Kaspersky Security for Linux Mail Server Receives Highest Vbspam+

Kaspersky Security for Linux Mail Server Receives Highest Vbspam+

THE POWER OF PROTECTION KSN Report: Ransomware in 2016-2017 www.kaspersky.com Contents Executive summary and main findings ..................................2 Introduction: A brief look at ransomware evolution over a year .............................................................. 3 Part 1. PC ransomware: ransomware – conveyor of targets .................................................................. 4 Ransomware intra-species massacre .................................. 11 WannaCry pandemic .............................................................. 14 Part 2: Mobile ransomware Statistics.................................................................................. 19 Part 3. How it is all orchestrated ........................................... 24 Conclusions and predictions ................................................ 26 1 Executive summary and main findings Ransomware is a type of malware that, upon infecting a device, blocks access to it or to some or all of the information stored on it. In order to unlock either the device or the data, the user is required to pay a ransom, usually in bitcoins or another widely used e-currency. The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware. The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. This report covers the evolution of the threat from April 2016 to March 2017 and compares it with the period of April 2015 to March 2016. Methodology: This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled, who encountered ransomware at least once in a given period, as well as research into the ransomware threat landscape by Kaspersky Lab experts. Main findings: • The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4% compared to the previous 12 months (April 2015 to March 2016) – from 2,315,931 to 2,581,026 users around the world; • The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.8 percentage points, from 4.34% in 2015-2016 to 3.88% in 2016-2017; • Among those who encountered ransomware, the proportion who encountered cryptors rose by 13.6 percentage points, from 31% in 2015-2016 to 44.6% in 2016-2017; • The number of users attacked with cryptors rose almost twice, from 718,536 in 2015-2016 to 1,152,299 in 2016-2017; • The number of users attacked with mobile ransomware fell by 4.62% from 136,532 users in 2015-2016 to 130,232. 2 Introduction: A brief look at ransomware evolution over a year The rise of Ransomware-as-a-Service In May 2016 Kaspersky Lab discovered Petya ransomware that not only encrypts data stored on a computer, but also overwrites the hard disk drive's master boot record (MBR), leaving infected computers unable to boot into the operating system. The malware is a notable example of the Ransomware-as-a-Service model, when ransomware creators offer their malicious product ‘on demand’, spreading it by multiple distributors and getting a cut of the profits. In order to get their part of the profit, the Petya authors inserted certain “protection mechanisms” into their malware that do not allow the unauthorized use of Petya samples. While Ransomware-as-a-Service is not a new trend, this propagation model continues to develop, with more and more ransomware creators offering their malicious product. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own malware. Notable examples of ransomware that appeared in 2016 and used this model were Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom. The growth of targeted attacks In early 2017, Kaspersky Lab’s researchers have discovered an emerging and dangerous trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses. The attacks are primarily focused on financial organizations worldwide. Kaspersky Lab’s experts have encountered cases where payment demands amounted to over half a million dollars. The trend is alarming as ransomware actors start their crusade for new and more profitable victims. There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences. The analysis in this report attempts to assess the scale of the problem, and to highlight possible reasons for the new angles of ransomware developments globally. 