This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled, who encountered ransomware at least once in a given period, as well as research into the ransomware threat landscape by Kaspersky Lab experts.
This report covers the evolution of the threat from April 2016 to March 2017 and compares it with the period of April 2015 to March 2016.
In May 2016 Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive's master boot record (MBR), leaving infected computers unable to boot into the operating system.
The malware is a notable example of the Ransomware-as-a-Service model, when ransomware creators offer their malicious product 'on demand', spreading it by multiple distributors and getting a cut of the profits. In order to get their part of the profit, the Petya authors inserted certain "protection mechanisms" into their malware that do not allow the unauthorized use of Petya samples.
While Ransomware-as-a-Service is not a new trend, this propagation model continues to develop, with more and more ransomware creators offering their malicious product. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own malware.
Notable examples of ransomware that appeared in 2016 and used this model were Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.
In early 2017, Kaspersky Lab's researchers have discovered an emerging and dangerous trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses.
The attacks are primarily focused on financial organizations worldwide. Kaspersky Lab's experts have encountered cases where payment demands amounted to over half a million dollars.
The trend is alarming as ransomware actors start their crusade for new and more profitable victims. There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences.
The analysis in this report attempts to assess the scale of the problem, and to highlight possible reasons for the new angles of ransomware developments globally.
Based on the statistics and trends described in this report, we have come to the following conclusions:
Along with these conclusions we believe that the current ransomware threat landscape provides a good basis for several predictions on how this threat will evolve in the future.
Through technology: Kaspersky Lab provides a free anti-ransomware tool which is available for all businesses to download and use, regardless of the security solution they have installed.
Through collaboration: The No More Ransom Initiative. On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project - a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data. The online portal currently carries 50 decryption tools, seven of which were made by Kaspersky Lab. Since the NMR launch, more than 29.000 victims from all over the world have been able to unlock their files for free thanks to Kaspersky Lab tools. The NMR portal is currently available in 14 languages: English, Dutch, French, Italian and Portuguese, German, Spanish, Slovenian, Finnish, Hebrew, Ukrainian, Korean, and Japanese.
KSN Report: Ransomware in 2016-2017 (full report, English):