Cybercrime techniques and tactics (CTNT): Ransomware retrospective

Key takeaways

• Over the last year, we’ve witnessed an almost constant increase in business detections of ransomware, rising a shocking 365 percent from Q2 2018 to Q2 2019. Meanwhile, consumer detections of ransomware have been on the decline, decreasing by 12 percent year over year and 25 percent quarter over quarter. The reason behind this shift: Cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft. Encrypting sensitive proprietary data on any number of endpoints allows cybercriminals to put forth much larger ransom demands while gaining an exponentially higher chance of getting paid.
• Ransomware attacks featuring targeted campaigns against cities and municipalities, like those experienced in Baltimore, Florida, and Georgia, have increased in frequency, especially since the beginning of 2019. Ransomware families such as Ryuk and RobinHood are mostly to blame, though SamSam and Dharma also made appearances. Recovery from those attacks has been slow and painful, with critical infrastructure a problem. Healthcare and education, two industries also plagued with legacy infrastructure, were also targets.
• The ransomware families causing the most trouble for businesses this quarter were Ryuk and Phobos, which increased by an astonishing 88 percent and 940 percent over Q1 2019, respectively. GandCrab and Rapid business detections both increased year over year, with Rapid gaining on Q2 2018 by 319 percent. However, business detections of GandCrab slowed down by 5 percent in Q2 2019 over Q1.
• All of the top five ransomware families for consumers decreased in Q2 2019 from Q1. The family that saw the largest decrease quarter over quarter was Rapid, which fell by 57 percent in Q2, with a year over year decline of 30 percent. In fact, the only ransomware family that saw any kind of increase was Troldesh, which rose by 162 percent over the same time period in 2018, but still declined from Q1 by 55 percent.
• Looking at ransomware attacks by region—North America; Latin America; Europe, the Middle East, and Africa; and Asia Pacific—nearly half of all ransomware detections in the last year occurred in North America. Europe, the Middle East, and Africa netted 35 percent of our ransomware detections, while Latin America yielded 10 percent and Asia Pacific 7 percent. Each of the regions were plagued with high percentages of GandCrab detections, but Ryuk gave GandCrab a run for its money in North America.
• As for leading ransomware countries, the United States took home the gold with 53 percent of all detections from June 2018 through June 2019. Canada came in a distant second with 10 percent, and the United Kingdom and Brazil followed closely behind, at 9 percent and 7 percent, respectively. The remaining 21 percent was shared between Italy, France, Russia, Germany, South Africa, and Spain. Once again, GandCrab and Ryuk made the most noise in the countries we studied; however, certain families made significant impressions, such as Troldesh on Russia.
• Texas, California, and New York were the top three states infected with ransomware, ganged up on with a combination of GandCrab, Ryuk, and Rapid, which made up more than half of the detections in these states. Interestingly, the states with the most ransomware detections were not always the most populous. North Carolina and Georgia rounded out our top five ransomware states, but they are not as heavily-populated as Florida or Pennsylvania, neither of which made our list.