FortiGuard Labs Threat Research

CryptoWall, TeslaCrypt and Locky: A Statistical Perspective

By Roland Dela Paz | March 07, 2016

It’s been over two weeks since we reported about Locky and predicted that it will be a major player in the ransomware scene. We decided to check our Intrusion Prevention System (IPS) telemetry statistics for CryptoWall, TeslaCrypt and Locky two weeks after (Feb 17th to March 2nd) to see how Locky is doing and where it sits compared to its more seasoned counterparts.

While the statistics cover a short timeframe, it does give some insights not only on Locky’s early operations but also on how these three major ransomware families are affecting users on a global scale, which we intend to share in this post.

In total, we collected over 18.6 million hits from CryptoWall, TeslaCrypt and Locky C&C communications. It is important to consider that when analysing IPS hits, malware may communicate to its C&C server multiple times. In this case, analysing the ratios of these numbers provide more meaningful results.

The following shows the distribution of hits for the three ransomware families:

Figure 1. Distribution of Cryptowall, TeslaCrypt and Locky IPS hits

As predicted, Locky already covers a big chunk of the infections in the two weeks of its existence. It also surpassed TeslaCrypt infections which shows significantly lower hits.


Below are the top 10 affected countries for Locky with U.S., France and Japan as the top three most hit countries:

Figure 2. Top 10 affected countries for Locky

A heat map of all Locky infections is as follows (darker color indicate higher infections). You can point your mouse pointer to each affected country to see the actual percentages:

Figure 3. Heat map of Locky infections


For CryptoWall, U.S., Japan and Turkey were hit most in the past two weeks:

Figure 4. Top 10 affected countries for CryptoWall

Heat map of CryptoWall infections:

Figure 5. Heat map of CryptoWall infections


Korea appears to be the most hit by TeslaCrypt, followed by U.S. and Turkey:

Figure 6. Top 10 affected countries for TeslaCrypt

Heat map of TeslaCrypt infections:

Figure 7. Heat map of TeslaCrypt infections

Putting the pieces together

Based on the data collected, we can deduce the following takeaways from CryptoWall, TeslaCrypt and Locky’s current operation:

  • Locky ransomware is now confirmed to have a significant presence in the ransomware landscape, seconding CryptoWall and surpassing TeslaCrypt infections.
  • CryptoWall is currently a far more prevalent threat than Locky and TeslaCrypt with TeslaCrypt showing far less activity than its two counterparts.
  • U.S. is the most hit country, consistently appearing in the top 3 most affected countries.
  • U.S., Japan, Canada and Mexico all appeared in the top 10 most affected countries for all three ransomware families.

Fortinet detects CryptoWall, TeslaCrypt and Locky network communications via the IPS rules Cryptowall.Botnet, Teslacrypt.Botnet and Locky.Botnet respectively.

For further reading regarding these ransomware families, you can visit our previous blog posts below:




-= FortiGuard Lion Team =-