Ransomware IOCs and Trends in Late 2015 and Early 2016
One notable event in 2015 was the discovery of the ransomware known as Linux.Encoder.1, which is considered the first ransomware to target Linux-based systems. Furthermore, while the first OS X ransomware (FileCoder) was discovered in 2014, a new OS X ransomware called KeRanger appeared in 2016. It might be too early to call this a trend, but threat actors are clearly looking to expand their reach.
The next noticeable change was a shift in whom threat actors are targeting. For instance, SamSam (also known as Samas) was first introduced in February 2016 and made headlines for targeting enterprise networks, mainly hospitals. Instead of employing user-focused attack vectors like exploit kits and phishing, which cast a wide net, SamSam uses a targeted approach. Specifically, the attackers behind SamSam used open-source tools like JexBoss to identify vulnerable JBoss application servers. Once they had a foothold in the network, they moved laterally to compromise machines and hold them for ransom. A full write-up on SamSam can be found here.
Below is a link to a comprehensive list of ransomware. This list is helpful for SOC analysts and the public, as it contains plenty of IOCs.
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#