Threat Surge: 2016 Saw 167 Times as Much Ransomware as 2015

According to the 2017 SonicWall Annual Threat Report, the company’s threat network saw a massive increase from 3.8 million ransomware attacks in 2015 to 638 million in 2016, an increase by a factor of 167.

In March 2016 alone, ransomware attack attempts shot up from 282,000 to 30 million over the course of the month.

Reasons for the surge, the report states, include the rise of Ransomware as a Service (RaaS), easier access in the underground market, the low cost of conducting an attack, the ease of distributing ransomware, and the low risk of being caught.

The most popular payload for malicious email campaigns in 2016 was ransomware, particularly Locky, which was deployed in more than 500 million attacks throughout the year.

At the same time, point-of-sale malware attacks declined by 93 percent from 2014 to 2016, and the number of new PoS malware variants decreased by 93 percent between 2014 and 2016.

The volume of unique malware samples fell from 64 million in 2015 to 60 million in 2016, and total malware attack attempts dropped from 8.19 billion in 2015 to 7.87 billion in 2016.

“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 — rather, it appears to have evolved and shifted,” SonicWall president and CEO Bill Conner said in a statement. “Cyber security is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”

Separately, the Malwarebytes State of Malware Report states that ransomware distribution between January 2016 and November 2016 increased by 267 percent. “This is an unprecedented domination of the threat landscape — like nothing we’ve seen before,” the report states.

Almost 400 ransomware variants were detected in the fourth quarter of 2016 alone. The top three ransomware families detected were TeslaCrypt, Locky and Cerber.

Ad fraud malware, led by Kovter malware, periodically exceeded ransomware detections, according to the Malwarebytes report. Sixty-nine percent of all Kovter infections occurred in the United States.

“Kovter is one of the most advanced malware families currently found in the wild,” the report states. “It includes sophisticated functionality, such as the ability to infect systems without dropping a file but instead creating a special registry key, making it difficult for many anti-virus products to detect.”

In general, Europe saw 20 percent more malware infections than North America, though the U.S. was the country most impacted by ransomware.

“In the last year, we have seen a huge transition in the top malware threats and how they are distributed,” Malwarebytes director of malware intelligence Adam Kujawa said in a statement. “Attackers are always seeking the greatest possible profit, causing them to shift methodology per person and geography, based on user awareness and attack success rate.

“The use of ransomware and ad fraud, specifically Kovter, have taken off because they provide a source of direct profit for attackers,” Kujawa added. “This is the future of cybercrime, and it is imperative that we continue to study how these methods evolve over time.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
