How ransomware attacks have changed one year after Wannacry and NotPetya

Ransomware continues to garner headlines. However, this particular blight appears to be abating. Since 2015, the number of ransomware families and variants has decreased by about 50 percent. For organizations fighting this threat, this means that ransomware is no longer the in vogue malware.

At the height of ransomware attacks in 2015, anyone who was in the business of creating malware seemed to be creating their own ransomware strain. Ransomware was seemingly easy money for cybercriminals, and everyone was jumping on the bandwagon. However, a groundswell response from the security community stemmed the flow of payouts. Ransomware that was either poorly coded or had a flaw in its encryption implementation was quickly defeated by countermeasures that either stopped the initial attack or allowed affected users to retrieve their files without paying the ransom. This created a wholesale market shift in the cybercriminal underground that has largely wiped out ransomware as the top threat for monetization.

How NotPetya and WannaCry hurt ransomware's profitability

Further reducing the profitability of ransomware as a business model was 2017’s widespread global infections of WannaCry, which occurred in May, and NotPetya, which occurred in June. Both ransomware variants rendered systems inoperable, going against the fundamental tenet of ransomware that access to files is denied until the ransom is paid. People are less willing to pay if their only exposure to the malware is a broken compact.

This has all served to evolve the ransomware threat rather than eliminate it. What we are faced with now is a threat that is leaner, more capable and more focused. The malware authors who stuck with ransomware as their primary means of monetization have greatly refined the variants they work on. Some groups even appear to be following software engineering management best practices, with rapid iterations and improvements. The criminals still using ransomware are more targeted in what they are trying to do. There is still the background noise of exploit-kit- and malvertising-delivered ransomware, but there is also a steady increase in the targeting of institutions to maximize profit. Municipal governments, and industries that don’t rely on intellectual property as a core profit generator but have a large number of systems, are targeted most often. The IT infrastructure of manufacturers, hospitals, utility providers and logistics companies lends itself to extortion better than systems that can be easily backed up.

Ransomware is here to stay. However, it’s changed from a ubiquitous threat to one that is manageable and more targeted. This is a mixed blessing for those in security. On the one hand, the fad is fading and that allows us to focus on more foundational issues to protect against a broader spectrum of threats. On the other, there is no singular large threat. That means it will be harder to predict what the next intrusion into a network is going to look like. It is now equally likely to be one of half a dozen categories (banking Trojans, adware, rootkits, browser hijacks, password loggers), making foundational security more important but also less effective than a specialized program against a particular, oversized threat.

Ross Rustici
About the Author

Ross Rustici is Cybereason's Senior Director of Intelligence Services.