Recent ransomware attacks targeting schools, hospitals and local governments might suggest that cyber criminals have shifted away from distributing file-encrypting malware to individuals in favour of going after whole networks. But the most common ransomware campaign of the last six months is targeting home users.
Analysis of over 230,000 ransomware attacks that took place between April and September has been published by cybersecurity researchers at Emsisoft and one family of malware accounted for over half (56%) of reported incidents: the 'Stop' ransomware.
Stop – also known as DJVU – first emerged in late 2018 and several different variants are known to exist. The ransomware is typically distributed by torrent websites, often hidden in cracked versions of software that users are attempting to download while avoiding paying for the product.
However, this can come with an additional cost for the victim as Stop encrypts files with AES-256 encryption and demands a ransom of $490 in bitcoin in exchange for the decryption key. The ransom amount doubles after 72 hours in an effort to scare the victim into paying up immediately.
"While attacks against home users have declined, Stop proves that consumer ransomware continues to be profitable," Fabian Wosar, CTO at Emsisoft told ZDNet.
Commodity malware attacks remain common, but the most successful ransomware operations are making large amounts by compromising entire networks then demanding a ransom payment of hundreds of thousands of dollars in exchange for the network being restored.
In many cases, victims opt to pay the ransom because, despite the authorities recommending that they don't fund criminals, the ransomware-infected organisation wants to get business back up and running as soon as possible – and restoring the network from scratch can take a long time.
During the past six months, the most common family of network-encrypting malware uploaded to Emsisoft and ID Ransomware – a service that allows users to identify ransomware based on the ransom note – was a variant of Dharma ransomware, which uses the file extension .cezar.
Accounting for 12% of submissions between April and September, Dharma has existed in one form or another since 2016 but has noticeably spiked in recent months.
Attackers using Dharma infect victims using phishing emails, infected installers and weak or leaked RDP login credentials, moving throughout networks and infecting as many devices as possible, before finally pulling the trigger and encrypting all they can.
Those behind Dharma don't have a specific amount they ask for, instead tailoring their extortion demand depending on the size of the company compromised.
Phobos was the third most-reported ransomware over the past six months, accounting for 8.9% of submissions. Phobos first emerged early this year and closely resembles Dharma. The ransomware spreads by exploiting open or poorly secured RDP ports – and it's believed the attackers gain access to some of these by buying stolen credentials from underground forums.
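Both Dharma and Phobos are described above as getting in through weak, leaked or poorly secured RDP logins, so the first thing a defender can watch for is a burst of failed RDP logons from one source followed by a success. The script below is an added example written for this article, not code from Emsisoft, ZDNet or any of the ransomware families named; it runs a simple sliding-window detector over a handful of constructed Windows Security log entries (the event IDs 4625 = failed logon, 4624 = successful logon, and logon type 10 = RemoteInteractive/RDP are real Windows semantics; the IP addresses, usernames and timestamps are made up for the demo). The threshold and window are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not real logs).
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RDP.
SAMPLE_EVENTS = """
{"time": "2019-09-30T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:00:07", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:00:13", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:00:19", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:00:25", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:00:31", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2019-09-30T02:01:02", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"}
{"time": "2019-09-30T02:01:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"}
{"time": "2019-09-30T02:02:15", "event_id": 4624, "logon_type": 2, "user": "svc_local", "src_ip": "127.0.0.1"}
{"time": "2019-09-30T02:05:00", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
"""

# Assumed tuning values: five failures inside ten minutes is treated as a guessing attempt.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse JSON-lines log text into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"first_failure", "failed", "accounts", "success_after"}}.
    'success_after' records (user, time) of the first RDP success from a flagged
    source after the alert fired, i.e. the sign that guessing likely worked.
    """
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    accounts = defaultdict(set)    # src_ip -> usernames tried
    alerts = {}
    for event in events:
        if event.get("logon_type") != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons matter here
        src = event["src_ip"]
        if event["event_id"] == 4625:
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[src] if event["time"] - t <= window]
            recent.append(event["time"])
            failures[src] = recent
            accounts[src].add(event["user"])
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_failure": recent[0], "failed": 0,
                    "accounts": accounts[src], "success_after": None,
                })
                alert["failed"] = len(recent)
        elif event["event_id"] == 4624 and src in alerts:
            alert = alerts[src]
            if alert["success_after"] is None:
                alert["success_after"] = (event["user"], event["time"])
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for src, alert in run_demo().items():
        print(f"{src}: {alert['failed']} failed RDP logons since {alert['first_failure']}, "
              f"accounts tried {sorted(alert['accounts'])}, success after: {alert['success_after']}")
```

On the sample, the single typo-and-retry from 198.51.100.7 stays quiet, while 203.0.113.45 trips the threshold on its fifth failure and is then seen logging in as "backup" a few minutes later, which is the pattern worth paging on rather than the failures alone. In production the same logic would be fed from the Security event log (or a SIEM) rather than an inline string, and the window and threshold should be set below whatever account-lockout policy is in place so that an alert fires before lockout noise starts.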
GlobeImposter was the next most commonly reported ransomware, accounting for 6.5% of reports, while Sodinokibi – also known as REvil – was the fifth most commonly reported ransomware during the period at 4.5%.
Sodinokibi only emerged this year but has been behind several major attacks. The ransomware-as-a-service is believed to be the successor to GandCrab ransomware, which suddenly stopped operating in June this year – although there was still enough time for GandCrab to be one of the most common forms of ransomware during the reporting period.
These are just a handful of the families of ransomware targeting organisations and individuals, and researchers believe attacks are only going to get more dangerous.
"As ransomware attacks continue to become more sophisticated, organisations need to take a proactive approach to cybersecurity," Emsisoft researchers warn in the blog post.
"Businesses of all sizes should review their existing security strategy and ensure their policies and security technologies are in line with current best practices".