ransom in exchange for a key to decrypt their data*³. Also, among those who paid ransom, 57.9% paid over 3 million Japanese Yen (approximately 28,000 US dollars) to recover their files*³. It goes to show that, for cybercriminals, the extortion tactic is much more profitable when targeting businesses than consumers.

The other factor is the availability of Ransomware-as-a-Service (RaaS), which made it easier for newbie or less-technical cybercriminals to adopt the criminal tool to fool the victim. RaaS is available in the cyber underground market, which provides the necessary platform for cybercriminals to carry out their own extortion campaigns.

We detected and blocked 79% of the ransomware threats in the form of email or spam messages, with either a malicious attachment or URL*². If we look at the types of spam messages that distribute ransomware, the vast majority of them looked suspicious enough, with subjects and short messages like ‘Invoice’, ‘Annual report’, and so on, as well as a malicious attachment in the form of JavaScript or executables. This reminds us of the unfortunate and dark reality that cyber awareness among corporate staff members is much lower than we would have hoped. As much as technical measures need to be reinforced, organisational measures such as regular staff training or awareness campaigns are also crucial in order to prevent or mitigate the risk of ransomware. Employees need to be cautious of suspicious emails - check the sender, text, attachments and links. If in doubt, don’t click - even inadvertently.



*1: The number of ransomware cases filed to Trend Micro by enterprise customers in 2016

*2: 2016 Annual Security Roundup

URL: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup

*3: Enterprise ransomware survey, Trend Micro

URL: http://www.trendmicro.co.jp/jp/about-us/press-releases/articles/20160727064652.html

Masayoshi Someya

Senior Security Evangelist, Trend Micro

