While ransomware has long been one of the main cyber threats to businesses, the past number of months have seen organizations more exposed than ever. Symantec’s latest research paper on ransomware has found that businesses were the main victims of the WannaCry and Petya outbreaks, with corporate networks the ideal breeding ground for this new generation of self-propagating threats.

Our research found that overall ransomware infection numbers have continued to trend upwards. During the first six months of 2017, Symantec blocked just over 319,000 ransomware infections. If this infection rate continued for the full year, 2017 would be a significant increase over 2016, when a total of 470,000 infections were blocked. Contributing to this increase was a spike in blocked infections during May and June 2017, the months when the WannaCry and Petya outbreaks occurred.

Figure 1. Ransomware infections by month, January 2016 to June 2017

WannaCry and Petya: New threats emerge

 

This year saw the arrival of a new generation of self-propagating ransomware. WannaCry, which was the first to appear, caused global panic due to its ability to spread itself across the networks of infected organizations and then spread to other organizations across the internet. Petya mimicked some of the techniques employed by WannaCry to spread itself across networks.

What enabled WannaCry to spread so quickly was that its developers had incorporated the leaked “EternalBlue” exploit into its code. An exploit of a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol (CVE-2017-0144), it had been patched two months earlier, but there were still enough unpatched computers online for WannaCry to spread quickly. EternalBlue allowed WannaCry to act like a worm, spreading itself to other unpatched computers on the local network and across the internet by scanning random IP addresses in an attempt to find other vulnerable computers.

Six weeks later, a new variant of Petya adopted similar tactics, using EternalBlue as a propagation mechanism, but also incorporating other SMB network spreading techniques, which meant it could spread within organizations to computers that had been patched against EternalBlue. Another difference from WannaCry was that Petya was far more targeted, configured to mainly affect organizations in Ukraine, although other organizations in other countries were also affected.

 
Organizations in the crosshairs

 

The impact of WannaCry and Petya makes it quite likely that more attackers will attempt to replicate the tactics used by deploying ransomware as a worm. The propagation mechanisms employed by both ransomware families enabled the threats to spread quickly across an entire computer network. Many consumer computers are not connected to a network, unlike those found in organizations.

While WannaCry and Petya also did have the ability to spread across the internet to other vulnerable computers, this means of transmission again largely affected other organizations. Most home internet routers would have blocked infection attempts involving the EternalBlue exploit.

WannaCry and Petya’s disproportionate impact on organizations can be seen in infection statistics. During 2015 and 2016, businesses accounted for between 29 and 30 percent of ransomware infections. That figure shot up to 42 percent in the first half of 2017, with a major spike in business infections during May and June, the months WannaCry and Petya spread


Figure 2. Consumer vs enterprise ransomware infections by month

Organizations need to prepare themselves for the threat posed by self-propagating ransomware. The Petya outbreak demonstrated that even without EternalBlue, attackers can create worm-like ransomware that is capable of spreading across a network. While it does require more skill and the use of additional tools, such as credential stealers, the potential rewards are much greater.

 
Ransom demands stabilize

 

During the first six months of 2017, the average ransom demand seen in new ransomware families was US$544. This follows on from a period of rapid inflation in ransom demands. During 2016, the average ransom demand seen in new ransomware families increased dramatically, rising more than threefold from $294 to $1,077

Figure 3. Average ransom amount in U.S. dollars, by year

This could suggest that after a period of trial-and-error in 2016, many attackers have settled on a ransom demand of around $500 as the “sweet spot” for ransom demands. While this may not sound like a major loss for an organization, most ransom demands are for a single infected computer. If an organization finds itself with tens or hundreds of infected computers, the price demanded by attackers will quickly add up.

 
Now is the time to bolster defenses

 

 

WannaCry and Petya proved that ransomware is not a predictable threat and organizations who are complacent may be caught out. Building a multi-layered defense ensures that any point of failure is mitigated by other defensive practices.

