Crowti (also known as Cryptowall) and Tescrypt (also known as Teslacrypt) are two ransomware families that have infected over half a million PCs running Microsoft security software in the first half of 2015. Since the start of 2015, we've observed Crowti to be the most prevalent ransomware overall, accounting for 30% of all ransomware families, as shown in Figure 1.
Notice in particular that Tescrypt sits within the six families that each had less than a 5% share of the total. This is because Tescrypt is relatively new – while we've seen big detection numbers between April and June, it still hasn't been enough to wipe out Crowti and Krypterade.
While Tescrypt has only been prevalent since April 2015, we've seen its infection rate spike dramatically during that time. Figure 2 shows the share it had during May, where it increased by over 600%.
Figure 3 shows the distribution of the top 10 ransomware families for the past 30 days (May 19 to June 18, 2015).
Both Crowti and Tescrypt target home users and enterprise industries. Their infection chains are also similar, and we've seen that email spam and exploit kits are the main infection vectors.
Figure 4 is a representation of the infection chain for both families.
These ransomware families encrypt files on the PC and direct the machine's user to a webpage that typically asks for ransom payment using bitcoins.
See the following descriptions for a list of the file type extensions each family targets for encryption:
Crowti can be downloaded by other malware, such as: