Security Experts:

Connect with us

Hi, what are you looking for?



CryptoWall, Locky Dominate Ransomware Landscape: Report

Locky, one of the latest file encrypting malware families to hit the virtual streets, has become the second biggest player on the ransomware landscape, researchers at Fortinet reveal.

Locky, one of the latest file encrypting malware families to hit the virtual streets, has become the second biggest player on the ransomware landscape, researchers at Fortinet reveal.

CryptoWall, which has been on the malware scene for a few years now, still holds the top spot when it comes to ransomware threats, while TeslaCrypt rounds out the top three most used encrypting malicious program at the moment.

Over a two week period between Feb. 17 and Mar. 2, Locky grew from a newcomer to becoming a significant threat to users worldwide.

According to a blog post from Fortinet’s Roland Dela Paz, the security firm’s statistics reveal that 16.47 percent of the total 18.6 million hits collected from the three major ransomware families belong to Locky. CryptoWall is at the top with 83.45 percent of these hits, while TeslaCrypt fell to the third position with only 0.08 percent hits.

Locky emerged in mid-February, when researchers at BleepingComputer detailed it as a new piece of ransomware capable of encrypting both local files and files on network shares, even if they are unmapped. The same as CryptoWall 4.0, the malware was observed encrypting filenames as well, thus making it more difficult for users to restore their data.

At the moment, Locky is being distributed via malicious documents attached to spam emails and is hitting users worldwide. The United States is the most affected country, accounting for over 51 percent of Locky infections, with France (16 percent) and Japan (9.7 percent) also among the top three most affected countries.Slovakia and Canada round up top five, Fortinet said.

CryptoWall has been a dominating threat in the ransomware landscape for over a year, and researchers estimate that its operators have made over $325 million in profits. Version 4.0 of the malware was released in October 2015 and started being distributed via the Nuclear exploit kit (EK) soon after, while being added to the Angler EK in January of this year.

While analyzing the CryptoWall infections, Fortinet discovered that the U.S. is once again the most affected country, with over 44 percent of infections, followed by Japan (8.6 percent) and Turkey (7.9 percent). Spain (5.5 percent) and Mexico (4.6 percent) are among the top five most affected regions.

Although accounting for a small number of infections, TeslaCrypt was recently added as the malicious payload in some Angler variants, and might soon regain more market share. In December, researchers observed that it was being delivered via a recently patched Adobe Flash exploit, which was added to the Angler EK only days after Adobe closed the vulnerability.

Over the aforementioned two-week window, most TeslaCrypt infections were observed in Korea (39.9 percent), Fortinet researchers reveal. The U.S. (14.6 percent), Turkey (14 percent), Canada (12.1 percent) and Japan (2.7 percent) are also among the most affected countries.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.