More than 1,445,000 users were hit by ransomware in 2016, Kaspersky reports.
According to Kaspersky, a flexible and user-friendly ransomware ecosystem is enabling small groups with limited financial resources and technical capabilities to develop into large criminal enterprises.
The researchers say there are three essential levels of criminal involvement in ransomware -- the development and updating of new ransomware families, the creation and support of affiliate programs distributing the malware, and the participation in those affiliate programs as a partner.
While the first level requires advanced coding skills, the other two do not. "Only intent, a readiness to conduct illegal actions, and a couple of bitcoins are required for participants of affiliate programs to enter this business," Kaspersky states.
And an affiliate program, according to Kaspersky, can claim daily revenue of tens or even hundreds of thousands of dollars, of which the criminals keep approximately 60 percent as net profit.
"It is hard to say why so many ransomware families have a Russian-speaking origin," Kaspersky Lab security researcher and report author Anton Ivanov said in a statement. "What is more important is that we're now observing their development from small groups with limited capabilities to large criminal enterprises that have resources and the intent to attack more than just Russian targets."
"We've seen something similar with financial malware groups, like Lurk," Ivanov added. "They also started with massive attacks on online banking users, and then evolved into sophisticated groups capable of robbing large organizations, like banks."
Don Foster, senior director of product management at Commvault, told eSecurity Planet by email that ransomware has proved to be one of the most effective ways to infiltrate an organization. "Organizations need to figure out how to classify, separate, and wall off their data in order to reduce the risk of data being inappropriately accessed and permanently lost," he said. "Discussions need to take place at the board level about an organization's data recovery strategy and its intersection with its security and ransomware strategy in order to keep sensitive data out of the hands of the wrong people."
According to Radware's Global Application and Network Security Report for 2016-2017, 49 percent of businesses were hit by a cyber ransom campaign last year, and 41 percent said ransom was the top motivation behind all cyber attacks they experienced in 2016.
Still, just 7 percent of business keep Bitcoin to enable them to respond to an attack, 43 percent say they wouldn't be able to cope with an attack campaign lasting more than 24 hours, and 40 percent have no incident response plan in place.
"One thing is clear: money is the top motivator in the threat landscape today," Radware vice president of security solutions Carl Herberger said in a statement. "Attackers emply an ever-increasing number of tactics to steal valuable information, from ransom attacks that can lock up a company's data, to DDoS attacks that act as a smoke screen for information theft, to direct brute force or injection attacks that grant direct access to internal data."
According to a recent Sonicwall report, last year saw 167 times as much ransomware as the year before. "Cyber security is not a battle of attrition; it's an arms race and both sides are proving exceptionally capable and innovative," Sonicwall president and CEO Bill Conner said.