It’s been over two weeks since we reported about Locky and predicted that it will be a major player in the ransomware scene. We decided to check our Intrusion Prevention System (IPS) telemetry statistics for CryptoWall, TeslaCrypt and Locky two weeks after (Feb 17th to March 2nd) to see how Locky is doing and where it sits compared to its more seasoned counterparts.
While the statistics cover a short timeframe, it does give some insights not only on Locky’s early operations but also on how these three major ransomware families are affecting users on a global scale, which we intend to share in this post.
In total, we collected over 18.6 million hits from CryptoWall, TeslaCrypt and Locky C&C communications. It is important to consider that when analysing IPS hits, malware may communicate to its C&C server multiple times. In this case, analysing the ratios of these numbers provide more meaningful results.
The following shows the distribution of hits for the three ransomware families:
Figure 1. Distribution of Cryptowall, TeslaCrypt and Locky IPS hits
As predicted, Locky already covers a big chunk of the infections in the two weeks of its existence. It also surpassed TeslaCrypt infections which shows significantly lower hits.
Below are the top 10 affected countries for Locky with U.S., France and Japan as the top three most hit countries:
Figure 2. Top 10 affected countries for Locky
A heat map of all Locky infections is as follows (darker color indicate higher infections). You can point your mouse pointer to each affected country to see the actual percentages:
Figure 3. Heat map of Locky infections
For CryptoWall, U.S., Japan and Turkey were hit most in the past two weeks:
Figure 4. Top 10 affected countries for CryptoWall
Heat map of CryptoWall infections:
Figure 5. Heat map of CryptoWall infections
Korea appears to be the most hit by TeslaCrypt, followed by U.S. and Turkey:
Figure 6. Top 10 affected countries for TeslaCrypt
Heat map of TeslaCrypt infections:
Figure 7. Heat map of TeslaCrypt infections
Putting the pieces together
Based on the data collected, we can deduce the following takeaways from CryptoWall, TeslaCrypt and Locky’s current operation:
Fortinet detects CryptoWall, TeslaCrypt and Locky network communications via the IPS rules Cryptowall.Botnet, Teslacrypt.Botnet and Locky.Botnet respectively.
For further reading regarding these ransomware families, you can visit our previous blog posts below:
-= FortiGuard Lion Team =-