This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

UPDATE (June 15, 2016): This post has been updated to include new
data on ransomware activity, which is also now broken down by region.

Cyber extortion for financial gain is typically carried out in one
of two ways. The first method is a business disruption attack – a
category we discussed at length in M-Trends
. In this type of attack, threat actors target an
organization’s critical business systems, capture confidential data
and threaten to do something malicious with that data (such as expose,
delete, or encrypt it) unless a ransom is paid. This method is
generally more targeted, requires a greater deal of finesse on the
part of the threat actors, and often has a greater potential payout.

Ransomware is the other common method of cyber extortion for
financial gain. Ransomware
is a type of malware that prevents users from interacting with their
files, applications or systems until a ransom is paid, typically in
the form of an anonymous currency such as Bitcoin. While individual
computer and mobile device users have long been targets of ransomware,
the threat has expanded. Ransomware has gained publicity in recent
months through mainstream media coverage of ransomware attacks against
organizations, namely hospitals.

While the end goal is the same – some type of financial payout to
the attacker – not all ransomware operates the same way. The
file-encrypting variety is perhaps the most dangerous. This is because
the targeted files, which often contain users’ or organizations’ most
valuable data, become useless without the decryption key. The issue is
compounded because paying the ransom offers no guarantee that the
files will be unlocked, thus making frequent backups the best defense
against ransomware.

Since the average ransom demanded from an individual user is
relatively low (typically a few hundred dollars, if that), threat
actors distributing ransomware typically follow the “spray and pray”
tactic of sending out as many lures as possible – emails with
malicious attachments or links to malicious websites, for example – to
maximize their potential gains.

Ransomware Spike in March

Based on data from FireEye Dynamic Threat Intelligence, ransomware
activity has been rising fairly steadily since mid-2015. We observed a
noticeable spike in March 2016. Figure 1 depicts the percentage of
ransomware compared to all malware detected on FireEye products from
October 2015 to May 2016.

Figure 1: Ransomware detections from August 2015 to May 2016

The spike is noteworthy, and consistent with other observations. In
March 2016, FireEye Labs detected a significant rise
in Locky ransomware
downloaders due to an email spam campaign
targeting users in more than 50 countries. The malicious email
attachments pretended to contain an invoice or a picture, but opening
the attachment led to an infection instead.

Ransomware in the Media

There is no denying the satisfaction an attacker feels when their
exploits make the news. For threat actors distributing ransomware, the
satisfaction is even greater when the headlines report that the victim
paid the ransom. A recent blitz of ransomware reports in the media –
as well as the follow-up success stories – may have spurred other
attackers to get in on the action, possibly resulting in the March
ransomware activity spike. The Petya ransomware, for instance,
includes links to recent media articles on its ransom payment page, as
shown in Figure 1.

Figure 2: FireEye Threat Intelligence in 2016
uncovered Petya ransomware advertising links to recent media
articles on their ransomware payment page

Hollywood Presbyterian Medical Center incident

In early February, Hollywood Presbyterian Medical Center (HPMC) was
in the media spotlight after their systems became
infected with file-encrypting ransomware
. Midway through the
month, Allen Stefanek, president and CEO, wrote
that staff had trouble accessing the network beginning Feb. 5. He
explained that malware locked access to certain computer systems and
prevented the sharing of communications electronically, and indicated
that a ransom of 40 Bitcoins had been requested (approximately $17,000
at the time).

“The quickest and most efficient way to restore our systems and
administrative functions was to pay the ransom and obtain the
decryption key,” Stefanek wrote. “In the best interest of restoring
normal operations, we did this.” HPMC restored its electronic medical
record system and cleared all systems of the malware by Feb. 15.

Continued targeting of hospitals

Attackers may have taken a hint that hospitals are a lucrative
target. Later in February, The
Register reported
that file-encrypting ransomware infected the
systems of Lukas Hospital and Klinikum Arnsberg hospital – both in
Germany. Then in March, Ars
Technica reported
that data at Union Memorial Hospital in
Maryland – as well as other MedStar hospitals in the Washington, DC
area – were encrypted by ransomware, and that the requested ransom was
45 Bitcoins, or about $18,500 at the time.

The targeting of hospitals is no surprise. Cyber criminals have been
increasingly turning to industries such as healthcare that possess
critical data but may have limited investment in security across their
enterprise. With hospitals, budget dollars often go towards surgery
wards, emergency care centers and supplies for a large number of
patients – not security. This makes for a tricky issue, since
hospitals cannot operate without the necessary patient data stored in
their systems.

Other Factors Influencing Uptick in Ransomware Activity

High-profile media coverage of ransomware is certainly attracting
attackers, but that is not the only factor driving the uptick in
activity. The following are some additional factors contributing to
the increase:

  • Relatively high profit margins coupled with the relatively low
    overhead required to operate a ransomware campaign have bolstered
    the appeal of this particular attack type, fueling market demand for
    tools and services corresponding to its propagation. For example,
    in 2015
    we observed a small-scale ransomware operation that
    nevertheless likely netted the perpetrators about $75,000.
  • The success of prolific ransomware families such as CryptoWall
    has provided a blueprint for aspiring ransomware developers,
    showcasing increasing profit margins and campaign sustainability.
    According to the FBI’s Internet
    Crime Complaint Center
    (IC3), CryptoWall generated identified
    victim losses totaling more than $18 million between April 2014 and
    June 2015.
  • The emergence of several new ransomware variants
    adopting a ransomware as a Service (RaaS) framework since mid-2015,
    a phenomenon likely driven by the competitive development of quality
    goods and services within the cyber crime ecosystem. Based on
    multiple factors, RaaS offerings – which are uniquely poised to
    capitalize on current underground marketplace demand for ransomware
    – are highly likely to fuel an increasing number of ransomware
Ransomware Variants

Through this discernible uptick in ransomware activity from mid-2015
to early 2016, FireEye has observed significant growth and maturation
of the ransomware threat landscape – predominately involving the
proliferation of myriad new variants.

Prolific Ransomware Families

We continue to observe the sustained distribution of multiple,
well-established ransomware families used in both geographically
targeted and mass infection campaigns. In multiple cases these
renowned variants, such as CryptoWall and TorrentLocker, spawned
updated variants with improvements in either encryption capabilities
or obfuscation techniques. These established ransomware brands will
continue to pose a significant threat to global enterprises, as
malware functionality, encryption techniques and counter-mitigation
measures are adapted and successfully introduced into updated
variants. Examples include:

  • TorrentLocker: Throughout 2015, FireEye observed continued
    distribution of TorrentLocker, a ransomware family based on both
    CryptoLocker and CryptoWall. According to multiple open-source
    reports, TorrentLocker has been active since at least early 2014 and
    is most often distributed in geographically-specific spam
  • CTB-Locker: CTB-Locker – a name that represents the key
    elements of the ransomware, namely Curve (for Elliptic Curve
    Cryptography), Tor and Bitcoin – was first seen around mid-2014 and
    remained active throughout 2015. During this reporting period, we
    observed multiple campaigns propagating CTB-Locker and its variants,
    including CTB-Locker distributors capitalizing on Windows 10
    releases and free upgrades by sending
    out spam campaigns citing Windows 10 upgrades in

Novel Ransomware Variants

We have also observed several new ransomware variants that
incorporate a range of new tactics, techniques and procedures (of
varying degrees of technical practicality). Based on the increased
growth in this area, we expect ransomware developers to continue
equipping ransomware variants with novel features in order to expand
targeted platforms and increase conversion ratios.

  • Chimera: The operators behind the  Chimera ransomware not
    only used the malware to encrypt victims’ files, but further
    threatened to publish the encrypted data if victims failed to pay
    the ransom. The threat actors began targeting German-based small and
    medium-sized business enterprises around mid-September 2015.
  • Ransom32: Ransom32, first publicly reported in late December
    2015, is purportedly one of the first ransomware variants based
    entirely on JavaScript, potentially allowing for cross-operating
    system (OS) compatibility and packaging for both Linux and Mac
  • LowLevel04: According to open-source
    , operators of LowLevel04 purportedly spread the
    ransomware using the unconventional infection mechanism of
    exploiting Remote Desktop and Terminal Services.
  • Linux.Encoder.1: According to open-source
    , Linux.Encoder.1 debuted in late 2015 as one of the
    first ransomware variants targeting Linux web-based servers. While
    the encryption capabilities of the earliest variants proved to be
    suspect – with multiple reports alleging faults in its predictable
    encryption key – the targeting associated with this malware family
    represents a deviation from more traditional Windows-based
Outlook and Implications

We expected to see the ransomware threat landscape sustain, if not
exceed, levels observed in 2015 – and so far we have been right. Cyber
extortion has gained significant notoriety, with illicit profits
garnered from highly publicized campaigns undoubtedly resonating among
cyber criminals. Recent campaigns in which targeted victims paid the
ransom demand reinforce the legitimacy and popularity of this
particular attack method.

One of the most worrying threats concerns the targeted deployment of
ransomware after the attackers have already gained a foothold in the
network. In these cases, threat actors may be able to conduct
reconnaissance to strategically disable or delete backups and identify
those systems most critical to an organization’s operations before
deploying the ransomware. To increase the difficulty of such an
attack, enterprises are encouraged to properly segment networks and
implement access controls. In addition, enterprises should evaluate
backup strategies regularly and test those backups to ensure that
recovery is successful. Finally, copies of backups should be stored
offsite in case onsite backups are targeted.

Learn more about ransomware during our webinar on May 19, 2016, at
11:00am EDT. You
can register here.


At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,