As a new year begins, let us take the opportunity to look back at the significant ransomware events of 2017 and at what we can learn from them.
Ransomware as a Service
After an eventful 2016, in which we saw the number of ransomware families grow by more than 300%, that growth stalled: 2017 brought just over 16 established families. This is an indicator that criminals prefer professionally made ransomware over writing (and testing) their own.
The growing supply of “Ransomware as a Service” (RaaS) offerings also appears to be shaping the ransomware economy. By splitting the profits with the ransomware developers, the RaaS model lets criminals start their own ransomware operation on a budget, without having to develop their own malware or run the supporting infrastructure.
Email Is Still King in Distribution
Email is still the most commonly used method to distribute ransomware (and malware in general): over 64% of all malicious spam, or malspam, carried ransomware. Exploit kits are the other main distribution method.
The Most Distributed Ransomware Award Goes To...
Malware families that use the RaaS business model are in great shape, since they are distributed by multiple threat actors, and that is why some new players rose in the ransomware charts. Most of these families are professionally made, which is what makes them increasingly prominent.
The most distributed ransomware families were:
Destructive Malware That Can Be Disguised as Ransomware
In 2017, we saw three high-profile ransomware outbreaks that were believed not to be financially motivated but were still highly disruptive. Their main intention was to cause harm to infected systems, which they did.
- WannaCry: Introduced the concept of wormable ransomware: like a worm, it spreads by itself. It used the EternalBlue exploit for the SMBv1 vulnerability patched in MS17-010 to reach both Internet-exposed systems and systems on internal networks. Little more than USD 100k was received in its bitcoin wallets.
- NotPetya: Used a compromised provider of accounting software in Ukraine as its distribution vector: when users updated their accounting software, they got a little extra. Multinational companies with offices in Ukraine were compromised as well, turning this attack into a global problem.
- BadRabbit: Also targeted major organizations, in Ukraine and Russia, via compromised media websites. It shared code with NotPetya, which indicates that the same group was behind both attacks.
WannaCry and NotPetya used a small, fixed set of hardcoded bitcoin wallets shared by all victims, which made it impossible for the authors to tell which victims had paid the ransom, and therefore impossible to hand out the right decryption key even if they had wanted to. This is a strong indicator that they did not care about recovering the files. BadRabbit, by contrast, employed a unique bitcoin wallet per victim.
With WannaCry, a new distribution method came into play. Although some malware researchers had already anticipated it, self-replicating, wormable ransomware first appeared with WannaCry.
By exploiting the EternalBlue SMBv1 vulnerability (MS17-010) on Windows systems, the ransomware needed no other form of distribution: it spread by itself, both across the Internet and inside internal networks. NotPetya also used this method to replicate within internal networks (combined with stolen credentials reused through PsExec and WMIC). The practical consequences are that applying MS17-010, disabling SMBv1 and blocking TCP/445 at the perimeter remove the vector, and that a single host opening connections to many peers on port 445 within seconds is the network-level signature of this kind of spread.
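Detection logic for the worm-like SMB spread described above, as an added example that is not part of the original post or of any Anubis Labs tooling. It runs over constructed connection records (timestamp, source, destination, port, result), flags sources that fan out to many distinct hosts on TCP/445 inside a short sliding window, and separately flags SMB attempts towards addresses outside the RFC1918 ranges, which it assumes are the organization's internal space. The sample hosts, flows, window and threshold are invented for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: the organization's internal address space is the RFC1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not captured traffic): "timestamp src dst dport result".
# 10.0.1.20 is a normal workstation that talks to one file server;
# 10.0.1.77 behaves like a host running an SMB spreader: it contacts 30 internal
# neighbours on port 445 in 30 seconds, then tries two non-internal addresses.
BENIGN = [f"2017-05-12T10:00:{s:02d} 10.0.1.20 10.0.1.5 445 ok"
          for s in range(0, 50, 5)]
WORM_INTERNAL = [f"2017-05-12T10:01:{i:02d} 10.0.1.77 10.0.1.{i + 1} 445 refused"
                 for i in range(30)]
WORM_INTERNET = ["2017-05-12T10:02:05 10.0.1.77 203.0.113.9 445 timeout",
                 "2017-05-12T10:02:06 10.0.1.77 198.51.100.44 445 timeout"]
SAMPLE_FLOWS = BENIGN + WORM_INTERNAL + WORM_INTERNET


def parse_flows(lines):
    """Turn 'timestamp src dst dport result' lines into tuples with typed fields."""
    flows = []
    for line in lines:
        ts, src, dst, dport, result = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), result))
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_fanout(flows, window=timedelta(seconds=60), threshold=10):
    """Map each source to the peak number of distinct hosts it contacted on
    TCP/445 within any sliding `window`; only sources reaching `threshold`
    are returned. Failed attempts count too: a scanner mostly gets refusals."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport == 445:
            per_src[src].append((ts, dst))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings[src] = peak
    return findings


def outbound_smb_to_internet(flows):
    """Sorted (src, dst) pairs where an internal host tried TCP/445 to a
    non-internal address; SMB should never leave the perimeter."""
    hits = {(src, dst) for _, src, dst, dport, _ in flows
            if dport == 445 and is_internal(src) and not is_internal(dst)}
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, peak in smb_fanout(flows).items():
        print(f"SMB fan-out: {src} reached {peak} distinct hosts on 445 within 60s")
    for src, dst in outbound_smb_to_internet(flows):
        print(f"SMB to Internet: {src} -> {dst}")
```

The window and threshold are tuning knobs: a backup server or vulnerability scanner legitimately talks to many hosts on 445, so those sources should be allow-listed rather than the threshold raised for everyone.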
The NoMoreRansom Initiative Results
Not all hope is lost. The No More Ransom initiative shows great promise in the fight against ransomware. After one year of activity, these are the numbers it is up against:
- 2,581,026 victims infected with ransomware in the last year
- 32% paid the ransom
- 20% never got their files back
The No More Ransom project has 54 decryption tools available, covering over 104 ransomware families. By decrypting over 28,000 infected devices, these tools have prevented an estimated 8M Euros from reaching criminals in ransoms.
The Anubis Labs team is tasked with the ongoing effort to discover new threats, to track and collect intelligence about malware and botnets, and to figure out the best approach to give our customers good insight into their threat landscape.