05:40 PM
Connect Directly

Crypto Ransomware Officially Eclipses Screen-Blocker Ransomware

Encryption malware represented 54 percent of all ransomware in April compared to barely 10 percent a year ago, Kaspersky Lab found.

If the near-daily vendor reports are not enough indication already of the surging growth in ransomware infections in recent times, Kaspersky Lab has some new statistics to back it up.

Using anonymized data gathered from users of its security products, researchers from Kaspersky Lab tried to identify how many of them had encountered ransomware at least once over the past 12 months, and what type of ransomware was involved with each of those infections.

For purposes of the report, the company included screen-blocker malware as well as encryption malware in its definition of ransomware.

The data analysis showed a sharp increase in ransomware infections compared to the year before. The total number of users hit by ransomware jumped 17.7%, from 1.97 million users between April 2014 and March 2015 to around 2.32 million over the same period in the following 12 months.

Much of the growth came from the proliferation of encryption malware. The number of users hit with cryptos surged more than five-fold -- from 131,111 between 2015 and 2016 to 718,536, even as the number of people hit with Win-lockers fell more than 13% percent, from 1.8 million to a shade under 1.6 million in the same period.

The increase in the overall number of people encountering ransomware as well the growing use of crypto tools instead of screen blockers spell trouble for users, Kaspersky Lab said in its report.

“The biggest difference between the two types of ransomware: blockers and encryption ransomware is that blocker damage is fully reversible,” the report noted. “Even in the worst case scenario, the owner of an infected PC could simply reinstall the OS to get all their files back.”

In contrast, encryption ransomware gives users little option but to pay up because encrypted files are almost always irrecoverable without a decryption key. The money to be made from such malware is driving the increased use of encryption malware, Kaspersky Lab said.

As recently as April 2015, crypto ransomware accounted for barely 10% of all ransomware infections. Even in October 2015, when an unprecedented 428,000 users were infected with ransomware, only about 9.38% of the victims encountered encryption ransomware.

All that has changed, however, in recent months. Numbers from a surge in ransomware attacks in March show that more than half involved the use of crypto malware, mostly associated with the TeslaCrypt campaign, according to Kaspersky Lab. In April this year, encryption malware accounted for 54% of all ransomware.

A small handful of ransomware samples are responsible for most of the problems caused by crypto-malware. Leading the pack are samples like CryptoWall, Cryaki, TorretLocker, and CTB-Locker, Kaspersky Lab said.

The security vendor’s report comes amid signs of growing corporate worry over the trend.

In a survey of 1,138 companies from various industries conducted by KnowBe4, 79% say they are highly concerned about ransomware attacks. Two-thirds claim to know someone that had been victimized by ransomware, compared to 43% who said the same thing two years ago.

The survey showed that mid-sized companies with between 250- and 1,000 employees tend to get hit harder than large and small businesses.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
David Balaban
David Balaban,
User Rank: Strategist
12/8/2016 | 10:08:44 AM
Re: Silver lining
I understand you mean only private computer users. I encountered locky ransomware on my working laptop. all my working files got encrypted.  I began exploring  the ransomware. Here is my conclusion: there is a lot of information on this topic in the web, including this site, but people don't understand the danger of ransomware, do not take preventive measures, and look for a solution only after their computer are already affected.
User Rank: Ninja
6/23/2016 | 7:24:51 AM
Silver lining
Considering how far off we seem to be from having any decent recourse when this sort of malware hits, the only comforting idea is that it's focusing more on businesses than individuals. While businesses have more financial potential for the hackers, they also have more insurance and data stolen affects profits, not hearts and lives. 

Losing all of your family photos is devastating and irreplaceable. While losing business documents is terrible, it's far more preferable.
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.