Cybercrime: Ransomware attacks have more than doubled this year

File-encrypting malware attacks are back with a vengeance.
Written by Danny Palmer, Senior Writer

Ransomware attacks have more than doubled this year, as criminals turn to powerful new forms of file-locking malware and additional attack techniques to conduct campaigns that are more lucrative than ever before.

Ransomware came to the fore in 2017 because of the widespread impact of global campaigns WannaCry amd NotPetya. But shortly after that, ransomware appeared to fall out of favour with hackers, with many switching to campaigns based around cryptojacking attacks, trojan malware or credential theft.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

But while ransomware attacks never stopped completely – as evident by all of the campaigns targeting US cities – the network encrypting attacks are definitely back in vogue, with the McAfee Labs Threats Report for August 2019 noting a 118% rise in ransomware attacks in the first quarter of this year alone.

"After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach," said Christiaan Beek, lead scientist and senior principal engineer at McAfee.

While there's a vast amounts of different types of ransomware, McAfee researchers point to three families in particular that have been the most prolific: Dharma, Ryuk and GandCrab.

Dharma ransomware first emerged in 2016 as variant of Crysis ransomware but has gone on to become one of the most potent forms of ransomware in its own right. The authors of Dharma regularly release new updates for their product, ensuring that it can't be decrypted.

What makes Dharma so powerful is how it spreads by targeting internet-facing ports and remote desktops. In many cases, it can gain access to networks without even having to get a victim to click a link or download a malicious file from a phishing email.

Ryuk ransomware has also become a significant problem, with those behind it locking down entire organisations and demanding hundreds of thousands of dollars in bitcoin in exchange for decrypting the files. The ransomware was initially attributed to North Korea, but now researchers believe that it's more likely to be the work of a cybercrime group rather than a nation-state.

GandCrab ransomware first emerged in 2018 and remained popular into 2019. Described by Europol as "one of the most aggressive forms of ransomware", GandCrab was on an affiliate model, its authors leased out the ransomware in exchange for a cut of the profits.

Several free decryption tools were released to combat GandCrab, but its developers kept releasing new versions and claiming to have made its users over $2 billion throughout its lifetime. The gang behind GandCrab have now ceased operations, claiming they've made enough money from their ransomware-as-a-service model.

A decryption tool for the most recent version of GandCrab is available from No More Ransom, a project that sees McAfee and other cybersecurity companies working with law enforcement to provide free tools that allow victims of ransomware to get their files back for free – and crucially, without paying criminals for the privilege.

SEE: 10 tips for new cybersecurity pros (free PDF)

While GandCrab may no longer be a threat, other forms of ransomware will rise up and take its place – especially given how so many organisations have chosen to pay six-figure sums after falling victims to an attack. That's despite law enforcement and security companies telling victims not to give into the extortion.

"Paying ransoms supports cybercriminal businesses and perpetuates attacks. There are other options available to victims of ransomware. Decryption tools and campaign information are available through tools such as the No More Ransom project," said Beek.

Organisations can help to avoid falling victim to ransomware attacks in the first place with simple steps like ensuring that RDP ports can't be accessed by default credentials and which can give attackers easy access to the network.

In addition to this, many forms of ransomware rely on known security vulnerabilities to function, so if operating systems and applications are patched and up to date, it can prevent malware getting a foothold into the network.

Organisations should also keep regularly updated offline backups of their data, so if the worst does happen, the systems can be restored without giving into the demands of cyber criminals.


Editorial standards