​SonicWall reports 638 million instances of ransomware in 2016

The network security firm said ransomware was the payload of choice for malicious email campaigns and exploit kits in 2016, with Locky claiming the title as the most popular payload globally.
Written by Asha Barbaschow, Contributor

Ransomware attacks on businesses large and small reached 638 million last year, up from 2015's 3.8 million, network security firm SonicWall has reported.

In its 2017 Annual Threat Report, SonicWall said the rise of ransomware in 2016 was unlike anything it had seen in recent years, noting that the 634.2 million instance increase was "meteoric" in nature.

"By the end of the first quarter [of 2016], $209 million in ransom had been paid by companies, and by mid-2016, almost half of organisations reported being targeted by a ransomware attack in the prior 12 months," the report said.

The ransomware growth was an upward climb throughout the year, SonicWall said, and expected the increase to continue into 2017.

The first major spike in ransomware was experienced in March 2016, when attack attempts shot up from 282,000 to 30 million over the course of the month, for a first-quarter total of 30.9 million hits.

The report shows the upward trend continued throughout the year, with the fourth quarter closing at 266.5 million ransomware attack attempts.

SonicWall attributed the growth of ransomware to easier access in the underground market, which it said was supported by the low cost of conducting a ransomware attack, the ease of spreading it, and the low risk of being caught or punished.

"The rise of ransomware-as-a-service (RaaS) made ransomware significantly easier to obtain and deploy," the report said. "Individuals who wanted to profit from ransomware didn't need to be expert coders, they simply needed to download and deploy a malware kit."

Typically, RaaS providers offer their malware for free, while SonicWall explained that others charged a flat rate of typically $100.

According to SonicWall, another factor driving ransomware was the mass adoption of bitcoin, noting that before the cryptocurrency existed, payments were able to be tracked.

Industry verticals were targeted almost equally, SonicWall said, with the mechanical and industrial engineering industry reaping 15 percent of average ransomware hits, followed by a tie between pharmaceuticals and financial services at 13 percent, and real estate claiming 12 percent of the total ransomware hits.

Geographically speaking, the report highlighted that companies in the United Kingdom were three times as likely as United States-based ones, despite the US experiencing the highest number of ransomware attacks in 2016.

China was flagged as least likely to be targeted, with SonicWall attributing this to the country's restricted access to bitcoin and low usage of Tor.

While SonicWall said many victims of ransomware chose not to publicise the attacks, it highlighted several breaches that received attention.

The San Francisco Municipal Transit Authority had to open its fare gates in November when a ransomware attack took down its payment and email systems, demanding 100 bitcoins -- the equivalent of $73,000 at the time.

Similarly, Hollywood Presbyterian Medical Center in Los Angeles admitted to paying $17,000 in bitcoin to regain access to its data in February 2016; the Lansing Board of Water & Light revealed it had paid ransomware attackers $25,000 in April; and in September, hosted desktop and cloud provider VESK handed over approximately $22,800 in bitcoins as a result of a ransomware attack.

"Each of these organisations, and the countless others who were hit with ransomware, faced an urgent and terrifying decision: Whether or not to pay the ransom," the report said. "Those who opted to pay were sometimes able to negotiate a lower ransom to regain access to their systems."

Despite paying a ransom, SonicWall explained that in some instances, paying the ransom did not guarantee access to data, as was the case with the Kansas Heart Hospital that was attacked in May 2016.

According to the security firm, only 42 percent of victims were able to fully recover their data from a backup.

The most popular payload for malicious email campaigns in 2016 was the Locky ransomware, SonicWall said, which was utilised in more than 500 million total attacks throughout the year, compared with second placed Petya, which was only used in 32 million attacks.

Locky was most commonly delivered via email as a Microsoft Word document attachment under the guise of an invoice from a vendor requiring payment. When the attachment is opened, the end user would be instructed to enable macros, which would set off a chain reaction leading to the encryption of the user's files and the service of a ransom demand.

Locky evolved to become the most notorious ransomware threat during 2016, security vendor Forcepoint also noted, and the second-most common malware threat by November. Although Locky experienced a lull over Christmas, security experts have said it shows no signs of slowing down, with instances of Locky once again on the up.

SonicWall officially spun out of Dell Technologies as an independent company in November, with private equity firm Francisco Partners and hedge fund Elliott Management completing the $2 billion acquisition of the technology giant's software arm.

Editorial standards