Ransomware Overtook Banking Trojans in H1 2019 Email Malware Campaigns

computer with ransomware notice

On July 24, Louisiana Governor John Bel Edwards issued a statewide emergency declaration after a ransomware attack affected several local government agencies. Those victimized organizations included school systems in Sabine, Morehouse and Ouachita. In response, Edwards said the state would begin working with digital security experts at the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and other entities to help the affected organizations recover and prevent additional data loss.

The attack described above is just the latest in a string of campaigns that have contributed to a rise in ransomware’s prevalence this year. Indeed, the Malwarebytes Labs Cybercrime Tactics and Techniques Q1 2019 report observed a 195 percent increase in business detections of ransomware from Q4 2018 to Q1 2019. Similarly, Beazley documented a 105 percent rise in the number of ransomware attack notifications it received between the first quarter of 2018 and one year later. These attacks evolved over that course of time, Beazley found, in that they began targeting larger organizations and demanding higher ransom amounts.

These trends beg the question: how have ransomware stacked up against other digital threats thus far in 2019? Specifically, how have they fared against banking trojans, threats which according to multiple accounts dominated the threat landscape in 2018?

AppRiver examined these and other questions in its Global Security Report: Mid-Year 2019. In the report, AppRiver analysts say the company’s Advance Email Security filters  had quarantined more than 124 million emails with malware attached throughout the first six months of 2019. These emails, which put AppRiver on a track similar to the total number of malicious emails it saw the previous year, indicated a shift from banking trojans to ransomware infections. Many of these attempted ransomware attacks occurred within the context of chained malware infections, campaigns which used a dropper a to execute a ransomware binary as a second-stage payload.

Not surprisingly, a few of these ransomware attacks in the first half of 2019 made headlines. Presented below are five such infections that stood out to AppRiver:

  • Baltimore, MD: On May 7, digital attackers seized approximately 10,000 computers owned by the City of Baltimore and demanded $100,000 worth of bitcoin in exchange for the decryption keys, as reported by Vox. This attack involved a sample of the RobbinHood ransomware family.
  • Greenville, NC: Officials confirmed that the City of Greenville had suffered a ransomware attack on April 10. A member of the police department first spotted the infection and notified IT personnel, who pulled the city’s servers offline. This decision didn’t affect the city’s emergency services, as reported by SC Magazine.
  • Lake City, FL: On June 10, Lake City revealed on Facebook that it had suffered a “triple threat” attack against its computer network. This campaign delivered Emotet before distributing Trickbot as a secondary payload. This banking trojan then deployed Ryuk ransomware which disrupted the city’s email and phone systems. Ultimately, Lake City met the attackers’ demands by paying out nearly $500,000 in ransom, per ZDNet.
  • Riviera Beach, FL: Riviera Beach suffered a ransomware attack in May when digital attackers used a phishing email to upload malware onto the city’s systems. This ransomware disrupted Riviera Beach’s email system and prevented 911 dispatchers from entering calls into the computer. In response to this attack, city officials authorized the payment of $600,000 to the attackers, reported CBS News.

These attacks, when coupled with AppRiver’s findings, underscore the importance of organizations taking steps to prevent a ransomware infection. To succeed in this regard, they should use an advanced email threat protection solution such as ZixProtect to analyze multiple characteristics of incoming email in real-time, all while allowing legitimate emails to find their way to their intended destinations.

Learn how ZixProtect can defend your organization against email-based ransomware attacks.