Ransomware has a great advantage for criminals over other forms of cyber plunder: It's fast, and it works.
Forget about the months it may take to craft a spear phishing campaign, infiltrate a target, find and assemble data to exfiltrate and then try to sell the information. Ransomware can be widely distributed, with the threat actor only having to sit back and watch the bitcoin roll in. It counts on victims being unprepared with backups and desperate to restore their systems. Criminals don't even have to compile code because there are ransomware-as-a-service sites on the Dark Web.
So it's no surprise that one unnamed security expert told CSO Online that ransomware pulled in US$1 billion last year.
This week there's news of three more versions of ransomware in the open:
- Following up on last month's discovery of two actors attacking misconfigured MongoDB databases, a third participant has popped up who has hit 221 victims so far. Victims are given 72 hours to send 0.15 bitcoin to a specified wallet. The post says it isn't clear if these are actually three different people, or the same person using different names. A number of the MongoDB installations are backup or test environments running on Amazon AWS, the post also notes, so the victims may not know yet they've been hit;
- A ransomware family called FireCrypt has been discovered by MalwareHunterTeam, which comes as a kit for building the malware. According to this post the author uses a command-line application that automates the process of putting FireCrypt samples together, giving the ability to modify basic settings without having to tinker with bulky IDEs that compile its source code.
Compared to other ransomware builders, says this report, FireCrypt is relatively unsophisticated. Still, authors can generate a unique ransomware executable, give it a custom name, and use a personalized file icon to disguise the executable as a PDF or DOC file;
- Someone with a strange sense of humor has created a ransomware version that tries to teach victims a lesson in safe computing. Dubbed Koolova, it gives victims a decryption key not for money but for reading two security articles, one of which is a Google Security Blog post called "Stay safe while browsing". Don't read the articles and the machine stays encrypted. A security researcher discovered the code while it's still under development. So far, apparently, it's not in the wild.
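The MongoDB victims described above were hit because their databases accepted connections from the internet without credentials. The following is an added example, not code from the article or from MongoDB, that shows the two mongod.conf settings a defender should check and flags the weak combination. The configurations are constructed samples, written as the dicts a YAML loader would produce so the script runs without extra dependencies; the address 10.0.0.5 is a placeholder.

```python
"""Flag mongod settings that leave a database open to the mass
compromise described in the article. Added example, not from the
article or the MongoDB project. The two configs are constructed
samples of mongod.conf, already loaded into dicts (no PyYAML needed)."""

# Constructed sample: listens on every interface, no authorization.
EXPOSED_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section: authorization defaults to disabled
}

# Constructed sample: hardened equivalent (10.0.0.5 is a placeholder).
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}


def _bind_addresses(net):
    """Return the bindIp list, or None when the key is absent.
    mongod writes bindIp as a comma-separated string; a YAML list is
    also tolerated here."""
    raw = net.get("bindIp")
    if raw is None:
        return None
    if isinstance(raw, str):
        return [a.strip() for a in raw.split(",") if a.strip()]
    return [str(a).strip() for a in raw]


def assess_mongod_config(cfg):
    """Return a list of findings; an empty list means neither weak
    setting was found."""
    findings = []
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}

    # Exposure: is the listener reachable beyond localhost?
    exposed = False
    addrs = _bind_addresses(net)
    if net.get("bindIpAll") is True:
        exposed = True
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif addrs is None:
        # Before MongoDB 3.6 the binaries bound to all interfaces unless told otherwise.
        exposed = True
        findings.append("net.bindIp not set: releases before 3.6 listen on every interface by default")
    elif any(a in ("0.0.0.0", "::") for a in addrs):
        exposed = True
        findings.append("net.bindIp includes a wildcard address: mongod listens on every interface")

    # Access control: does a connecting client need credentials?
    no_auth = security.get("authorization") != "enabled"
    if no_auth:
        findings.append("security.authorization is not 'enabled': any client that connects has full access")

    # Either weakness alone is bad; together they are the ransom scenario.
    if exposed and no_auth:
        findings.append("CRITICAL: database is reachable from the network without credentials")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_mongod_config(cfg) or ["no findings"])
```

The check is deliberately narrow: it reads only the two settings that decide whether an unauthenticated stranger can reach the data, and it does not replace a firewall or security group in front of the instance. The article's point that many victims were backup or test environments is the reason to run a check like this over every mongod.conf, not only the production one.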
Security experts are divided on what 2017 will see for ransomware, with some believing it will dramatically expand while others forecast a decline as law enforcement agencies around the world band together to fight the malware.
Just before the year ended McAfee was one security vendor that predicted a decline in ransomware compared to 2016, although that drop won't start until the second half of this year. "We predict that initiatives like the" it forecast.
As always the best defence an organization has against malware is an updated backup.