Mobile ransomware actors are focusing their attacks on wealthy countries. Developed markets not only have a higher level of income, but also a more advanced and more widely used mobile and e-payment infrastructure. According to Kaspersky Lab’s annual ransomware report for 2016-2017, this is appealing to criminals because it means they can transfer their ransom in just a couple of taps or clicks.

Kaspersky Lab has continued its tradition of reporting on ransomware threats with its second annual study into the issue. The report covers the full two-year period, which, for comparison reasons, has been divided into two parts of 12 months each: from April 2015 to March 2016 and from April 2016 to March 2017. We’ve chosen these timescales because they witnessed several significant changes in the ransomware threat landscape.

Mobile ransomware activity skyrocketed in the first quarter of 2017 with 218 625 mobile Trojan-Ransomware installation packages – 3.5 times more than in the previous quarter. Activity then fell to the average level of the observed two year period. Despite a small relief, the mobile threat landscape is still arousing anxiety, as criminals target nations with developed financial and payment infrastructures that can be easily compromised.

In the period of 2015-2016, Germany was the country with the highest percentage of mobile users attacked with mobile ransomware (almost 23%), as a proportion of users attacked with any kind of mobile malware. It was followed by Canada (almost 20%), the UK and the US – exceeding 15%. This changed in 2016-2017 with the US shifting from fourth to first position (almost 19%). Canada and Germany retained their top-3 ranking with almost 19% and over 15% respectively, leaving the UK ranked fourth place with more than 13%.

The rise in the United States occurred largely due to attacks from the Svpeng and Fusob malware families, the first of which is mainly targeting America. As for Fusob, this malware family was initially focused on Germany, but since Q1 2017 America has topped its list of targets with 28% of attacks. 

“These geographical changes in the mobile ransomware landscape could be a sign of the trend to spread attacks to rich, unprepared, vulnerable or yet unreached regions. This obviously means that users, especially in these countries, should be extremely cautious when surfing the web,” notes Roman Unuchek, security expert at Kaspersky Lab.

Other key findings from the KSN report-2017 include:  

• The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4% compared to the previous 12 months (April 2015 to March 2016) – from 2 315 931 to 2 581 026 users around the world;
• The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.8 percentage points, from 4.34% in 2015-2016 to 3.88% in 2016-2017;
• Among those who encountered ransomware, the proportion that encountered cryptors rose by 13.6 percentage points, from 31% in 2015-2016 to 44.6% in 2016-2017;
• The number of users attacked with cryptors almost doubled, from 718 536 in 2015-2016 to 1 152 299 in 2016-2017;
• The number of users attacked with mobile ransomware fell by 4.62% from 136,532 users in 2015-2016 to 130,232.

The top 10 countries with the biggest share of users attacked with PC ransomware as a proportion of all users attacked with any kind of malware in 2016-2017 are: Turkey (almost 8%), Vietnam (around 7,5%), India (over 7%), Italy (around 6,6%), Bangladesh (more than 6%), Japan (almost 6%), Iran (almost 6%), Spain (almost 6%), Algeria (almost 4%), and China (almost 3,8%). This is a very different list compared to 2015-2016, as Turkey, Bangladesh, Japan, Iran, and Spain have since entered the list, all exceeding 5%.

To reduce the risk of infection, users are advised to:

• Back up data regularly.
• Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
• Always keep software updated on all the devices you use.
• Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
• If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
• If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
• The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they have installed.
• Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

For help and advice on dealing with ransomware visit No More Ransom.

Check out No Ransom to find the latest decryptors, ransomware removal tools, and information about ransomware protection.