Sophos releases its 2018 Malware Forecast today, and the big takeaway is this: ransomware remains a huge problem for companies and isn’t going away. In 2017, attackers further perfected their ransomware delivery techniques, leading to global outbreaks such as WannaCry, NotPetya and, most recently, Bad Rabbit. The UK was the second highest single country hit, behind the United States.

Though most ransomware is hitting Windows users, it’s clear that people aren’t immune if they use other platforms, including mobile devices. A prime example is the amount of ransomware contaminating Android apps, whether they’re in Google Play or other online sources.

Ransomware from 1 April – 3 October 2017

Ransomware remains a vexing problem for many companies. SophosLabs has looked at the most prolific ransomware families and attack vectors over a six-month period with an eye toward helping those organizations cope.

The statistics below cover the six-month period between 1 April and 3 October 2017. The data was collected using lookups from customer computers.

WannaCry, unleashed in May 2017, was the number-one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3% of all ransomware tracked through SophosLabs, with Cerber accounting for 44.2%.

“For the first time, we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of an old Windows vulnerability to infect and spread to computers, making it hard to control,” said SophosLabs researcher Dorka Palotay, who specializes in ransomware analysis. “Even though WannaCry has tapered off and Sophos has defenses for it, we still see the threat because of its inherent nature to keep scanning and attacking computers. We’re expecting cybercriminals to build upon WannaCry and NotPetya and their ability to replicate, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.”

The Sophos 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable.

The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data, according to Palotay.

“NotPetya spiked fast and furiously before taking a nose dive, but did ultimately hurt businesses. This is because NotPetya permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started,” said Palotay. “We suspect the cybercriminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and installing Sophos Intercept X, which can detect zero-day ransomware within seconds.”

Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber make money by charging the criminals who use it a percentage of each ransom they’re paid. The malware is continually refined and updated in an attempt to stay one step ahead of security software. Regular new features make Cerber not only an effective attack tool, but perennially available to cybercriminals.

The trends are captured in the ransomware graphic above.

You can read more on Sophos’ findings via this link, or talk to one of our experts today on 01274 396 213.

Recommended Posts