One Quarter of Ransomware Attacks Hitting U.S. Targets, Study Finds

An analysis by security firm Malwarebytes finds that 26 percent of ransomware attacks blocked by its software targeted U.S. customers, with Germany in second place and France in third place.


Ransomware attacks continue to rise, and U.S. computer users are getting hit the most, according to an analysis released by security firm Malwarebytes on Dec. 8.

The company analyzed the telemetry sent from its software running on customers' systems between June 1 and October 15, finding hundreds of thousands of ransomware attacks. More than 26 percent of attacks targeted users in the United States, compared to less than 9 percent targeting German users and about 4 percent targeting people in France, the No. 2 and No. 3 most popular targets.

“Throughout the whole year, ransomware has been the dominant problem. It has just kept growing,” Adam Kujawa, director of malware intelligence for Malwarebytes, told eWEEK.

Kujawa said that 2016 is undoubtedly the year when ransomware took off, becoming the most significant Internet threat.

Other companies’ research agrees. In its year-end report, security firm Kaspersky Lab found 62 new families of ransomware had hit the internet in 2016, leading to roughly double the number of incidents per user. At the beginning of the year, Kaspersky’s user population encountered ransomware once every 20 seconds, and by the end of the year, that had dropped to once every 10 seconds.

Yet, governments and companies have begun pushing back. In July, four organizations—including Intel Security, Kaspersky and Europol—banded together to create a common resource for those affected by ransomware. Called No More Ransom, the group provides descriptions of the various ransomware families and help for those hit by ransomware attacks.

Malwarebytes and Kaspersky designated different families of malware as the most popular ransomware variants. The Cerber malware topped Malwarebytes’ list, with 38 percent of attacks using that ransomware version, while Kaspersky found CTB-Locker made up 25 percent of the ransomware detected by its product.

There are also signs that link several families of ransomware to Russia. When Cerber first runs, for example, the malware checks whether it is running from an internet address assigned to Russia. If the computer is connected to a network in Russia, or a former Soviet republic, the program will not run.

Malwarebytes also found that users in the city of Las Vegas and nearby Henderson, NV, encountered the most ransomware, but that the Rust Belt had the greatest number of cities in the Top-10, including Memphis, TN, and Toledo, Cleveland and Columbus, OH.

Malwarebytes did not account for the distribution of its users in the national numbers, but did normalize for population when determining the most targeted cities.

Kaspersky found that the number of modifications to ransomware variants increased by more than 11-fold in 2016, as the malware authors tried to stay ahead of security firms’ software. The number of copycats increased as well. Because ransomware is difficult to create properly, knock-off programs—also known as ‘skiddie’ ransomware—are less likely to be able to decrypt a victim’s files, Kaspersky said.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise,” the company said. “We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom and provide nothing in return.”

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...