Ransomware Roundup: July 2017

Share with your network!

Wombat_RansomwareRoundup_2017.jpg

We bring you the latest in ransomware statistics and attacks from the wild.

Recent Ransomware Statistics and News:

  • The crippling GoldenEye strain of the Petya virus that focused heavily on Ukraine and spread across the globe is currently rumored to be a smokescreen for something much worse. The ransomware-like attack, which is being referred to as NotPetya in some circles, utilized the same extortion tactics as the WannaCry attack earlier this year, demanding $300 in ransom, a nominal fee for such a large-scale attack. With this particular strain, however, victims can’t get their files back even if a ransom is paid. Any encrypted files are lost forever. To-date the incident has affected thousands of machines worldwide. It has shut down factories, ports, and offices in an estimated 60 countries located in central, eastern, and southern Europe. According to CNBC, NATO believes a ‘state actor’ was behind the attack and may be initiating a military response. At the time of this post, police in Ukraine had just seized the servers of the company at the center of the attack, MeDoc.
  • “EternalRocks” — another ransomware worm that takes advantage of the same EternalBlue and DoublePulsar exploits that the infamous WannaCry attack capitalized on — was identified by a security researcher in May. However, it goes beyond WannaCry to utilize five more of the NSA-identified exploits that were leaked by the Shadow Brokers group. It has other significant differences from WannaCry: there is no kill switch; it has a 24-hour delayed activation; and (as far as the latest reports) sits dormant on infected hosts, with no malicious payload. A Bleeping Computer report indicated that the developer of EternalRocks had apparently “shut down his operation, following the intense media coverage his malware has received.” But as Cylance analysis of the ransomware noted, “At any time, the author could swap the benign payload for something more malicious.”
  • Our new 2017 User Risk Report, which highlights the results from our survey of more than 2,000 working adults in the US and the UK, revealed the stark differences in the personal security behaviors of employees and their knowledge of phishing and ransomware. Survey results showed that 30% of all respondents still don’t know what phishing is, and fewer than half of respondents (37% in the US and 42% in the UK) were able to accurately identify what ransomware is. We highlight more results and provide access to the full report download on our blog.
  • Kaspersky Lab’s Malware Report for Q1, 2017 shows that mobile ransomware is exploding, with a 3.5x increase in Q1 2017 alone. It further revealed that the US was targeted the most by mobile ransomware, and the number of new Windows ransomware modifications represented “a near two-fold increase on Q4, 2016.”
  • Results of a recent survey by Barracuda indicate that 76% of ransomware attacks originate with email, which is steadily holding its place as the “No. 1 threat vector for businesses.” Hatem Naguib, senior vice president and general manager of Barracuda’s security business “noted that criminals are taking the time to personalize [phishing and spear phishing emails], crafting them to be compelling and convincing.” The survey also revealed that more than half of those questioned were targeted by cyberattacks.
  • Verizon’s 2017 Data Breach Investigations Report (DBIR) singled out the healthcare industry as being the most impacted by ransomware. Other highlights include:
    • Ransomware dominated 71% of malware-related data breaches investigated by Verizon in 2016.
    • Ransomware attacks are up 50% compared to last year.
    • Ransomware is evolving.

You can read a summary of the report on our blog.

  • NTT Security released their Global Threat Intelligence Report back in April, and identified four industries that received the brunt of ransomware attacks globally — 77% to be exact. The industries identified were business/professional services, government, healthcare, and retail. You can download the full report on the NTT website.

Visit our Ransomware Resource Center for free, end-user-focused security awareness materials

 

 

Recent Ransomware Attacks:

  • A web hosting firm in South Korea, Nayana, was the victim of the Erebus strain of ransomware, which targets Windows machines and included a variation that made Linux-based systems vulnerable. The firm paid a record sum of $1M to recover their files after negotiations resulted in attackers coming down from their initial $4.4M ransom to $500K, though they reportedly then doubled the demand to $1M at the last minute.

  • Although Mac systems are less susceptible to cyberattacks, they aren’t immune. A new strain of ransomware dubbed “MacRansom” is a malware-as-a-service (MaaS) strain that is designed to to targeting Mac users. Security company Fortinet discovered the strain, and though they said it is “far inferior” to ransomware currently targeting Windows systems, they also noted that is “does work as advertised.”

  • Cambridge University’s website was targeted by a ransomware attack, but successfully thwarted any penetration by temporarily shutting down its systems. It is unknown if these events were related to WannaCry, which emerged the day before.

  • Considered one of the largest cyberattacks in history, WannaCry devastated the globe on May 12, and spread to over 150 countries within one day. WannaCry used two NSA-leaked tools to target Windows computers, affecting hospitals, banks, universities, traffic cameras in Australia, and many other organizations worldwide. WannaCry is unable to be decrypted, and so, victims were only able to recover files via backup or by paying the Bitcoin equivalent to $300 in ransom. Although a patch was issued within a day, and a kill switch was discovered, remnants of the ransomware’s effects are still being felt today, with new cases periodically emerging.

  • Netflix original series Orange is the New Black had its fifth season leaked after a hacking collective by the name of The Dark Overlord (TDO) managed to access its production company, Larson Studios’ systems. Though Netflix stated in May that it refused to pay follow-up coverage reveals the studio paid a ransom of more than $50,000 in Bitcoin, but the files were still leaked. TDO has also identified their next targets, which include Fox, National Geographic, and ABC.

  • IT staff at the Dutch parliament’s lower house, the Tweede Kamer, reportedly stopped a ransomware attack before it caused too much damage, relying on backups to restore the files that were encrypted. Parliament member Kees Verhoeven tweeted that though the attack was “very annoying,” he hoped the situation would raise awareness.