'Tis the season cyber criminals hustle to introduce a sleigh full of new wrinkles to proven attacks.

As 2016 draws to a close, ransomware, in particular, remains a top concern. Cyber criminals have become stunningly efficient at encrypting computer files, and then demanding an extortion payment to deliver a decryption key. Unfortunately, for many victims, paying off these blackmailers has become a practical option.

Know your enemy, and yourself, and you need not fear 100 battles, advised Sun Tzu. In that spirit, here is some timely, detailed intel from Proofpoint, a Sunnyvale, Calif.-based cybersecurity company.

Coming wave.

The number of ransomware families increased by 53 percent July through September as compared to April through June, and is up a whopping ten-fold since December 2015. "Ransomware is easy to create, easy to distribute, and can be rapidly monetized without relying on bank transfers, money mules and other third parties," observes Patrick Wheeler, Proofpoint's Director of Threat Intelligence. "The ability of threat actors to innovate makes it likely that ransomware campaigns will continue to capitalize on 'the human factor' for some time."

This steady escalation could signal that cyber criminals are preparing to unleash a wave of ransomware attacks against consumers and companies - campaigns designed to take full advantage of the seasonal surge in Internet traffic that commences around Thanksgiving.

Shifting tactics.

All year long, elite ransomware rings have been shifting their TTPs - tactics, techniques and procedures - in response to countermeasures taken by security vendors, Wheeler tells me.

In the first half of this year, for instance, ransomware was spread mainly via drive-by downloads and malvertising. A victim needed to click through to a web page set up to slip ransomware onto the visitor's computer. Or the victim needed to visit a web page at the precise moment a malicious online ad was being served on that page.

Proactive adaptation.

As security vendors helped companies improve their website defenses, the attackers proactively adapted. By August, email emerged as the primary delivery method for ransomware. Proofpoint analysts observed the gang behind the CryptFile2 family of ransomware, for instance, begin to blast out email offering bogus American Airlines discounts and freebies.

Instead of enticing the recipient to open a malicious attachment, the message suggested clicking a link to a Microsoft Word document hosted on a web page. It was this hosted Word doc that actually carried the ransomware. Taking these extra steps may have helped the attackers evade tougher filtering rules in email gateways, Wheeler explains.
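The tactic described above sidesteps attachment scanning by moving the malicious document behind a link. A gateway can close that gap by inspecting URLs in the message body for hosted Office documents and combining that with the lure wording. The following is an added illustration, not Proofpoint's code; the helper names and the sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hypothetical helpers for a mail-gateway rule; the messages below are
# constructed samples, not captured campaign data.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
OFFICE_EXT = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm"}
LURE_WORDS = ("discount", "voucher", "free", "package", "tracking", "delivery")


def hosted_office_links(body):
    """Return URLs in the body whose path points at an Office document."""
    found = []
    for url in URL_RE.findall(body):
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in OFFICE_EXT):
            found.append(url)
    return found


def score_message(subject, body):
    """Heuristic verdict: hosted-document link plus lure wording -> quarantine.

    A document link or lure wording on its own only sends the message to
    human review, so ordinary business mail with a .docx link is not blocked.
    """
    links = hosted_office_links(body)
    text = (subject + " " + body).lower()
    lures = [w for w in LURE_WORDS if w in text]
    if links and lures:
        verdict = "quarantine"
    elif links or lures:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "doc_links": links, "lures": lures}


# Constructed samples modelled on the airline-discount and package-tracking lures.
SAMPLES = [
    ("Your American Airlines discount",
     "Claim your free voucher: http://example.invalid/promo/voucher.doc"),
    ("Package tracking information",
     "Track your delivery here: http://example.invalid/track/details.docm"),
    ("Team lunch Friday", "Menu is at http://example.invalid/menu.html"),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(subj, "->", score_message(subj, body)["verdict"])
```

Links that hide the document behind a redirect or a path without an extension will not match on the URL alone; a production gateway would also fetch the link and check the served content type.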

Targeting verticals.

CryptFile2 was distinctive for another reason: it primarily targeted a couple of vertical sectors -- state and local government and K-12 schools. Then in late September, a new family of ransomware, dubbed MarsJoke, cropped up. Over the course of three days, Proofpoint detected and blocked more than 75,000 emails carrying the MarsJoke attack, which also targeted local government agencies and schools. However, instead of airline freebies, MarsJoke attempted to steer victims to click on a malicious link related to package tracking information.

Clicking that link and opening the downloaded file triggered a black screen to appear on the victim's computer emblazoned with "Your personal files are encrypted !!!" in large red type. A dialogue box also appeared presenting the ransom instructions in English, with the option to show instructions alternatively in Russian, Italian, Spanish or Ukrainian. The victim was given 96 hours to pay for a decryption key -- or the encrypted files would be automatically deleted.

It's not hard to figure out why the CryptFile2 and MarsJoke gangs targeted government and schools at a time when budget requests were being formulated and students were returning to class. Hectic activity equals distraction and diversion, which makes social engineering much easier.

Similarly, the surge of holiday advertising and shopping translates into better cover for cyber criminals. In the weeks ahead, do not be surprised if an unprecedented number of consumers and companies find themselves having to choose between paying a hefty ransom - or losing irreplaceable files.

There are two immediate things you can do to protect yourself: back up your important files thoroughly and often, and click extra cautiously this holiday season - and beyond.