Internet Security Threat Report ISTR Ransomware 2017 An ISTR Special Report Analyst: Dick O’Brien July 2017 Contents Executive summary and Key findings Ransomware: An overview A new breed of threat: WannaCry and Petya Businesses in the crosshairs Affecting the bottom line: Impact of ransomware How ransomware is spread Major ransomware threats Protection and best practices Internet Security Threat Report Contents 3 Executive summary and key findings 28 02 Contain 29 Advanced antivirus engine 5 Ransomware: An overview 29 SONAR behavior engine 8 A new breed of threat: WannaCry 29 Sapient – machine learning and Petya 29 Best practice 9 How WannaCry spread and how it was stopped 29 Ongoing development 9 What is EternalBlue? 29 03 Respond 10 Poor implantation, poor returns 29 Incident Response 10 Petya: Different threat, similar tactics 29 Best practices 10 Who was behind the WannaCry attacks? 30 Appendix: Symantec detections for 11 How Petya was spread common ransomware families 11 Ransomware or wiper? 34 About Symantec 12 Ransomware as a political tool 34 More Information 13 Businesses in the crosshairs 14 Worms are not the only threat 14 Targeted ransomware attacks Figures and Tables 15 Prevention is possible, a cure may not be 6 Ransomware infections by year 6 Ransomware infections by month 16 Affecting the bottom line: Impact of ransomware 6 Impact of WannaCry and Petya outbreaks on monthly infection rate 17 Ransom demands stabilize 6 Monthly ransomware infection numbers 17 Financial and reputational damage without WannaCry and Petya 18 How many people pay? 6 New ransomware families by year 7 Ransomware detections by region, 2016 19 How ransomware is spread 7 Ransomware detections by region, 2017 (to date) 20 Email: Main source of menace 7 New ransomware variants by year 21 Exploit kits 7 New ransomware variants by month 22 Other infection vectors 9 Number of EternalBlue exploit attempts blocked by Symantec per hour 23 Major ransomware threats 11 Petya infection numbers on June 27 2017, with 24 Cerber Ukraine the most heavily affected country Jaff 24 14 Consumer vs enterprise, blocked ransomware infections, 25 Sage 2015–2017 to date 25 GlobeImposter 14 Consumer vs enterprise ransomware infections, 2017 to date 26 Locky 17 Average ransom amount in US dollars, by year 26 Mamba 21 Email malware rate (one in) seen by Symantec, which dropped significantly after Necurs went offline in late December 2016 27 Protection and best practices 21 Web attacks blocked by Symantec per month 28 01 Prevent 28 Email security 28 Intrusion prevention 28 Proactive Exploit Protection 28 Download Insight 28 Browser Protection 28 Best practice Internet Security Threat Report Executive summary and key findings Section 00 00 Executive Summary and Key Findings Page 4 Ransomware 2017 Executive Summary Key findings The ransomware landscape shifted dramatically | The advent of worm-type ransomware is a new and highly this year with the appearance of two new self- disruptive avenue of attack. propagating threats in the form of WannaCry and | Businesses in particular are most at risk to worm-type Petya. Both outbreaks caused global panic, catching threats, which can spread in minutes across poorly secured networks. many organizations off-guard, with infections spreading rapidly across corporate networks. | During the first six months of 2017, organizations accounted for 42 percent of all ransomware infections, up from 30 Prior to these outbreaks, the main threat posed by ransomware percent in 2016 and 29 percent in 2015. This shift was was from widescale malicious spam campaigns, capable of mainly accounted for by WannaCry and Petya. sending ransomware to millions of email addresses on a daily | Overall ransomware infection numbers are continuing basis, in addition to a growing number of targeted attacks to trend upwards, powered by the WannaCry and Petya directed at organizations. outbreaks. The arrival of WannaCry and Petya illustrates how malicious | The average ransom demand seen in new ransomware threats can suddenly and unexpectedly evolve and catch families appears to have stabilized at US$544 indicating unprepared organizations by surprise. attackers may have found their sweet spot. The impact of these incidents will not go unnoticed on the cyber crime underground and it’s likely that other groups may | The U.S. is still the country most affected by ransomware, attempt similar tactics. Because of the nature of these attacks, followed by Japan, Italy, India, Germany, Netherlands, UK, organizations are particularly at risk (and were the main victims Australia, Russia, and Canada. of both WannaCry and Petya). Businesses need to educate | After a dramatic increase in 2016, when the number of new themselves about this new avenue of attack and ensure they ransomware families more than tripled, the number of new have defenses in