Cerber, a new ransomware strain that appeared at the start of the year, remains very busy, researchers said.
The ransomware, believed to have been created by Russian developers, was very busy in April and May, said researchers at Check Point, an Israeli security firm.
The ransomware uses TTS (Text-To-Speech) to read out its ransom note to victims.
Since then, the ransomware has constantly evolved to add new features.
The two most recent waves were bigger than usual, something that caught the eye of researchers.
The first wave took place between April 4 and 18 while the second took place between May 20 and 31, according to a blog post by Tamara Leiderfarb, technology leader, advanced host threat prevention group, and Omer Dembinsky, lead data analyst, threat intelligence at Check Point.
Attackers sent out email spam containing Office documents with malicious macros that downloaded and installed the ransomware.
This particular campaign hit users in the U.S. the hardest, with 41 percent of all targets residing in that country. Second were users in Turkey, followed by the UK, Israel, and Taiwan.
The second Cerber ransomware spam flood perfectly overlapped with another massive spam campaign that occurred at the same time.