Skip to main content
Skip to main content
Microsoft Security

Ransomware: Understanding the Risk

  • Tim Rains

Ransomware is a type of malware that holds computers or files for ransom by encrypting files or locking the desktop or browser on systems that are infected with it, then demanding a ransom in order to regain access. Criminals have used high pressure techniques to get victims to pay the ransom, such as:

  • Make encrypted data unrecoverable after a certain period of time
  • Threaten to post captured (potentially sensitive) data publicly
  • Use fear by claiming to be law enforcement and threaten prosecution
  • Increase the ransom payment amount as time goes on
  • Render the machine unbootable when it overwrites the Master Boot Record and encrypts physical sectors on disk
  • Threaten to erase all data and render all enterprise computers inoperable

Figure 1: An example of a ransomware ransom demand

There is heightened concern across the industry about ransomware because of some high profile cases that illustrate ransomware isn’t just a threat for consumers to worry about, as it is being used in attacks on enterprises as well.

Although we know attackers that leverage ransomware are motivated by profit, the underlying reasons they have attacked specific organizations or industries are not as straight forward. Some attackers might very well be targeting specific industries with ransomware attacks. Other attackers might simply be leveraging their capabilities; i.e. they have developed the capability to exploit specific vulnerabilities in specific platforms or specific line-of-business applications that happen to be primarily used in, or get heavy use by, specific industries.

Ransomware is a topic that I have written about in the past (Ransomware: Ways to Protect Yourself & Your Business, Ransomware is on the Rise, Especially in Europe) and that we have covered extensively in some volumes of the Microsoft Security Intelligence Report. The Microsoft Malware Protection Center has provided extensive information about this category of threats (Ransomware, No mas, Samas: What’s in this ransomware’s modus operandi?, The three heads of the Cerberus-like Cerber ransomware, Locky malware, lucky to avoid it, MSRT October 2015: Tescrypt, MSRT September 2015: Teerac, MSRT July 2015: Crowti, Emerging ransomware: Troldesh, Your Browser is (not) Locked, etc.)

Given the heightened concern in the industry, I thought it was time to examine if the risk associated with this threat category has been increasing. This will help CISOs, security teams, and risk managers understand if they should prioritize this risk differently now than they have in the past. As always, risk is the combination of probability and impact.

Let me start by providing some data and insights that will help organizations understand the probability component associated with the risk of ransomware. Using data from the Microsoft Security Intelligence Report, which includes data based on telemetry from hundreds of millions of systems around the world, we can see that ransomware has been encountered worldwide much less frequently than almost all other types of malware. Figure 2 illustrates the encounter rates for malware categories for each quarter ending in the second quarter of 2015. The encounter rate (ER) is the percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software during a quarter. Most of these encounters are from systems running Microsoft Security Essentials or Windows Defender reporting that they blocked malware from installing on them.

Figure 2: Encounter rates for significant malware categories, third quarter of 2014 (3Q14) – second quarter of 2015 (2Q15)

The worldwide ER for ransomware in the first quarter of 2015 (1Q15) was 0.35 percent and 0.16 percent in the second quarter (2Q15) as seen in Figure 2. While the ER for Trojans was 3.92 percent and 4.45 percent in 1Q15 and 2Q15 respectively. That means the ER for Trojans was 11 times higher than the ransomware ER in 1Q15 and 28 times higher in 2Q15. More recent data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware. The most recent data, from the last month (March 2016), suggests that the worldwide ER for ransomware was 0.2 percent, putting it almost on par with the ER for Trojan Downloaders & Droppers, but still lower than viruses (file infectors) and most other threat categories.

Although the global encounter rate is just a fraction of a percent, there are some countries/regions that have higher ransomware encounter rates. i.e. the probability of encountering ransomware is higher in some locations than others. For example, the ER in Mexico was 5 times higher at 0.8 percent during the same period. France and Canada had ransomware encounter rates 4.4 times higher than the worldwide average at 0.7 percent, while the United States, Russia and Turkey all had elevated ransomware encounter rates, 3.75 times higher than the worldwide average, at 0.6 percent.

The locations that had the highest ransomware ERs in the world in 2015 are listed in Figures 3 and 4. Portugal and Italy were among the locations with the highest ransomware ERs in both halves of 2015.

Figure 3 (left): The countries/regions with the highest ransomware encounter rates in the world in the first half of 2015; Figure 4 (right): The countries/regions with the highest ransomware encounter rates in the world in the second half of 2015

Although the ransomware ER in the UAE, for example, in the first half of 2015 was the highest in the world, ransomware is still one of the least encountered categories of threats there as Figure 5 illustrates. A ransomware family does not appear in the top 10 list of threats in the UAE.

Figure 5: Malware encountered in the United Arab Emirates in the second quarter of 2015, by category

The infection rate is typically a fraction of the ER because systems have to encounter malware before they can get infected. Data in several volumes of the Security Intelligence Report suggests that 70 percent to 80 percent of systems that run the MSRT also run up-to-date real time antivirus. This means most systems will be able to block the installation of known commodity ransomware before they can become infected. Thus ER is typically much greater than the actual infection rate.

The malware infection rate, called the Computers Cleaned per Mille (CCM), is measured by the number of computers cleaned for every 1,000 unique computers that run the Windows Malicious Software Removal Tool (MSRT). For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).

