When does a gold rush end? Usually, when you run out of gold.
That’s basically the story of how the ransomware gold rush ended. If malware that holds files for ransom were still yielding easy millions for online criminals, it would still be surging. But it’s not, so it isn’t.
Ransomware attacks grew in volume by over 400% in 2017 compared with the previous year, but ransomware attacks became less frequent as the year progressed; a trend that has continued through 2018.
This leaves us with the question, why it stopped working? That answer is not so simple.
Was it the wild unpredictability of Bitcoin pricing which made it impossible for people to pay? Was it the improvements in antivirus that led to increased effectiveness in blocking the threat through spam? Was it the decline of exploit kits as a means of infecting users? Was it the massive awareness of the threat spread by the explosion of both WannaCry and NotPetya across the globe? Or was it just that all gold rushes tend to come to an end after the easy-to-find nuggets are plucked out?
The answer to this is; all of the above.
The rise and fall of ransomware
First, some history. In 2012, only one ransomware family had been identified; by 2015, there were 35 variants. That number reached 193 in 2016 and then hit 343 in 2017, with more than 45 new variants alone introduced in May of that year.
In that same month, we saw a worldwide ransomware attack unlike any before it.
On Friday 12th of May, WannaCry quickly spread through networks around the world thanks to its worm-like propagation method and exploitation of a vulnerability present in nearly all versions of Windows. The NotPetya attack—which the U.S. White House called “the most destructive and costly cyber-attack in history”—followed on 27th of June.
These threats, along with other prevalent families including Locky, Cryptolocker, and Cerber, led to a massive total attack volume that increased by over 400% in 2017 compared with the previous year.
An amazing nine out of ten ransomware detections that year came from WannaCry alone. But WannaCry earned a mere USD 140,000S in spite of its vast reach and notoriety.
Compare that with a real ransomware “success story”: in June 2017 a South Korean web hosting company paid a one million dollar ransom to cyber criminals after falling victim to a Linux variant of the Erebus – a rarity given that the vast majority of ransomware targets Windows.
After that WannaCry remained prevalent throughout the year but there was a decline in the emergence of new ransomware families along with a drop-off in ransomware attacks, in general.
So, what happened?
Did businesses wise up and begin doing the sort of backups and hardening of their networks that decreased their exposure to the threat?
Sure: Europol’s joint effort on the ‘No More Ransom’ project, where they offer free decryption tools for some ransomware infections, probably helped, too.
The demise of Adobe Flash as one of the most popular plugins on websites shifted criminals away from exploit kits, which enabled the attack vector known as drive-by downloads. People hoping to spread malware have to rely more and more on email spam and antivirus has become better at blocking threats spread by spam.
Some people may have stopped paying because the reputation of ransomware has been destroyed. F-Secure’s study of ransomware gangs in 2016 found they took customer care surprisingly seriously. Some worked with people who wanted to negotiate, and most of them showed a sincere interest in making sure victims got their files back. That was probably a smart strategy.
But even all these factors might not have stunted the spread of ransomware if Bitcoin had not gone wild.
Ransomware had been around before Bitcoin. But what made ransomware such a problem is that so-called “crypto-currencies” allow for some measure of anonymity for payments, especially Bitcoin.
At the end of 2017, it became much more difficult for average users to purchase Bitcoin. At one point, the crypto-currency was up more than 1500%, and then it went down and up and down again. In a single day, or even just hours, it gained or lost thousands of dollars. This makes it hard to pin down the right price for a ransom.
When criminals recognised the difficulty, they seemed to move on to new threats, like cryptojacking, the biggest new trend of 2018. Cryptojacking allows malware authors to co-opt victims’ browsers to mine cryptocurrency.
Does that mean our days of having to worry about ransomware are over?
There’s still gold in them thar hills. Ransomware is still a very potent threat, particularly to organisations. Dedicated extortionists will likely continue to focus on targeted ransomware attacks for the foreseeable future. The measures users have learned in the past couple of years should still be exercised.
- Make regular backups of your organisation’s data. Store the backups offline, so they can’t get infected too.
- Make sure you’re running a robust security solution that covers all your endpoints and provides layers of protection. This should protect against all the known ransomware threats that are out there, and block brand new zero-day threats.
- Train your employees on current social engineering tactics used in spreading ransomware. Teach them to be wary of emailed attachments and links, especially from untrusted senders. Make sure they are aware of their role in protecting your business data.
Written by Sean Sullivan, Security Adviser, F-Secure