While ransomware can infect computers anywhere, researchers from security firm Malwarebytes say certain cities have been particularly hard hit, with the Las Vegas area at the top of the list.
The Santa Clara company detects the malicious software on devices in the Las Vegas/Henderson area at a rate 500 times the average of the top 40 U.S. cities by ransomware detection, the company said this week. The city sees the most infections overall, as well as the most infections per computer and per resident, according to the company.
That may be in part due to the number of tourists and convention-goers bringing their laptops to Las Vegas—then, after days filled with work and play, forgetting all the lessons they’ve heard about keeping their computers safe, says Adam Kujawa, head of malware intelligence at Malwarebytes.
“They might have a few drinks, they’ll relax, they’ll see a show—that kind of environment is created almost specifically to lower people’s guards,” he says. “It makes it a really prime situation for cybercriminals to dupe users.”
After ransomware gets on a computer, it typically encrypts files and effectively holds them prisoner until the owner pays a bounty. It’s often installed by clicking on attachments in scam emails or through automated downloads from malware-infected websites.
While security firm Symantec said in a July report that the majority of ransomware infections are on consumer-owned, rather than corporate, machines, the attacks have also disabled computers at institutions from hospitals to police departments. Last month, the San Francisco Municipal Transportation Agency shut down fare payment systems and offered free subway rides after the agency said ransomware struck more than 900 office computers.
“The SFMTA has never considered paying the ransom,” the agency said in a statement. “We have an information technology team in place that can restore our systems, and that is what they are doing.”
In general, corporate networks get infected through the same types of attacks that infect personal machines, Kujawa says.
“The intentional attack of large organizations, while it does happen, is not that common, and much more often these people might get infected by a mass campaign that one of their employees might fall for, and then it spreads through the network,” he says.
The company’s study, which tracked 400,000 cases where ransomware was detected from July through October, including incidents in more than 200 countries, found the U.S. overall had by far the greatest share of ransomware attacks, with 26% of all studied incidents, similar to numbers reported earlier this year by Symantec.
“We wanted to see exactly what countries, what parts of the world, and even what cities were being hit the most,” Kujawa says. “We found that the USA was actually hit the most, more than any country out there, with Germany being hit second.”
Ransomware attackers use increasingly sophisticated and targeted phishing emails to dupe victims, often masquerading as banks or payment providers like PayPal, he says. Many attackers are customers of so-called ransomware-as-a-service providers, which develop the software and split profits with attackers who craft the actual emails luring victims.
“If they want to hire a scammer or spammer or somebody who might be running a malvertising campaign or just a drive-by exploit campaign, they can do that,” Kujawa says.
The most common ransomware variant found in the Malwarebytes study was Cerber, which first appeared in March and is believed to have been created by a ransomware-as-a-service provider based in Russia. The malware will generally refuse to infect computers in Russia and other former Soviet nations, according to Malwarebytes.
Rounding out the list of top U.S. cities for ransomware infection were Memphis, Tennessee; Stockton, California; Detroit, Michigan; Toledo, Ohio; Cleveland, Ohio; Columbus, Ohio; Buffalo, New York; San Antonio, Texas; and Fort Wayne, Indiana, according to Malwarebytes.