Threat Intelligence

11/2/2017
05:01 PM
Dark Reading
Dark Reading
Products and Releases
100%
0%

2018 Malware Forecast: Ransomware Hits Hard, Continues to Evolve

SophosLabs looked at the most prolific ransomware variants and offers tools to better defend against them.

Sophos releases its 2018 Malware Forecast today, and the big takeaway is this: ransomware remains a huge problem for companies and isn’t going away. In 2017, attackers further perfected their ransomware delivery techniques, leading to global outbreaks such as WannaCry, NotPetya and, most recently, Bad Rabbit.

Though most ransomware is hitting Windows users, it’s clear that people aren’t immune if they use other platforms, including mobile devices. A prime example is the amount of ransomware contaminating Android apps, whether they’re in Google Play or other online sources.

Ransomware from 1 April - 3 October 2017

Ransomware remains a vexing problem for many companies. SophosLabs looked at the most prolific ransomware families and attack vectors over a six-month period with an eye toward helping those organizations cope.

The statistics below cover the six-month period between 1 April and 3 October 2017. The data was collected using lookups from customer computers.

WannaCry, unleashed in May 2017, was the number-one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3% of all ransomware tracked through SophosLabs, with Cerber accounting for 44.2%.

“For the first time, we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of an old Windows vulnerability to infect and spread to computers, making it hard to control,” said SophosLabs researcher Dorka Palotay, who specializes in ransomware analysis. “Even though WannaCry has tapered off and Sophos has defenses for it, we still see the threat because of its inherent nature to keep scanning and attacking computers. We’re expecting cybercriminals to build upon WannaCry and NotPetya and their ability to replicate, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.”

The Sophos 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable.

The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data, according to Palotay.

“NotPetya spiked fast and furiously before taking a nose dive, but did ultimately hurt businesses. This is because NotPetya permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started,” said Palotay. “We suspect the cybercriminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and installing Sophos Intercept X, which can detect zero-day ransomware within seconds.”

Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber make money by charging the criminals who use it a percentage of each ransom they’re paid. The malware is continually refined and updated in an attempt to stay one step ahead of security software. Regular new features make Cerber not only an effective attack tool, but perennially available to cybercriminals.

Android ransomware on the rise

Android ransomware is also attracting cybercriminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.

“In September alone, 30.37% of malicious Android malware processed by SophosLabs was ransomware.” said Rowland Yu, a SophosLabs security researcher focusing on mobile malware. “One reason we believe ransomware on Android is taking off is because it’s an easy way for cybercriminals to make money instead of stealing contacts and SMS, popping ups ads or even bank phishing which requires sophisticated hacking techniques. It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.”

SophosLabs analysis systems will have processed an estimated 10 million suspicious Android apps by the end of 2017, up from the 8.5 million processed through all of 2016. The vast majority — 77% — turned out to be malware, while 23% were PUAs.

The number of malicious apps has risen steadily in the last four years. In 2013, just over a half million were malicious. By 2015 it had risen to just under 2.5 million. For 2017, the number is up to nearly 3.5 million.

Meanwhile, we’ve seen a drop in PUAs. The numbers had risen steadily between 2013 and 2016, but 2017 saw a drop from 1.4 million down to below 1 million.

Looking at the top Android malware families since the beginning of 2017, Rootnik was most active – 42% of all such malware stopped by SophosLabs. PornClk was second most active at 14%, while Axent, SLocker and Dloadr followed behind at 9%, 8% and 6%, respectively.

Many apps on Google Play were found to be laced with Rootnik, and that family was also seen exploiting the DirtyCow Linux vulnerability in late September.

Ransomware Defensive Measurers

To better protect yourself from this sort of thing:

  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can be lost, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
  • Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...
CVE-2018-12559
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequ...
CVE-2018-12560
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring.