White paper: 100 new ransomware families ID'd in 2015, as campaigns adopt APT tactics

In its new special report Ransomware and Businesses 2016, Symantec declares that within the last year, ransomware has rapidly advanced in maturity and severity, while also exploding in terms of overall numbers.

Since the end of 2015, the average ransomware demand has risen in price from £223 to £526, Symantec reports.

If the threat that ransomware poses to your corporate systems hasn't already been keeping you awake, the researchers at Symantec have added some more nightmare-fuel in the form of a new white paper.

In its special report Ransomware and Businesses 2016, the cybersecurity firm declares that within the last year, ransomware has rapidly advanced in maturity and severity, while also exploding in terms of overall numbers.

According to Symantec's analysis, the average ransom demand has more than doubled in price since the end of 2015, from £223 to £526. Last year was also a high-water mark for the number of new ransomware families discovered in one year – an even 100 in total.

"The rapid rise in the amount of ransom demanded is rather surprising. Though this is to be expected when you have a product that everyone wants. Given the larger number of people willing to pay, the price was going to rise," said Kevin Haley, director of security response at Symantec, in an email interview with SCMagazine.com.

In some cases, cyber-criminals are leveraging big data to optimise their pricing schemes. "It's easy for them to collect. They can look at data and do A/B testing and can figure out what works and what prices are optimal," Haley continued.

From the second quarter of 2015 to Q2 2016, overall ransomware incident totals ranged between 23,000 and 35,000 infections per month, the report continued – with a high of 56,000 in March, corresponding with the debut of Locky ransomware.

Individual consumers comprised 57 percent of all infections between January 2015 and April 2016; however, attacks against organisations continue to slowly trend upward, the report cautions. Individual infections are often the result of spray-and-pray spam campaigns, but attacks against organisations tend to be more targeted and strategic, sometimes even employing tactics often linked to advanced persistent threats (APTs).

To that end, the report cites a recent case study in which a large organisation suffered a Samsam ransomware outbreak that encrypted data on hundreds of computers and knocked corporate systems offline. In this case, the attackers exploited an unpatched vulnerability to compromise the organisation's web server, then moved laterally around the victim's network using legitimate tools to avoid detection.

In some cases, attackers will stay in a compromised system for months, gathering intel for reconnaissance before finally executing the payload, the report notes.

Haley expects more ransomware distributors to follow suit and adopt these APT strategies. "Imitation is evolution. Those tactics that work for the gang that introduces them will be rapidly adopted by others," he said.

From a global distribution perspective, the U.S. suffered the highest share of ransomware infections between January 2015 and April 2016, with 32 percent. Italy and Japan (eight percent each) tied for a distant second, as attackers focused their efforts on developed, affluent nations, Symantec reported.

During that same time period, the “services” sector was the most affected industry, claiming 38 percent of all ransomware infections. The manufacturing industry was next with 17 percent of attacks, followed by public administration (10 percent) and finance, insurance and real estate businesses (also 10 percent).

The report even cites an unusual case in which cyber-criminals infected a company with fake CryptoWall ransomware that appeared to encrypt files, but actually just overwrote them with junk data. The malware, called PhonyWall, was actually a decoy meant to divert attention away from the attackers' true motive: data theft. It's just another way the ransomware landscape continues to evolve.