While ransomware predominately attacked Windows systems in the last six months, Android, Linux and MacOS platforms were not immune.
This is among the findings of the SophosLabs 2018 Malware Forecast that recaps ransomware and other cybersecurity trends based on data collected from Sophos customer computers worldwide, from 1 April to 3 October this year.
“Ransomware has become platform-agnostic. It mostly targets Windows computers but, this year, SophosLabs saw an increased amount of crypto-attacks on different devices and operating systems used by Sophos customers worldwide,” says Brett Myroff, MD of Sophos distributor Netxactics.
The report also tracks ransomware growth patterns, indicating that WannaCry, unleashed in May 2017, was the number one ransomware intercepted from customer computers, dethroning long-time ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3 percent of all ransomware tracked through SophosLabs with Cerber accounting for 44,2%.
For the first time, ransomware with worm-like characteristics was noted, which contributed to the rapid expansion of WannaCry. This ransomware took advantage of a known Windows vulnerability to infect and spread to computers and making it hard to control. “Even though Sophos customers are protected against it, and WannaCry has tapered off, the threat is still seen because of its inherent nature to keep scanning and attacking computers,” says Myroff. Cyber criminals may build on this ability.
The SophosLabs 2018 Malware Forecast reports on the acute rise and fall of NotPetya, ransomware that wreaked havoc in June 2017. NotPetya was initially distributed through a Ukranian accounting software package, limiting its geographic impact. It could spread via the EternalBlue exploit, just like WannaCry, but because WannaCry had already infected most exposed machines there were few left unpatched and vulnerable.
The motive behind NotPetya is still unclear because there were many missteps, cracks and faults with this attack. For instance, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data.
NotPetya spiked fast and furiously, and did hurt businesses because it permanently destroyed data on the computers it hit. Luckily, NotPetya stopped almost as fast as it started. Sophos suspects the cyber criminals were experimenting, or their goal was not ransomware but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and keeping patches up to date.
Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat. The creators of Cerber continuously update the code and they charge a percentage of the ransom that the “middle-men” attackers receive from victims. Regular new features make Cerber not only an effective attack tool, but perennially available to cyber criminals. “This Dark Web business model is unfortunately working and likely funding the ongoing development of Cerber, with profits motivating the authors to maintain the code,” Myroff says.
Android ransomware is also attracting cyber criminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.
In September alone, 30,4% of malicious Android malware processed by SophosLabs was ransomware. Sophos is expecting this to jump to approximately 45 percent in October. One reason, the company believes, ransomware on Android is taking off is because it’s an easy way for cyber criminals to make money instead of stealing contacts and SMS, using pop-up ads or bank phishing, which requires sophisticated hacking techniques.
It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.
The SophosLabs report also indicates two types of Android attack methods emerged: locking the phone without encrypting data, and locking the phone while encrypting the data. Most ransomware on Android doesn’t encrypt user data, but the sheer act of locking a screen in exchange for money is enough to cause people grief, especially considering how many times in a single day information is accessed on a personal device.
“Sophos recommends backing up phones on a regular schedule, like you would a computer, to preserve data and avoid paying ransom just to regain access,” says Myroff. “Sophos expects ransomware for Android to continue to increase and dominate as the leading type of malware on this mobile platform in the coming year.”