Ransomware became a major cyberthreat in 2016, especially in the United States. Ransomware payments increased 771% from 2015 to 2016. The healthcare and education industries were among the most affected. In 2017, experts predict that ransomware will continue to spread rapidly across more devices and sectors. New variants will emerge using improved encryption and different delivery methods. Ransomware criminals are expected to make over $5 billion. Strong backups remain the best defense against ransomware attacks.

1. Ransomware Review of 2016
Ransomware got its start in the late 1980s, but 2016 can rightly
be called the year of ransomware. The most famous ransomware
attack of 2016 was against Hollywood Presbyterian Medical
Center in Los Angeles in March. The hospital paid a $17,000
ransom to decrypt itsdata.
Some interesting figures :
Malwarebytes reports that more than 26% of ransomware
attacks blocked by its cybersecurity software were aimed at US
According to the Federal Bureau of Investigation (FBI), more than
$209 million in ransomware payments were made in the US in
the first quarter of 2016. This was a 771 percent increase over a
reported $24 million for the whole of 2015.
Furthermore, attacks on businessincreased three-fold between
January and the end of September. Then In September the FBI
announced that there were 100,000 computers infected by
ransomware in a singleday.
It’s hard to believe that ransomware comprises less than one
percent of total infections.
And most ransomware attacks consumers, not businesses.
A recent IBM survey of 600 business leaders in the U.S. revealed
that almost half of all businesses have been hit by ransomware.
And of those, seventy percent have paid the ransom.
In 2015, the average ransom was a few hundred dollars per user.
According to the Trend Micro, at the end of 2016 the average
ransom was over $700, with 20 percent of organizations reporting
demands for over $1300. Even after paying the ransom, Trend
Micro has found that one in five organizations never get their data
back.
Ransomware can affect any type of computer. It became the
biggest cyberthreat on Android devices in the first half of 2016
in the U.S., U.K., Germany, Australia and Denmark. According to
Bitdefender, ransomware constituted more than half of the
malware detected.
General queries: info@titanhq.com www.titanhq.com
Whyhas ransomwarebecome such as menace?
There are many reasons for the upswing in ransomware:
Bitcoin has become an easier and more accepted form of
payment. Attackers prefer a currency that does not involve
financial institutions, both for traceability and for international
currency purposes. These requirements are met by Bitcoin.
Bitcoin transactions are not anonymous but require significant
effort to be accurately traced and can even be “laundered”
as moneyis.
Attackers want strong encryption to prevent users from
recovering files unless they pay a ransom. It is only recently
that higher-level encryption technology such as 2048-bit
version of the RSA cryptographic algorithm has become
more widely available.
Asymmetric (public key) encryption is widely available on even
the oldest computers in use. Many of the recent generations of
ransomware use a combination of symmetric and asymmetric
encryption. Symmetric encryption is fast. This is an advantage
because it has a higher probability of completing encryption
before the infection isdiscovered.
If the victim discovers the symmetric key before encryption is
complete, the data can be decrypted. Asymmetric encryption is
slower but more secure. Attackers can encrypt the victim’s files
rapidly using symmetric encryption and then employ asymmetric
encryption to encrypt the symmetric key. As a result, the more
secure but slower asymmetric method is needed to encrypt only
one file.
There is money to be made. Cybercriminals know that it is a
lucrative business model. As of December, SamSa ransomware
extortionists earned $450K by targeting primarily healthcare
organizations.
Attackers no longer need to be tech-savvy since most
ransomware is available as packaged exploit kits.
RANSOMWAREREVIEW2016 & WHAT’SAHEADFOR 2017

2. Well-established ransomware such as CTB-Locker, CryptoWall
and Shade were joined by Cerber, CryptXXX, and Locky. Locky
has so far been spread across 114 countries. The year saw
increasing variation in the construction of ransomware and the
vectors usedto deliver it.
General queries: info@titanhq.com www.titanhq.com
Types of ransomware in 2016
At the start of 2016, TeslaCrypt and Locky were the biggest
ransomware threats, spread by spam attacks. It appears that
many businesses affected by the onslaught beefed up their
security. As a result, ransomware increasingly affected
consumers as opposed to businesses as 2016 progressed.
File sharingboth within the institution and with outsiders is high
compared with other industries. A BitSight report released earlier
this year found that about 58% of academic institutions allowed
file sharing on theirnetworks.
Some security analysts believe that schools may be more likely
to pay for the information to avoid HIPAA concerns and other
regulatory violations. For example, In June, the University of
Calgary paid a $20,000 CDN ransom after attackers encrypted
its email system.
Education is a target formultiple reasons:
The sector tends to have smaller budgets, and thus less
up-to-date hardware and software. Education normally has
smaller IT staffs than other industries, so there are fewer
software updates and securitymonitoring.
The lowest risk was in the financial sector, with only 1.5% of
companies affected.
3.5% of healthcare organizations.
6% of government agencies
Ransomware has hitabout:
Which industriesare the most at risk
fromRansomware?
Some of the most publicized attacks in 2016 involved
healthcare, but the problem is more widespread. A new report
from BitSight declares education is the industry most likely to
be hit, with 13% of educational organization slammed by
ransomware. The report analyzed the cybersecurityperformance
of nearly 20,000 companies across government, healthcare,
finance, retail, education, and energy/utilities.
No More Ransom offers victims a Crypto Sheriff tool to determine
the type of ransomware affecting their devices. If available, tools
are then employed to decrypt the victims’ data. In December, 32
new decryption tools for various ransomware variants were added.
No More Ransomware Project
The most significant anti-ransomware move was the foundation
of the No More Ransom project. Kaspersky Lab, Intel Security,
the National High Tech Crime Unit of the Netherlands' police,
and Europol's European Cybercrime Centre formed the group.
In October, law enforcement agencies from 13 additional countries
joined the project, twelve in Europe in addition to Colombia.
The project expanded further in December with 30 more members.
The Franchise Model & Ransomware
The franchise model invaded the ransomware world.
CTB Locker and Chimera offered its victims an opportunity to
become an “affiliate”, with a 50 percent commission for selling
the ransomware as a service. Popcorn Time ransomware
waives payment from its victims if they try to infect a few friends.
At the beginning of 2016 CryptoWall 4.0 attacks rose, including
a new variation targeting outdated versions of Flash Player. The
payload was delivered via malicious pop-under ads whereas the
majority of past ransomware used spam, phishing emails, and
attachments. In November, it was discovered that Cerber 5.0.1
ransomware was spreading via Google and Tor2Web proxies.
New ransomware families appeared in different programming
languages, such as JavaScript, PHP, PowerShell, or Python.
VindowsLocker ransomware emerged in November. It locks up a
victim's computer and then asks the person to call a Microsoft
customer support number for help. When the user pays the over
$300 fee for decryption, he is hung out to dry.
There were new functions and threats added to ransomware as
well. Ransoc has been tailored to gather information on the
victim. Social media profiles and local files are probed, and
users whose PCs contain questionable content are threatened
with court action if they fail to pay the ransom. CryptXXX has a
feature to gather Bitcoin wallet data and send it to the attackers.
Some Cerber ransomware infects the victim’s computer with a
botnet to carry out distributed denial of service (DDoS) attacks.
Chimera threatens to post the victim’s files, including pictures
and videos, on theinternet.
RANSOMWARE REVIEW 2016&WHAT’S AHEAD FOR2017

3. An interesting forecast was made by Wendy Nather, research
director at the Retail Cyber Intelligence Sharing Center, in an
SC Magazine article (https://www.scmagazine.com/ransom-
ware-2017-dead-or-alive/article/577732/ )
General queries: info@titanhq.com www.titanhq.com
She is dreading the advent of “integrity attacks” where
cybercriminals alter an organization’s data. “The more insidious
prospect would be for a criminal group to claim that they made
such an alteration, but actually didn't,” she says.
“It's almost impossible to prove a negative, but it will tie up
the victim nonetheless as they try to confirm or deny it.”
Microsoft reported that Windows 10 is 58% less likely to be
affected by ransomware than Windows 7.
In May, TeslaCrypt shut down and the master decryption key
was released.
Police shut down Encryptor RaaS and Wildfire variants.
In July, about 3,500 keys for Chimera were publicly released.
Othergood newsontheransomwarefrontincludes:
White hats continued to attack command and control servers.
Increased use of cloudbackup
Continued law enforcement actions
Some analysts see the Internet of Things (IoT) as the next big
target. McAfee predicts that ransomware will attack Internet-
enabled medical devices. More than a few security experts
believe that cars will be held for ransom in 2017. Attacks on
IoT have already begun; consider the San Francisco Muni event
at the end of2016.
But the Federal Trade Commission and the Federal
Communications Commission declared in December that IoT
security will be a top enforcement priority for 2017. This decision
was made after the recent DDoS attacks against Dyn, causing
outages of many popular websites.
The availability of new antiransomwaretechnologies
The No More Ransom project
What does 2017hold?
Most security experts think that in 2017 ransomware will continue
to be one of the biggest security problems across computing
devices. They foresee further mutation of coding, techniques,
and delivery mechanisms. From an insurer’s point of view, the
Beazley Breach Insights report predicts ransomware attacks
against businesses will be four times higher in 2017 than last year.
It is predicted that attacks will peak in mid-2017 and then start to
fall off for a combination ofreasons:
As the number of ransomware families explodes and new
variants come out at a rapid pace criminals are expected to
collect at least $5 billion in 2017. A rigorous data protection
program that includes the routine creation of on-premise,
cloud and offline backups will remain the only effective
mechanism for defeating ransomware attacks.
Conclusion
In terms of the network security landscape it’s been a bumpy
ride in 2016, and ransomware will continue to provide some
further bumps for 2017. In 2017, ransomware will become more
virulent and widespread. The ransomware epidemicwill continue
to grow exponentially.
RANSOMWARE REVIEW 2016&WHAT’S AHEAD FOR2017