This should include not only regularly patching vulnerabilities and ensuring critical systems are backed up, but also employing multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.

 
Tips for businesses and consumers

 

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers, such as EternalBlue.
  • Email is one of the main infection methods. Delete any suspicious-looking email you receive, especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up.

 
Protection

Adopting a multi-layered approach to security minimizes the chance of infection. Symantec has a comprehensive strategy that protects against ransomware in three stages.

  1. Prevent:Email security, Intrusion Prevention, Download Insight, Browser Protection, Proactive Exploit Protection (PEP).
  2. Contain: Advanced signature-based antivirus engine with machine learning heuristic technologies, including SONAR and Sapient.
  3. Respond: Dedicated Incident Response team to help organizations respond and recover from a ransomware attack.

 

Find out more

 

For an in-depth look at the threat posed by ransomware and to learn more about Symantec’s ransomware protection strategy please see our whitepaper: Ransomware 2017: An ISTR special report


RECOMMENDED ARTICLE FOR TECHWORLD


 
Transcend Brings 3D NAND to mSATA SSD MSA230S for Consumers
Techworld Date Posted: 31 August 2018 2:07 PM | 75 Views
Transcend Information Inc., a leading manufacturer of storage and multimedia products, is introducing the mSATA SSD MSA230S to its comprehensive portfolio of high-quality, reliable solid-state storage solutions.. See More
 
Transcend Brings 3D NAND to mSATA SSD MSA230S for Consumers
Techworld Date Posted: 2:07 PM | 75 Views
Transcend Information Inc., a leading manufacturer of storage and multimedia products, is introducing the mSATA SSD MSA230S to its comprehensive portfolio of high-quality, reliable solid-state storage solutions.See More

 
Kaspersky Lab Reveals PH Threat Landscape, Advocates Public-Private Collaboration in its First CyberSecurity Summit with the DICT
Techworld Date Posted: 7 August 2017 11:27 AM | 212 Views
The Department of Information and Communications Technology (DICT) Secretary Rodolfo Salalima (second from left) shakes hand with Kaspersky Lab Asia Pacific Managing Director Stephan Neumeier (third from left) during the media briefing for their.... See More
 
Kaspersky Lab Reveals PH Threat Landscape, Advocates Public-Private Collaboration in its First CyberSecurity Summit with the DICT
Techworld Date Posted: 11:27 AM | 212 Views
The Department of Information and Communications Technology (DICT) Secretary Rodolfo Salalima (second from left) shakes hand with Kaspersky Lab Asia Pacific Managing Director Stephan Neumeier (third from left) during the media briefing for their...See More

 
Notes on Intel®’s Tick-Tock Model
Techworld Date Posted: 30 March 2017 10:59 AM | 256 Views
Though Intel has scrapped the previous “Tick-Tock” CPU production model, it is still good to note how well it has gone through the years.. See More
 
Notes on Intel®’s Tick-Tock Model
Techworld Date Posted: 10:59 AM | 256 Views
Though Intel has scrapped the previous “Tick-Tock” CPU production model, it is still good to note how well it has gone through the years.See More

 
Transcend Gives Back to Over 300 Kids with Metro World Child for the Sidewalk Sunday School Project
Techworld Date Posted: 6 October 2018 9:16 AM | 419 Views
In many cities and villages, there are children who have no control over where they were born or what extreme circumstances they were brought into; they have no way of seeing themselves out of.... See More
 
Transcend Gives Back to Over 300 Kids with Metro World Child for the Sidewalk Sunday School Project
Techworld Date Posted: 9:16 AM | 419 Views
In many cities and villages, there are children who have no control over where they were born or what extreme circumstances they were brought into; they have no way of seeing themselves out of...See More

 
Enjoy Up to 30 Percent Discount on Booking.com Accommodations with PLDT and Smart
Techworld Date Posted: 15 September 2018 2:13 PM | 122 Views
In line with their thrust to give customers epic and incredible experiences, leading telco and digital services provider PLDT, Inc. and its mobile services arm Smart Communications, Inc. have teamed up with Booking.com to.... See More
 
Enjoy Up to 30 Percent Discount on Booking.com Accommodations with PLDT and Smart
Techworld Date Posted: 2:13 PM | 122 Views
In line with their thrust to give customers epic and incredible experiences, leading telco and digital services provider PLDT, Inc. and its mobile services arm Smart Communications, Inc. have teamed up with Booking.com to...See More

 
PLDT Home, the Country’s No.1 Home Broadband, Launches its First Prepaid Broadband Service
Techworld Date Posted: 10 August 2018 2:52 PM | 246 Views
  With the company’s vision of bringing world-class Internet to Filipino families, PLDT has launched its first ever PLDT Home Prepaid WiFi, an affordable service that makes it easier than ever for more families.... See More
 
PLDT Home, the Country’s No.1 Home Broadband, Launches its First Prepaid Broadband Service
Techworld Date Posted: 2:52 PM | 246 Views
  With the company’s vision of bringing world-class Internet to Filipino families, PLDT has launched its first ever PLDT Home Prepaid WiFi, an affordable service that makes it easier than ever for more families...See More

 
Lenovo Addresses Shifting Workspace Needs
Techworld Date Posted: 23 March 2018 1:11 PM | 261 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, launched its 8th-generation Lenovo ThinkPads and ThinkStations–specifically designed to provide enhanced agility and performance to support the ever-evolving workspace spurred by millennial workers.. See More
 
Lenovo Addresses Shifting Workspace Needs
Techworld Date Posted: 1:11 PM | 261 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, launched its 8th-generation Lenovo ThinkPads and ThinkStations–specifically designed to provide enhanced agility and performance to support the ever-evolving workspace spurred by millennial workers.See More

 
Phantom 4 Advanced vs Phantom 4 Pro: 4 Differences You Need to Know
Techworld Date Posted: 24 August 2017 9:41 AM | 185 Views
DJI's most recent release, the Phantom 4 Advanced, is a slightly altered version of the Phantom 4 Pro unit which came out late last year. Its titanium and magnesium alloy makes the aircraft more durable.... See More
 
Phantom 4 Advanced vs Phantom 4 Pro: 4 Differences You Need to Know
Techworld Date Posted: 9:41 AM | 185 Views
DJI's most recent release, the Phantom 4 Advanced, is a slightly altered version of the Phantom 4 Pro unit which came out late last year. Its titanium and magnesium alloy makes the aircraft more durable...See More

 
Lenovo Officially Kicks off Highly-Anticipated Legion of Champions Series II Grand Finale
Techworld Date Posted: 27 January 2018 1:20 PM | 282 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, has officially kicked off the “Legion of Champions Series II” Grand Finale (LoC; former League of Champions).. See More
 
Lenovo Officially Kicks off Highly-Anticipated Legion of Champions Series II Grand Finale
Techworld Date Posted: 1:20 PM | 282 Views
Lenovo (HKSE: 992) (ADR: LNVGY), the world’s leading PC manufacturer, has officially kicked off the “Legion of Champions Series II” Grand Finale (LoC; former League of Champions).See More

 
KINGMAX’S New iKey – Tiny USB Fingerprint Reader 1 Fingerprint to Keep Them All
Techworld Date Posted: 14 October 2017 2:22 PM | 197 Views
Do you have a whole book’s worth of passwords? How do you remember so many? Worry not, KINGMAX “iKey-Tiny USB Fingerprint Reader” is here. . See More
 
KINGMAX’S New iKey – Tiny USB Fingerprint Reader 1 Fingerprint to Keep Them All
Techworld Date Posted: 2:22 PM | 197 Views
Do you have a whole book’s worth of passwords? How do you remember so many? Worry not, KINGMAX “iKey-Tiny USB Fingerprint Reader” is here. See More


Power by

Download Free AZ | Free Wordpress Themes