Sophos 2018 Malware Forecast: ransomware hits hard, continues to evolve

SophosLabs looked at the most prolific ransomware variants. And, we offer you the tools to better defend against them.

Sophos releases its 2018 Malware Forecast today, and the big takeaway is this: ransomware remains a huge problem for companies and isn’t going away. In 2017, attackers further perfected their ransomware delivery techniques, leading to global outbreaks such as WannaCry, NotPetya and, most recently, Bad Rabbit.

Though most ransomware is hitting Windows users, it’s clear that people aren’t immune if they use other platforms, including mobile devices. A prime example is the amount of ransomware contaminating Android apps, whether they’re in Google Play or other online sources.

Ransomware from 1 April – 3 October 2017

Ransomware remains a vexing problem for many companies. SophosLabs looked at the most prolific ransomware families and attack vectors over a six-month period with an eye toward helping those organizations cope.

The statistics below cover the six-month period between 1 April and 3 October 2017. The data was collected using lookups from customer computers.

WannaCry, unleashed in May 2017, was the number-one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3% of all ransomware tracked through SophosLabs, with Cerber accounting for 44.2%.

“For the first time, we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of an old Windows vulnerability to infect and spread to computers, making it hard to control,” said SophosLabs researcher Dorka Palotay, who specializes in ransomware analysis. “Even though WannaCry has tapered off and Sophos has defenses for it, we still see the threat because of its inherent nature to keep scanning and attacking computers. We’re expecting cybercriminals to build upon WannaCry and NotPetya and their ability to replicate, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.”

The Sophos 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable.

The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data, according to Palotay.

“NotPetya spiked fast and furiously before taking a nose dive, but did ultimately hurt businesses. This is because NotPetya permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started,” said Palotay. “We suspect the cybercriminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and installing Sophos Intercept X, which can detect zero-day ransomware within seconds.”

Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber make money by charging the criminals who use it a percentage of each ransom they’re paid. The malware is continually refined and updated in an attempt to stay one step ahead of security software. Regular new features make Cerber not only an effective attack tool, but perennially available to cybercriminals.

The trends are captured in the following ransomware graphic, also released today (click to enlarge and use the magnifying glass to zero in on specific stats):

Android ransomware on the rise

Android ransomware is also attracting cybercriminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.

“In September alone, 30.37% of malicious Android malware processed by SophosLabs was ransomware.” said Rowland Yu, a SophosLabs security researcher focusing on mobile malware. “One reason we believe ransomware on Android is taking off is because it’s an easy way for cybercriminals to make money instead of stealing contacts and SMS, popping ups ads or even bank phishing which requires sophisticated hacking techniques. It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.”

SophosLabs analysis systems will have processed an estimated 10 million suspicious Android apps by the end of 2017, up from the 8.5 million processed through all of 2016. The vast majority — 77% — turned out to be malware, while 23% were PUAs.

The number of malicious apps has risen steadily in the last four years. In 2013, just over a half million were malicious. By 2015 it had risen to just under 2.5 million. For 2017, the number is up to nearly 3.5 million.

Meanwhile, we’ve seen a drop in PUAs. The numbers had risen steadily between 2013 and 2016, but 2017 saw a drop from 1.4 million down to below 1 million.

Looking at the top Android malware families since the beginning of 2017, Rootnik was most active – 42% of all such malware stopped by SophosLabs. PornClk was second most active at 14%, while Axent, SLocker and Dloadr followed behind at 9%, 8% and 6%, respectively.

Many apps on Google Play were found to be laced with Rootnik, and that family was also seen exploiting the DirtyCow Linux vulnerability in late September.

Ransomware defensive measures

To better protect yourself from this sort of thing:

Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can be lost, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.