Kaspersky Lab has published a new ransomware study that clearly shows the rise in use of the malicious file encrypting software over the past two years. The research shows that companies are firmly in attackers’ sights, with attacks on companies having soared in recent months.

Kaspersky Ransomware Study 2016

For the ransomware study, Kaspersky Lab looked at crypto-ransomware, which uses encryption to lock critical business files as well as windows blockers – ransomware that simply locks victims’ computer screens to prevent files from being accessed. Kaspersky Lab took de-identified data from the Kaspersky Security Network (KSN) and assessed the data from individuals that had encountered ransomware between April 2014 and March 2016.

Kaspersky Lab notes that while the prevalence of Windows blockers is still high, there has been a massive rise in the use of crypto-ransomware over the past 12 months. Between April 2015 and March 2016 there was a 17.7% rise in the number of individuals who encountered ransomware or Trojan downloaders that installed ransomware. During that time frame, 2,315,931 users had encountered ransomware.

The figures show that cybercriminals are now increasingly turning to ransomware to make money, although in terms of the total number of malware encounters, ransomware remains relatively low. From April 2015 to March 2016, the proportion of users who encountered ransomware out of the total number who encountered other forms of malware increased from 3.63% to 4.34%, a rise of 0.7 percentage points.

Ransomware Study Shows Rise in Popularity of Crypto-Ransomware

The Kaspersky ransomware study clearly shows the rise in popularity of crypto-ransomware with cybercriminals. Compared to 2014-2015, the last 12 months has seen the percentage of individuals who encountered crypto-ransomware rise by 25 percentage points. 31.6% of ransomware encounters are now with cryptors. Attacks using cryptors jumped by 5.5% to 718,536 attacks between 2015 and 2016.

Kaspersky Lab also noted a fall in the use of Windows lockers. Attacks using Win-lockers fell by 13.03% over the same period, falling from 1,836,673 attacks in 2014-2015 to 1,597,395 attacks in 2015-2016.

Windows blockers are not particularly sophisticated and are relatively easy to resolve; however, the same is not true of crypto-ransomware infections. An infection with a Windows-blocker can be reversed without paying a ransom demand. The victim could simply re-install their operating system. This may not be an ideal solution, and it can be time consuming, but the victim would be able to recover all of their files.

With crypto-ransomware that is not the case. If a ransom demand is not paid, the victim would not be able to unlock their files. The decryption keys are all held by the attackers. The only way to recover from a crypto-ransomware attack without paying the ransom demand is by restoring files from a backup. If no backup exists, the victim must pay the ransom or forever lose their files. Because of this, victims are more likely to pay the ransom. It is therefore no surprise that cybercriminals are increasingly trying to cryptors.

Businesses Increasingly Being Targeted

The Kaspersky Lab ransomware study shows that businesses are now increasingly being targeted. Not only will businesses be more likely to pay the ransoms, since ransoms are set per device, the infection of a business network of multiple computers would represent a big pay day for an attacker. Between 2014 and 2016, attacks on businesses rose from 6.80% of all attacks to 13.13%.

The ransomware variants used to attack businesses and individuals has changed significantly over the past 12 months. In 2014-2015, CryptoWall accounted for the lion’s share of attacks (58.84%). Other attacks used a variety of different ransomware variants, the main other variants were Cryaki (5.66%) and Scatter (4.40%).

In 2015-2016, the main ransomware variant was Teslacrypt, which accounted for 48.81% of ransomware attacks. However, many new variants were also extensively used. CTB-Locker accounted for 21.61% of attacks, Scatter 8.66%, Cryaki 7.13%, CryptoWall 5.21%, and Shade 2.91%. Attacks using Locky were just starting late in the year. Locky accounted for 0.62% of all attacks between 2015 and 2016. The “Others category” decreased considerably from 22.55% of attacks in 2014-2015, to 2.41% in 2015-2016. Kaspersky Lab attributes this to the sharing of crypto-ransomware kits by ransomware developers.