Ransomware attacks are growing around the world. Kaspersky Lab’s researchers have discovered an emerging and alarming trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses.
Kaspersky Lab’s Story of the Year 2017 reveals that more than one quarter of ransomware attacks target businesses. In 2017, 26.2 per cent of those targeted by ransomware were business users, as compared to 22.6 per cent in 2016.
According to them, this trend is due to three unprecedented attacks (WannaCry, ExPetr, and BadRabbit) targeting corporate networks that changed forever the landscape for this increasingly virulent threat.
Groups of cybercriminals involved in developing and distributing encryption ransomware, such as the PetrWrap authors, the infamous Mamba group, and six unnamed groups, are targeting corporate users.
According to Kaspersky Lab’s researchers, the reason for the trend is clear – criminals consider targeted ransomware attacks against businesses potentially more profitable than mass attacks against private users. A successful ransomware attack against a company can easily stop its business processes for hours or even days, making owners of affected companies more likely to pay the ransom.
Anton Ivanov, Senior Security Researcher, Anti-Ransom, Kaspersky Lab, said, “We should all be aware that the threat of targeted ransomware attacks on businesses is rising, bringing tangible financial losses. The trend is alarming as ransomware actors start their crusade for new and more profitable victims. There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences.”
In order to protect organizations from such attacks, Kaspersky Lab security experts advise the following:
- Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
- Use a security solution with behavior-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system, which makes it possible to detect fresh and as yet unknown samples of ransomware.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network to identify and remove any security loopholes. Review external vendor and third-party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organizations to predict future attacks on the company.
- Train your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.
Other ransomware trends in 2017
- Overall, just under 950,000 unique users were attacked in 2017, compared to around 1.5 million in 2016, with the difference between them largely a reflection of detection methodology.
- The three major attacks, as well as other, less notorious families including AES-NI and Uiwix, used sophisticated exploits leaked online in spring 2017 by a group known as the Shadow Brokers.
- There was a decline in new families of ransomware, with a corresponding increase in modifications to existing ransomware (over 96,000 new modifications detected in 2017, compared to 54,000 in 2016). The rise in modifications may reflect attempts by attackers to obfuscate their ransomware as security solutions get better at detecting them.
- From the second quarter of 2017, a number of groups ended their ransomware activities and published the keys needed to decrypt files. These included AES-NI, xdata, Petya/Mischa/GoldenEye and Crysis. Crysis later reappeared – possibly raised from the dead by a different group.
- The growing trend for infecting companies through remote desktop systems continued in 2017, when this approach became one of the main propagation methods for several widespread families, such as Crysis, Purgen/GlobeImposter and Cryakl.
- Approximately 65 percent of businesses that were hit by ransomware in 2017 said they lost access to a significant amount or even all of their data; one in six of those who paid up never recovered their data. These numbers are largely consistent with 2016.
The year 2017 will be remembered as a time when the ransomware threat suddenly evolved with advanced threat actors targeting businesses worldwide, using a series of destructive worm-powered attacks whose ultimate goal remains a mystery.
Fedor Sinitsyn, senior malware analyst, Kaspersky Lab, said, “The headline attacks of 2017 are an extreme example of the growing criminal interest in corporate targets. We spotted this trend in 2016; it has accelerated throughout 2017 and shows no signs of slowing down.”