3 Part 1. PC ransomware: ransomware – conveyor of targets The numbers for the observed period show that ransomware is still on the rise – albeit at a slower growth rate. The total number of users who encountered ransomware over the12 month period from April 2016 to March 2017 grew by 11.4% in comparison to the previous year: April 2015 to March 2016 – from 2,315,931 to 2,581,026 users around the world. This is a weaker pace compared with 17.7% increase in the previous period. The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.5 percentage points, from 4.34% in 2015-2016 to 3.88% in 2016-2017. The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24-month period covered by the report. As can be seen in Fig. 1, the volume of ransomware attacks has been rather sporadic, rising and falling with two peaks in October 2015 and March 2016. These periods were marked with Locky ransomware activities. 450000 400000 350000 300000 250000 200000 150000 100000 50000 0 CY 2015 July 2015 CY CY 2015 May 2015 CY CY 2015CY April CY 2015 June 2015 CY CY 2016 March 2016 CY CY 2015 August 2015 CY CY 2015 October 2015 CY CY 2016 January 2016 CY CY 2016 February 2016 CY CY 2015 November 2015 CY December 2015 CY CY 2015 September 2015 CY 2015 2016 Fig. 1: The number of users encountering ransomware at least once in the period from April 2015 to March 2016 The following year, the situation looks slightly different – yet still filled with anxiety. Between April 2016-March 2017 the volume of ransomware attacks remained stable, at 200,000-250,000 hits per month on average. This is higher than in the previous period and could indicate an alarming trend – a shift from chaotic and sporadic actors’ attempts to gain a foothold in the threat landscape to steadier and higher volumes. Also of interest was the peak between June and July. During these months there were many detections of the Onion ransomware family. 4 400000 350000 300000 250000 200000 150000 100000 50000 0 CY 2016 July 2016 CY CY 2016 May 2016 CY CY 2016CY April CY 2016 June 2016 CY CY 2017 March 2017 CY CY 2016 August 2016 CY CY 2016 October 2016 CY CY 2017 January 2017 CY CY 2017 February 2017 CY CY 2016 November 2016 CY December 2016 CY CY 2016 September 2016 CY 2016 2017 Fig. 2: The number of users encountering ransomware at least once in the period from April 2016 to March 2017 However, two things may be considered positive. Firstly, the modest growth rate could be a sign of success for the collaborative retaliation from vendors of security solutions, various law enforcement agencies, and other actors. It could also be due to increasing threat awareness, fueled by global media coverage on the most prominent fraudulent campaigns. Secondly, the end-of-the-year status also changed, from a rise in March 2016 to a fall of March 2017. 14000000 12000000 10000000 8000000 6000000 4000000 2000000 0 Fig. 3: Number of users attacked with any malware 2015-2017 5 As seen in Fig. 3, the behavior of ransomware does not reflect overall attack trends. While we witnessed peak of ransomware in autumn 2015 and a fall in autumn-winter 2016, malware statistics show the opposite fluctuations. To discover the possible reasons behind the peaks and troughs, we need to look deeper into the ransomware attack statistics. Main actors of crypto-ransomware Looking at the malware groups that were active in the period covered by this report, it appears that a rather diversified list of suspects is responsible for most of the trouble caused by crypto- ransomware. In the first period, from April 2015 to March 2016, the most actively propagated families were the following: Bitman, Cryakl, Cryptodef, Onion, Shade, and Mor. They were able to attack 223,782 users around the world, yet accounted for less than 31% of all users attacked with crypto-ransomware during the period. Lortok Scatter Locky 0,42% 0,32% 0,62% Aura 0,65% Mor 1,56% Other Shade 68,86% 2,86% Onion 4,43% Cryptodef 5,21% Cryakl 7,13% Bitman 7,94% Fig. 4: Distribution of users attacked with different groups of encryption ransomware in 2015-2016 A year later the situation had not changed considerably. Most widespread families, including Locky, CryptXXX, Zerber, Shade, Crusis, Cryrar, Snocry, Cryakl, Cryptodef, Onion and Spora, together hit about 33% of all users attacked with crypto-ransomware during the period. 6 Snocry Onion Spora 1,47% 1,31% 0,97% Cryptodef 1,49% Cryakl 1,61% Cryrar 1,87% Other 67,33% Crusis 1,96% Shade 2,20% Zerber 3,62% CryptXXX 7,04% Locky 9,13% Fig. 5: Distribution of users attacked with different groups of encryption ransomware in 2016-2017 Interestingly, the high share of “others” indicates that the list of crypto-ransomware actors becomes more and more diversified. This is due to crypto-ransomware downloaders that are not linked to specific families. This could be a sign of the development of criminal-to-criminal infrastructure that is fueling the emergence of easy-to-go, ad hoc tools to attack users and extort money.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    29 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us