place. families appearing slowed in the first six months to 16. At the same time, traditional mass-mailing ransomware attacks | The drop-off in 2017 may indicate that the “gold rush” remain an ongoing threat; and while some spamming operations mentality among cyber criminals is beginning to abate were disrupted this year, they nevertheless pose a significant somewhat, leaving the market to be dominated by risk. professional ransomware gangs. Targeted ransomware attacks, involving the compromise of an organization’s network and infection of multiple computers continue to pose a threat. Although less prevalent than mass mailed threats, the damage caused by a targeted attack is potentially much higher. Ransomware is now one of the key cyber threats facing organizations and can have a major impact on their bottom line, from financial losses, disruption, and reputational damage. Attacks where dozens or even hundreds of computers are infected can leave businesses with enormous cumulative ransom demands. However, ransom demands are not the only potential source of losses. Over the past year, a growing number of firms have gone on the record about the impact of ransomware on their businesses, with a range of major corporations citing ransomware attacks as materially affecting earnings. Back to Table of Contents Internet Security Threat Report Ransomware: An overview Section 01 01 Ransomware: An Overview Page 6 Ransomware 2017 After an increase of 36 percent between 2015 This spike in infections was in a large part due to the WannaCry and 2016, the rate of ransomware infections and Petya outbreaks, which accounted for 28 percent of infec- seen by Symantec has continued to increase. In tions in May and 21 percent of infections in June. the first six months of 2017, Symantec blocked just over 319,000 ransomware infections. If this Impact of WannaCry and Petya outbreaks on monthly infection rate infection rate continued for the full year, 2017 would be a significant increase over 2016, when All other ransomware infections WannaCry and Petya infections a total of 470,000 infections were blocked. 90,000 80,000 It is important to note that these detection figures represent 70,000 60,000 a small fraction of the total amount of ransomware being 50,000 blocked by Symantec, with the majority of attacks being 40,000 blocked earlier in the infection process. For example, virtually 30,000 all WannaCry infection attempts were blocked at exploit level 20,000 by Symantec’s Intrustion Prevention System (IPS), which 10,000 prevented the ransomware from reaching the computer. JAN F M A M J J A S O N D JAN F M A M J 2016 2017 Ransomware infections by year If WannaCry and Petya infection numbers were stripped out of monthly figures, the infection rate would still be moving 500 upwards between January 2016 and June 2017, albeit at a much more gradual rate. 400 470 300 361 319 Monthly ransomware infection numbers Thousand 200 without WannaCry and Petya 100 Ransomware infections without WannaCry and Petya 90,000 0 2015 2016 2017 80,000 (to date) 70,000 60,000 When broken down by months, the rate of infection has 50,000 trended upwards between January 2016 and June 2017, with a 40,000 30,000 notable increase in infections occurring in May and June 2017. 20,000 10,000 Ransomware infections by month JAN F M A M J J A S O N D JAN F M A M J 2016 2017 Ransomware infections 90,000 80,000 New ransomware families by year 70,000 60,000 Ransomware families 50,000 120 40,000 110 30,000 100 90 20,000 80 10,000 70 60 JAN F M A M J J A S O N D JAN F M A M J 50 2016 2017 40 30 20 10 2014 2015 2016 2017 (to date) Back to Table of Contents 01 Ransomware: An Overview Page 7 Ransomware 2017 After a dramatic increase in 2016, when the number of new Ransomware detections by region, 2017 (to date) ransomware families more than tripled, the number of new families appearing slowed in the first six months to 16. If this Other Countries 31% rate continues for the full year, it will be a decline on 2016, United States 29% Japan 9% but still higher than 2014 and 2015, when both years saw the Italy 8% emergence of 30 new ransomware families. India 4% Germany 4% 2017 The number of new threats emerging in 2016 suggested that Netherlands 3% a large number of attackers were attempting to jump on the United Kingdom 3% Australia 3% ransomware bandwagon by developing their own threats. The Russia 3% drop-off in 2017 may indicate that this “gold rush” mentality Canada 3% is beginning to abate somewhat. That doesn’t mean that the 50,000 100,000 150,000 200,000 250,000 300,000 350,000 Detections threat of ransomware has reduced in any significant way, rather that many of the more opportunistic efforts at exploit- After falling between 2015 and 2016, the number of ransom- ing it have run their course.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages35 Page
-
File Size-