Ransomware-as-a-Service on the Rise
February 07, 2017
Findings highlights the most notable advancements made by security professionals and cyber criminals in 2016. The report was compiled from data collected throughout 2016 by the SonicWall Global Response Intelligence Defense (GRID) Threat Network with daily feeds from more than one million security sensors in nearly 200 countries and
According to the 2017 SonicWall Annual Threat Report, 2016 could be considered a highly successful year from the perspective of both security professionals and cyber criminals. Unlike in years past, SonicWall saw the volume of unique malware samples collected fall to 60 million compared with 64 million in 2015, a 6.25 percent decrease. Total malware attack attempts dropped for the first time in years to 7.87 billion from 8.19 billion in 2015. However, cyber criminals garnered quick payoffs from ransomware, fueled partly by the rise in ransomware-as-a-service (RaaS).
“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 — rather, it appears to have evolved and shifted,” said Bill Conner, president and CEO of SonicWall. “Cybersecurity is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”
Security Industry Advances
Point-of-sale malware attacks declined by 93 percent from 2014 to 2016.
High-profile retail breaches in 2014 led to companies adopting more proactive security measures. Since then, the industry has seen the implementation of chip-based POS systems, usage of the Payment Card Industry Data Security Standard (PCI DSS) checklist and other ongoing security measures.
- Back in 2014, the SonicWall GRID Threat Network observed a 333 percent increase in the number of new POS malware countermeasures developed and deployed compared with the year prior.
- The SonicWall GRID Threat Network saw the number of new POS malware variants decrease by 88 percent year-over-year and 93 percent since 2014. This implies that cyber criminals are becoming less interested in devoting time to POS malware innovation.
Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted traffic grew by 34 percent, partly in response to growing cloud application adoption.
The trend toward SSL/TLS encryption has been on the rise for several years. As web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion hits in 2015 to 7.3 trillion in 2016, according to the SonicWall GRID Threat Network.
- The majority of web sessions that the SonicWall GRID Threat Network detected throughout the year were SSL/TLS-encrypted, comprising 62 percent of web traffic.
- One reason for the increase in SSL/TLS encryption is the growing enterprise appetite for cloud applications. The SonicWall GRID Threat Network has seen cloud application total usage grow from 88 trillion in 2014 and 118 trillion in 2015 to 126 trillion in
While this trend toward SSL/TLS encryption is overall a positive one, it also merits a word of caution. SSL/TLS encryption makes it more difficult for cyber thieves to intercept payment information from consumers, but it also provides an uninspected and trusted backdoor into the network that cyber criminals can exploit to sneak in malware. The reason this security measure can become an attack vector is that most companies still do not have the right infrastructure in place to perform deep packet inspection (DPI) in order to detect malware hidden inside of SSL/TLS-encrypted web sessions.
Dominant exploit kits Angler, Nuclear and Neutrino disappeared in mid-2016.
As 2016 began, the malware market was dominated by a handful of exploit kits, particularly Angler, Nuclear and Neutrino. Following the arrest of more than 50 Russian hackers for leveraging the Lurk Trojan to commit bank fraud, the SonicWall GRID Threat Network saw the Angler exploit kit suddenly stop appearing, leading many to believe Angler’s creators were among those arrested. [i] For a while following Angler’s disappearance, Nuclear and Neutrino saw a surge in usage, before quickly fading out as well.
- The SonicWall GRID Threat Network noticed the remaining exploit kits began to fragment into multiple, smaller versions to fill this void. By the third quarter of 2016, Rig had evolved into three versions leveraging different URL patterns, landing page encryption and payload
- As with spam and other distribution methods in 2016, SonicWall saw exploit kits become part of the ransomware delivery machine, making variants of Cerber, Locky, CrypMic, BandarChor, TeslaCrypt and others their primary payloads throughout the year. However, exploit kits never recovered from the massive blow they received early in the year with the takedown of their dominant families.
Cyber Criminal Advances
Ransomware usage grew by 167x year-over-year and was the payload of choice for malicious email campaigns and exploit kits.
The SonicWall GRID Threat Network detected an increase from 3.8 million ransomware attacks in 2015 to an astounding 638 million in 2016. The rise of RaaS made ransomware significantly easier to obtain and deploy. The unprecedented growth of the malware was likely driven as well by easier access in the underground market, the low cost of conducting a ransomware attack, the ease of distributing it and the low risk of being caught or punished.
- Ransomware remained on an upward climb throughout the year, beginning in March 2016 when ransomware attack attempts shot up from 282,000 to 30 million over the course of the month, and continuing through the fourth quarter, which closed at 266.5 million ransomware attack attempts for the quarter.
- The most popular payload for malicious email campaigns in 2016 was ransomware, typically Locky, which was deployed in about 90 percent of Nemucod attacks and more than 500 million total attacks throughout the year.
- No industry was spared ransomware attack attempts. Key industries were targeted almost equally, including the mechanical and industrial engineering industry with 15% of the average ransomware hits, followed by a tie between pharmaceuticals (13%) and financial services (13%), and real estate (12%) in third place.
“With the continued rise of ransomware, this research from SonicWALL shows how important it is for businesses to assess their cyber-defense strategy,” said Mike Spanbauer, vice president of Security, Test & Advisory, NSS Labs. “In 2016 we saw major advances from cybercriminals, and believe vendors like SonicWALL that are willing to invest and develop technology and approaches to win against ransomware will help the security industry get ahead of this increasingly prevalent attack
Internet of Things devices were compromised on a massive scale due to poorly designed security features, opening the door for distributed denial-of-service
With their integration into the core components of our businesses and lives, IoT devices provided an enticing attack vector for cyber criminals in 2016. Gaps in IoT security enabled cyber thieves to launch the largest distributed denial-of-service (DDoS) attacks in history in 2016, leveraging hundreds of thousands of IoT devices with weak telnet passwords to launch DDoS attacks using the Mirai botnet management framework.
- The SonicWall GRID Threat Network observed vulnerabilities on all categories of IoT devices, including smart cameras, smart wearables, smart home, smart vehicles, smart entertainment, and smart terminals.
- During the height of the Mirai surge starting in November 2016, the SonicWall GRID Threat Network observed that the United States was by far the most targeted, with 70 percent of DDoS attacks directed towards the region, followed by Brazil (14%) and India (10%).
saw increased security protections but remained vulnerable to
Google worked hard in 2016 to patch the vulnerabilities and exploits that cyber criminals have used against Android in the past, but attackers used novel techniques to beat these security
- The SonicWall GRID Threat Network observed cyber criminals leveraging screen overlays to mimic legitimate app screens and trick users into entering login info and other data. When Android responded with new security features to combat overlays, SonicWall observed attackers circumventing these measures by coaxing users into providing permissions that allowed overlays to still be used. [v]
- Compromised adult-centric apps declined on Google Play but cybercriminals continued to find victims on third-party app stores. Ransomware was a common payload, as were self-installing apps. The SonicWall GRID Threat Network observed more than 4,000 distinct apps with self-installing payloads in a matter of two weeks