February 16, 2017
Microsoft’s break down of the ransomware threat to Windows machines in 2016 offers some rare good news, but it still found that four million PCs were held hostage last year.
Microsoft’s built-in Windows Defender Antivirus offers it a unique perspective on the impact that ransomware is having on Windows users worldwide, which are the main target of file-encrypting malware.
Australia, Korea, Spain, Germany, and France all registered more than 100,000 encounters with ransomware last year, according to Microsoft. In this US, over 460,000 computers were exposed to ransomware, while Italy and Russia saw 252,000 and 192,000 encounters.
According to Microsoft, these encounters were due mostly to over half a billion spam emails that were sent each quarter containing a ransomware downloader — a malicious software tool, usually carried within documents, that installs the ransomware payload on a computer.
Fortunately, only a fraction of these downloaders translate to an actual infection, at which point files are encrypted and the victim either pays up, accepts the loss of files, has a backup plan, or is lucky enough to be infected by a variant for which a decryption tool exists.
Microsoft says these spam-delivered ransomware downloaders made it to 13.4 million computers.
The other way ransomware reaches PCs is via exploit kits on web pages. A total of 4.5 million PCs were exposed to two exploit kits known to deliver mostly ransomware over other malware, such as banking trojans.
Overall, Microsoft counted 3.9 million computers that ended up being exposed to a ransomware payload from either spam or an exploit kit.
The good news is that instances where Windows users encountered a ransomware payload dropped significantly in the second half of 2016, from nearly 400,000 in August to 200,000 in September. These numbers may be lower from other ransomware estimates because it excludes downloaders and other components, according to Microsoft.
The bad news is that exposure to ransomware downloaders -- the key conduit to a ransomware infection -- didn’t decline at all.
“There wasn’t a decline in the volume of emails that carry these ransomware downloaders. In the last quarter of 2016, we saw 500 million such emails. The downloader trojans ended up in at least one million computers every month in the same period. Clearly, cybercriminals have not stopped trying to infect computers with ransomware,” noted Microsoft.
Microsoft says it’s doing a better job of blocking spam with ransomware downloaders. This would be a positive development, given the rise in spam for delivering ransomware.
However, it notes that half of the 200 ransomware families it’s tracking were discovered in 2016, most of which use encryption to lock victims out rather than merely locking the victim’s screen. The top five ransomware families included Cerber, Locky, Crowtu, Tescrypt, and Teerac.
Microsoft notes that its upcoming Windows 10 Creators Update will integrate Windows Defender Antivirus and Office 365 security measures to reduce opportunities for attackers to exploit email to gain a ransomware infection.