Detection for new malware families are typically added to the MSRT every month. The MSRT cleans many of the most prevalent families of ransomware like Win32/Crowti, Ransom: Win32/Reveton, and Win32/Samas. Of these, Crowti had the highest CCM in the second half of 2015, 0.04 in 3Q15 and 0.01 in 4Q15. This means that for every 1,000 systems the MSRT executed on in the fourth quarter of 2015, 0.01 was cleaned of Crowti; that’s 1/1000 of a percent of the hundreds of millions of systems the MSRT executes on each month.

The ER data I outlined above suggests that ransomware represents a risk that has been lower probability relative to other types of malware in most parts of the world. But the rapid evolution of ransomware suggests that these numbers could rise in the future. Email (spam, spear-phishing, etc), social engineering using Word and Excel macros, drive-by download attacks, and removable storage devices (USB drives) are among the most common ways attackers have distributed ransomware. This has been evolving rapidly.

The ability for less-skilled attackers to mount ransomware campaigns has increased recently, due to the emergence of ransomware-as-a-service (RaaS) offerings on the darkweb. Sarento and Enrume are ransomware families that are examples of this approach. Ransomware is being increasingly paired with exploit kits, such as JS/Axpergle (a.k.a. Angler), and other malware to gain persistence in victims’ environments. More attackers using more distribution points has led to more enterprises encountering ransomware as figures 6 and 7 illustrate. Additionally, ransomware can be distributed to systems via other malware, i.e. existing infections, to increase attacker monetization of the assets they control.

When comparing these figures, notice how the ER for ransomware increased between the first and second halves of 2015 surpassing the ER of Password Stealers & Monitoring Tools. Also notice that the ER for ransomware on domain joined systems surpassed that of non-domain joined systems.

Figure 6: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the first half of 2015, by category

Figure 7: Malware and unwanted software encounter rates for domain-based and non-domain computers, in the second half of 2015, by category

More sophisticated attackers that target enterprises try to encrypt as much of their target’s critical data as possible. To do this, they need to move beyond encrypting data on a single device. They use all the dirty tricks in their toolkits to get a foothold in an organization’s IT environment including exploiting unpatched vulnerabilities, taking advantage of misconfigured systems and weak passwords, and of course social engineering.

The main entry points for these attacks are vulnerable Internet facing servers and user workstations. Once they have compromised a single system, they use tactics similar to “APT” style attacks to traverse the infrastructure looking for more data to encrypt. To do this, they will gather credentials on the initial point of entry, attempt to gain elevated privileges (e.g. domain administrator), use those credentials to map out the organization’s network, then move laterally to new hosts, gathering more credentials that will allow them to encrypt data on as many machines as possible. Attackers will also deny the victim organization access to their backups, if they can, to increase the motivation to pay the ransom.

Once attackers have access to data (.pdf, .xlsx, .docx, etc) they believe is valuable to the victim organization, they encrypt it. As ransomware has been evolving, more of this malware has been employing correctly implemented strong encryption algorithms (Advanced Encryption Standards (AES) for example), that prevents recovery without a valid decryption key or restoring the original files from backup. Without backups, the impact of this type of attack to a business could be severe; the loss of intellectual property, customer data, and financial records could have irreversible consequences on a business.

The Samas family (Ransom:MSIL/Samas) of ransomware is a great example of ransomware using some of these tactics.  The MMPC has published a great article on this family: No mas, Samas: What’s in this ransomware’s modus operandi?

Detection for Samas was added to the MSRT in April 2016. The infection rate (CCM) for Samas is virtually zero, as it has only been seen used in targeted attacks versus used in broad attacks as commodity ransomware.

Figure 8: Ransom:MSIL/Samas infection chain

Ransomware has been evolving quickly. Last month (March 2016) the top 5 ransomware families encountered included Ransom:Win32/Tescrypt, Ransom:Win32/Locky, Ransom:Win32/Crowti, Ransom:JS/Brolo, Ransom:Win32/Teerac.

Although commodity ransomware has relatively low encounter rates and low infection rates, when determining the probability and impact in ransomware risk calculations it’s important to consider that ransomware is also being used as part of ransomware-as-a-service kits and by determined adversaries in targeted attacks.

The fact that ransomware families aren’t very prevalent at this point is good news. But that doesn’t make it any less painful to the users and organizations that have been victimized. This is why Microsoft is so committed to continually raising the bar on attackers and helping our customers with these threats. There is a plethora of mitigations available for enterprise customers, both on-premises and cloud-based. Windows 10 has numerous advanced security features that can make it much harder for attackers to be successful with ransomware. The Office 365 Security team published an excellent article that provides some great mitigations, a highly recommended read: How to Deal with Ransomware.

Additionally, I asked some of the experts in Microsoft’s Enterprise Cybersecurity Group to provide some guidance based on the work they are doing to help enterprise customers protect, detect and respond to ransomware cases. The Enterprise Cybersecurity Group has unique, industry-leading cybersecurity expertise from client to cloud that I’m excited to tap. They have helped numerous enterprise customers protect, detect and respond to some of the most sophisticated ransomware attacks to date. This experience informs their approach, something partially summarized in the table below.

Detect Ingress protections
Auto-scale endpoint protections
Behavioral and deterministic detections leveraging Deep Packet Inspection
Protect Reputational services
High Value Asset protection, containment, isolation
Respond Response planning
Offline backups
Regular hunting and validation

We will share more from the Enterprise Cybersecurity Group in the next article in this series on ransomware.

Tim Rains
Director, Security