Out of the 62 ransomware families found active in 2016, security firm Kaspersky Lab says that 47 of these strains contained artifacts that allowed attribution to Russian-speaking criminals.

That means that 75% of all the ransomware families active during the past year were developed by a Russian-speaking coder, most likely hiding in one of the former Soviet states.

Clues included source code snippets, C&C server URLs, ads on underground forums, and more.

XMPP spam advertising Cerber RaaS system
XMPP spam advertising Cerber RaaS system

The proliferation of ransomware cybercrime operations in Russia was also helped by the myth that Russian authorities won't go after Russian hackers if they don't attack Russian users.

That's why, in most cases, you'll see ransomware variants that will refuse to execute if the local keyboard or language settings are set in Russian or for other neighboring countries, former members of the USSR.

A ransomware attack occurs every 10 seconds

According to telemetry recorded by Kaspersky Lab security products, ransomware has grown tremendously in the past year.

The Russian antivirus maker says that the frequency of ransomware attacks has intensified during the past year from one at every 20 seconds to one at 10 seconds towards the end of the year, with businesses being hit every 40 seconds.

In fact, experts noticed a recent trend of ransomware authors moving away from classic mass-spamming of random users to targeted attacks against high-value enterprises. One such ransomware gang is the group behind the Crysis ransomware, who's been recently using RDP brute-force attacks to infect large organizations. In the past six months, this group's activity has more than doubled, according to security firm Trend Micro.

Ransomware in 2016
Ransomware in 2016 (via Kaspersky Lab)

In total, only the company's security products picked up attacks on 1,445,434 users worldwide, albeit not all were successful, and the number might be higher if we count data from other security vendors.

Additionally, even if only 62 different ransomware strains were active in 2016, researchers detected 32,091 different variations of this small number of ransomware families, making quick detection of known threats even harder.

RaaS portals helping with ransomware popularity

Contributing to the growing popularity of ransomware attacks is the fact that some cybercrime groups behind these threats have branched out into new operations, such as renting their infrastructure to others.

Called Ransomware-as-a-Service, or RaaS, these operations automate the process of assembling a custom ransomware version (via a builder) and collecting money from users via proxy transactions (victim pays the RaaS, which sends the renter his cut).

Globe ransomware builder
Globe ransomware builder
Xorist ransomware builder
Xorist ransomware builder
ShinoLocker ransomware builder
ShinoLocker ransomware builder

The only thing renters must do is to find a way to deliver the ransomware to victims. This isn't as complicated as you'd think since there are also email spamming services and exploit kits that crooks can rent and spread their ransomware without ever having to know how a browser exploit or email server even works.

Overall, the technical skills needed to start a ransomware operation have gone down in 2016.

Kaspersky anticipates that ransomware operations will continue to grow, as more cybercrime groups will be drawn into the market by the earnings they could make.

The security firm estimates that currently, ransomware groups get to keep around 60% of all the money they make, which is huge profit margin, one that's likely to keep the ransomware wave rolling in 2017.