{"id":6630,"date":"2017-02-14T14:00:45","date_gmt":"2017-02-14T22:00:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/14\/news-449\/"},"modified":"2017-02-14T14:00:45","modified_gmt":"2017-02-14T22:00:45","slug":"news-449","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/14\/news-449\/","title":{"rendered":"Ransomware: a declining nuisance or an evolving menace?"},"content":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Tue, 14 Feb 2017 21:56:15 +0000<\/strong><\/p>\n<p>The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat?<\/p>\n<p>Unfortunately, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals otherwise.<\/p>\n<p>Ransomware was arguably the biggest security story of 2016. It certainly was one of the most prevalent threats. Our monitoring of the ransomware ecosystem in 2016 shows:<\/p>\n<ul>\n<li>Every quarter, more than 500 million emails sent by spam campaigns carry ransomware downloaders that attempt to install ransomware on computers<\/li>\n<li>These ransomware downloaders found their way into 13.4 million computers<\/li>\n<li>On the other hand, 4.5 million computers were exposed to the <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/tag\/meadgive\/\">Meadgive<\/a> and <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/tag\/neutrino\/\">Neutrino<\/a> exploit kits, whose primary payload is ransomware<\/li>\n<li>All in all, the ransomware payloads of these spam and exploit kit campaigns were observed in 3.9 million computers in 2016<\/li>\n<\/ul>\n<p>The impact of ransomware attacks extended beyond consumers as businesses and the public sector fell victim to the threat. 
Mainstream news coverage of attacks, including stories of <a target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2016\/02\/19\/business\/los-angeles-hospital-pays-hackers-17000-after-attack.html\">a California hospital paying ransom<\/a> to restore important medical files and the <a target=\"_blank\" href=\"http:\/\/www.forbes.com\/sites\/thomasbrewster\/2016\/11\/28\/san-francisco-muni-hacked-ransomware\/\">interruption of the San Francisco transport system<\/a>, injected ransomware deeper into mainstream consciousness. In September, a <a target=\"_blank\" href=\"http:\/\/bigstory.ap.org\/article\/3855ee21f660445fb8cb97bda7d2372d\/europol-ransomware-now-top-cybercrime-threat\">Europol report<\/a> cited ransomware as the biggest cyber threat, overtaking data-stealing malware and online banking trojans.<\/p>\n<p>Data from Windows Defender Antivirus shows an interesting trend: after peaking in August, when 385,000 encounters were registered, ransomware encounters dropped almost 50% in September, and they have continued to decline.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1089\" height=\"382\" class=\"alignnone size-full wp-image-11295\" alt=\"ransomware-monthly-encounters\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-monthly-encounters.png\" \/><\/p>\n<p><em>Figure 1. Monthly encounters of ransomware payload files, excluding downloaders and other components; some industry figures combine the two<\/em><\/p>\n<p>Does this trend signal that we are seeing the end of ransomware? A look at other areas of the ransomware ecosystem reveals otherwise.<\/p>\n<p>(Note: This blog post is the second in the 2016 threat landscape review series, following a <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/23\/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series\/\">review of exploit kits<\/a>. 
The series looks at how major areas in the threat landscape are evolving. In future blogs, we will look at how support scam malware and macro malware transformed in the past year.)<\/p>\n<h2>Ransomware blocked before arrival<\/h2>\n<p>To understand if ransomware is on the decline, we need to look at other areas of the infection chain, starting with attack vectors. Windows Defender Antivirus data and our research on ransomware downloaders\u2014the primary ransomware attack vector in 2016\u2014tell a different story.<\/p>\n<h3>Trojan downloaders distributed via email campaigns<\/h3>\n<p>Downloader trojans like <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=TrojanDownloader:JS\/Nemucod\">Nemucod<\/a> and <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=TrojanDownloader:O97M\/Donoff\">Donoff<\/a> install ransomware on target computers. Often taking the form of documents or shortcut files, these downloaders are distributed via email campaigns that use various social engineering tactics.<\/p>\n<p>There wasn\u2019t a decline in the volume of emails that carry these ransomware downloaders. In the last quarter of 2016, we saw 500 million such emails. The downloader trojans ended up in at least one million computers every month in the same period. Clearly, cybercriminals have not stopped trying to infect computers with ransomware. 
In fact, up until the very end of 2016, we witnessed <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/11\/23\/dont-let-this-black-friday-cyber-monday-spam-deliver-locky-ransomware-to-you\/\">Nemucod email campaigns delivering Locky<\/a> and <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/12\/21\/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close\/\">Donoff campaigns delivering Cerber<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1089\" height=\"407\" class=\"alignnone size-full wp-image-11305\" alt=\"ransomware-monthly-encounters-and-downloader\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-monthly-encounters-and-downloader.png\" \/><\/p>\n<p><em>Figure 2. While ransomware encounters showed a significant decline at the end of 2016, encounters of ransomware downloaders were higher on average in the second half compared to the first half<\/em><\/p>\n<p>Clearly, the decline in ransomware encounters was not for lack of trying by cybercriminals. We\u2019re still seeing huge volumes of email carrying ransomware downloader trojans. However, ransomware infections were blocked at this entry point. This is an interesting development, because in 2016 we saw ransomware operators shift from exploit kits to email as their preferred infection vector.<\/p>\n<h3>Exploit kits<\/h3>\n<p>The <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/tag\/neutrino\/\">Neutrino<\/a> exploit kit was used to install <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Locky\">Locky<\/a> ransomware in computers. 
We saw Neutrino use increase in the middle of 2016, filling in the hole left by <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Exploit:JS\/Axpergle\">Axpergle<\/a> (aka, the Angler exploit kit) when it disappeared in June. Apparently, Neutrino started scaling down in September as its operators reportedly went private, opting to cater to select cybercriminal groups.<\/p>\n<p>Another popular exploit kit, <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/tag\/meadgive\/\">Meadgive<\/a> (aka, the RIG exploit kit), primarily delivered Cerber ransomware. In 2016, we saw the use of Meadgive steadily increase, as it became a top exploit kit used to deliver malware. As late as December 2016, we detected a Meadgive campaign distributing the latest version of Cerber, primarily in Asia and in Europe.<\/p>\n<p>Although the usage of <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/23\/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series\/\">exploit kits is falling<\/a>, we continue to see ransomware using exploit kits to infect computers. This is because ransomware campaigns can use exploits to elevate privileges and run potentially harmful routines with fewer restrictions.<\/p>\n<h2>Attackers continue to innovate<\/h2>\n<p>The numerous innovations in malware code we observed in 2016 are another indication that we have not seen the end of ransomware. Cybercriminals are continually updating their wares. 
For instance, toward the end of 2016, we documented significant <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/12\/21\/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close\/\">updates to the latest Cerber version<\/a>.<\/p>\n<p>These improvements in malware code are cascaded in attacks via <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/glossary.aspx#ransomware-as-a-service\">ransomware-as-a-service<\/a>, which provides a business model that makes the latest versions of ransomware available for cybercriminals in underground forums. This business model makes it easier for cybercriminals with the resources and motivation to launch attacks.<\/p>\n<p>The following are some of the improvements in ransomware behavior we saw in 2016.<\/p>\n<h3>Server targeting<\/h3>\n<p>The discovery of <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:MSIL\/Samas\">Samas<\/a> ransomware in early 2016 cemented ransomware as a major problem for commercial companies. With ransomware that specifically targeted servers, IT administrators not only needed to protect endpoints, they also had to ramp up their server protection.<\/p>\n<p>Samas campaigns <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/03\/17\/no-mas-samas-whats-in-this-ransomwares-modus-operandi\/\">exploited server vulnerabilities<\/a>. The campaigns searched for vulnerable networks using pen-testing tools and deployed various components to encrypt files on servers.<\/p>\n<h3>Worm capabilities<\/h3>\n<p><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/ZCryptor.A\">Zcryptor<\/a> exhibited a capability to spread, demonstrating that some ransomware didn\u2019t need to rely on campaigns to move from endpoint to endpoint. 
It identifies network drives, logical drives, and removable drives that it can use to spread. Only a few days into 2017, <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/Spora\">Spora<\/a> was discovered sporting similar behavior.<\/p>\n<h3>Alternative payment and contact methods<\/h3>\n<p>Traditionally, ransomware demanded that victims pay in Bitcoin through underground websites in the Tor network. In what appeared to be a response to lower rates of ransom payment, cybercriminals began to explore new ways of encouraging victims to pay.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/Dereilock.A\">Dereilock<\/a>, for instance, told victims to contact the attackers via Skype. <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/Telecrypt.A\">Telecrypt<\/a>, on the other hand, used Telegram Messenger, another messaging service, as a communication channel to attackers.<\/p>\n<p>Spora went the \u201cfreemium\u201d route \u2013 victims can decrypt a couple of files for free, or a set of files for a lower ransom, presumably to show that the decryptor works.<\/p>\n<h3>Evolving social engineering tactics<\/h3>\n<p>In 2016, most ransomware started displaying a countdown timer. 
This can pressure victims into immediately paying ransom, fearing they risk permanently losing access to their files.<\/p>\n<p>When Cerber came out in March, it created waves because in addition to the usual ransom note in text and HTML formats, a VBScript converted text into an audio message demanding ransom, prompting researchers to call Cerber the \u201cransomware that speaks\u201d.<\/p>\n<p>Another ransomware, <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:MSIL\/CornCrypt.A\">CornCrypt<\/a>, offered to decrypt files for free if the victim infected two other users, hoping to get the snowball effect rolling. Ultimately, the more victims there are, the higher the likelihood of finding victims who are willing to pay.<\/p>\n<h2>Young ransomware families are on top<\/h2>\n<p>The threat of ransomware will likely continue, as seen in the number of new ransomware families being released in the wild. Of the more than 200 active ransomware families that we track, about 50% were first discovered in 2016.<\/p>\n<p>Most of these new ransomware families are encryption ransomware. This type of ransomware has eclipsed the older lockscreen ransomware, which simply locks the computer screen without encrypting files.<\/p>\n<p>In 2016, we saw multiple ransomware families that used new methods and techniques. However, the top five ransomware families accounted for 68% of all ransomware encounters in 2016.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1090\" height=\"753\" class=\"alignnone size-full wp-image-11275\" alt=\"ransomware-encounters-by-family\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-encounters-by-family.png\" \/><\/p>\n<p><em>Figure 3. 
Cerber and Locky, both discovered in 2016, were the top ransomware of the year<\/em><\/p>\n<p>Interestingly, the top two ransomware families were discovered only in 2016.<\/p>\n<h3>Cerber<\/h3>\n<p><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Cerber\">Cerber<\/a> was discovered in March 2016 and got its name from the extension name it used on encrypted files. From March to December, it was observed in more than 600,000 computers.<\/p>\n<p>Cerber is being offered in underground forums as ransomware-as-a-service, allowing attackers to launch ransomware campaigns without actually writing malware code. Most of its behaviors are controlled by a configuration file.<\/p>\n<p>The latest version of Cerber encrypts almost 500 file types. It is known to prioritize certain folders when searching for files to encrypt.<\/p>\n<p>Cerber primarily arrives via email campaigns that spread the Donoff downloader, a malware that downloads Cerber.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1088\" height=\"350\" class=\"alignnone size-full wp-image-11265\" alt=\"ransomware-cerber-donoff-encounters\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-cerber-donoff-encounters.png\" \/><\/p>\n<p><em>Figure 4. Cerber encounters dropped dramatically starting September, but encounters of Donoff, which downloads Cerber, started to increase in December<\/em><\/p>\n<p>Cerber is also known to use Meadgive or the RIG exploit kit to infect computers. 
Meadgive was the <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/23\/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series\/\">top exploit kit by end of 2016<\/a>.<\/p>\n<h3>Locky<\/h3>\n<p><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Locky\">Locky<\/a> registered the second most encounters in 2016, at more than 500,000. It was discovered in February and similarly got its name from the extension name it used on encrypted files. It has since used other extension names, including .zepto, .odin, .thor, .aeris, and .osiris.<\/p>\n<p>Just like Cerber, multiple campaign operators subscribe to Locky as a ransomware-as-a-service. It contains code for its encryption routine, but it can also retrieve encryption keys and ransom notes from a remote server before encrypting files.<\/p>\n<p>Locky campaigns initially used the Neutrino exploit kit to infect computers, but later campaigns used email messages carrying Nemucod, which downloaded and executed Locky.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1088\" height=\"349\" class=\"alignnone size-full wp-image-11285\" alt=\"ransomware-locky-nemucod-encounters\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-locky-nemucod-encounters.png\" \/><\/p>\n<p><em>Figure 5. Nemucod encounters in the second half of 2016 remained steady, even though Locky encounters dropped dramatically in the same period<\/em><\/p>\n<h2>Ransomware as a global threat<\/h2>\n<p>Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. 
Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1520\" height=\"733\" class=\"alignnone size-full wp-image-11255\" alt=\"geographic-distribution\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/geographic-distribution.png\" \/><\/p>\n<p><em>Figure 6. Ransomware was observed in over 200 territories<\/em><\/p>\n<p>In the US, Cerber registered the biggest number of encounters. Cerber was so big in the US that 27% of all encounters in the world were recorded there. Locky, the other major ransomware discovered in 2016, was the second most widespread ransomware family in the US.<\/p>\n<p>Italy and Russia show a different picture with older versions of ransomware being more prevalent. In Italy, Critroni, a ransomware that has been around since 2014, was the most prevalent. When Critroni first came out, its ransom note was in both English and Russian. Newer versions have added more European languages, including Italian.<\/p>\n<p>Troldesh, discovered in early 2015, was top in Russia. After encrypting files, Troldesh modifies the desktop wallpaper to show a message in both Russian and English. It asks victims to email the attackers for payment instructions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1091\" height=\"934\" class=\"alignnone size-full wp-image-11315\" alt=\"ransomware-top-5-ransomware-in-top-5-countries\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/02\/ransomware-top-5-ransomware-in-top-5-countries.png\" \/><\/p>\n<p><em>Figure 7. 
Countries with the most ransomware encounters\u2014US, Italy, Russia, Korea, and Spain\u2014are affected by different ransomware families, possibly as a result of localized campaigns<\/em><\/p>\n<h2>Conclusion: an evolving menace requires evolving solutions<\/h2>\n<p>Even though there is a dip in overall ransomware encounters, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals that we have not seen the end of this multi-component threat.<\/p>\n<p>Microsoft has built and is constantly enhancing Windows 10 to arm you with protection components built directly into the operating system itself.<\/p>\n<h3>Preventing ransomware infections<\/h3>\n<p>Most ransomware infections begin with email messages that carry downloader trojans. This is the primary vector that cybercriminals use to install ransomware. <a target=\"_blank\" href=\"https:\/\/blogs.office.com\/2015\/04\/08\/introducing-exchange-online-advanced-threat-protection\/\">Office 365 Advanced Threat Protection<\/a> has machine learning capability that blocks dangerous email threats, such as the millions of emails carrying ransomware downloaders that spam campaigns send.<\/p>\n<p>Some ransomware arrives via exploit kits. <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/itpro\/microsoft-edge\/index\">Microsoft Edge<\/a> can protect against ransomware by preventing exploit kits from running and executing ransomware. 
Using <a target=\"_blank\" href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/#3FYqD02TC1A6VsaL.97\">Microsoft SmartScreen<\/a>, Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/itpro\/windows\/keep-secure\/device-guard-deployment-guide\">Device Guard<\/a> can lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing ransomware and other dangerous software from executing.<\/p>\n<h3>Detecting ransomware<\/h3>\n<p>Ransomware authors may be some of the most prolific malware creators, introducing new families and continuously updating existing ones. They can also get creative in exploiting attack vectors to install ransomware in your computer.<\/p>\n<p>Windows 10 helps to immediately detect ransomware attacks at the first sign. <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\">Windows Defender Antivirus<\/a> helps detect ransomware, as well as the exploit kits and trojan downloaders that install them. It uses cloud-based protection, helping to protect you from the latest threats.<\/p>\n<p>Windows Defender Antivirus\u00a0is built into Windows 10 and, when <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\">enabled<\/a>, provides real-time protection against threats. 
Keep Windows Defender Antivirus and other software <a target=\"_blank\" href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\">up-to-date<\/a> to get the latest protection.<\/p>\n<h3>Responding to ransomware attacks<\/h3>\n<p><a target=\"_blank\" href=\"http:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender Advanced Threat Protection<\/a> (Windows Defender ATP) alerts\u00a0security operations teams about suspicious activities. These include alerts for PowerShell command execution, TOR website connection, launching of self-replicated copies, and deletion of volume shadow copies. These are <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/30\/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp\/\">behaviors exhibited by some ransomware families, such as Cerber<\/a>, and could be observed in future ransomware.<\/p>\n<p>Windows Defender ATP can be <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">evaluated free of charge<\/a>.<\/p>\n<h3>Even more protection in Windows 10 Creators Update<\/h3>\n<p>On top of these existing protection features, more security capabilities will be provided with Windows 10 Creators Update. These include Windows Defender Antivirus\u00a0and Office 365 integration to create a layered protection that can help to further shrink email as an attack surface.<\/p>\n<p>Windows Defender Antivirus\u00a0will strengthen context-aware detections and machine-learning capabilities that detect behavioral anomalies, providing detection capabilities at many points in the infection chain. 
Better integration of threat intelligence further provides faster blocking against delivery campaigns.<\/p>\n<p>Windows Defender ATP will enable security professionals to <a target=\"_blank\" href=\"https:\/\/blogs.windows.com\/business\/2016\/12\/06\/windows-10-creators-update-advances-security-best-class-modern-tools\/#SQhJIPexlQuV4z7z.97\">isolate compromised machines from the corporate network<\/a>, stopping network outbreaks. The update will also provide an option for security professionals to specify files for quarantine and prevent subsequent execution.<\/p>\n<p>The threat of ransomware may not be going away soon, but Windows 10 will continue to improve and provide enhanced protection against this vicious threat.<\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/02\/14\/ransomware-2016-threat-landscape-review\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Tue, 14 Feb 2017 21:56:15 +0000<\/strong><\/p>\n<p>The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat? Unfortunately, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals otherwise. 
Ransomware was arguably the biggest security story of 2016&#8230;.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10905,11334,11335,11336,10879,10534,10795,11034,10700,11337,10851,11338,3765,11339,10518,11174,11340,11341,10761,11056,10762,10865,11342],"class_list":["post-6630","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-cerber","tag-corncrypt","tag-critorni","tag-dereilock","tag-donoff","tag-exploit-kit","tag-locky","tag-meadgive","tag-microsoft-edge","tag-microsoft-smartscreen","tag-nemucod","tag-neutrino","tag-ransomware","tag-samas","tag-spam","tag-spora","tag-telecrypt","tag-troldesh","tag-windows-10","tag-windows-10-creators-update","tag-windows-defender","tag-windows-defender-atp","tag-zcryptor"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6630"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6630\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6630"},{"taxonomy":"post_tag","embedda
ble":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}