Locky, one of the latest file encrypting malware families to hit the virtual streets, has become the second biggest player on the ransomware landscape, researchers at Fortinet reveal.
CryptoWall, which has been on the malware scene for a few years now, still holds the top spot when it comes to ransomware threats, while TeslaCrypt rounds out the top three most used file-encrypting malicious programs at the moment.
Over a two-week period between Feb. 17 and Mar. 2, Locky grew from a newcomer into a significant threat to users worldwide.
According to a blog post from Fortinet’s Roland Dela Paz, the security firm’s statistics reveal that 16.47 percent of the total 18.6 million hits collected from the three major ransomware families belong to Locky. CryptoWall is at the top with 83.45 percent of these hits, while TeslaCrypt fell to the third position with only 0.08 percent of hits.
Locky emerged in mid-February, when researchers at BleepingComputer detailed it as a new piece of ransomware capable of encrypting both local files and files on network shares, even if they are unmapped. Like CryptoWall 4.0, the malware was observed encrypting filenames as well, thus making it more difficult for users to restore their data.
At the moment, Locky is being distributed via malicious documents attached to spam emails and is hitting users worldwide. The United States is the most affected country, accounting for over 51 percent of Locky infections, with France (16 percent) and Japan (9.7 percent) also among the top three most affected countries. Slovakia and Canada round out the top five, Fortinet said.
CryptoWall has been a dominating threat in the ransomware landscape for over a year, and researchers estimate that its operators have made over $325 million in profits. Version 4.0 of the malware was released in October 2015 and started being distributed via the Nuclear exploit kit (EK) soon after, while being added to the Angler EK in January of this year.
While analyzing the CryptoWall infections, Fortinet discovered that the U.S. is once again the most affected country, with over 44 percent of infections, followed by Japan (8.6 percent) and Turkey (7.9 percent). Spain (5.5 percent) and Mexico (4.6 percent) are among the top five most affected regions.
Although accounting for a small number of infections, TeslaCrypt was recently added as the malicious payload in some Angler variants, and might soon regain more market share. In December, researchers observed that it was being delivered via a recently patched Adobe Flash exploit, which was added to the Angler EK only days after Adobe closed the vulnerability.
Over the aforementioned two-week window, most TeslaCrypt infections were observed in Korea (39.9 percent), Fortinet researchers reveal. The U.S. (14.6 percent), Turkey (14 percent), Canada (12.1 percent) and Japan (2.7 percent) are also among the most affected countries.