SophosLabs Says No Platform is Immune to Ransomware

Time to increase security

Sophos recently published their SophosLabs 2018 Malware Forecast, a report that recaps ransomware and other
cybersecurity trends based on data collected from Sophos customer computers worldwide during April 1
to Oct. 3, 2017. If you don’t know who Sophos are, let me help you shed some light on them. Sophos or Sophos Group plc is an English software and hardware company and one of the world’s leaders in network and endpoint security.

In the SophosLabs 2018 Malware Forecast, one the major concerns found is that while ransomware predominately attacked Windows systems in the last six months, Android, Linux and MacOS platforms were not immune. Which means that they can be attacked anytime.

Dorka Palotay, SophosLabs security researcher and contributor to the ransomware analysis in the SophosLabs 2018 Malware Forecast explained that ransomware has become platform-agnostic. She also added that,

Ransomware mostly targets Windows computers, but this year, SophosLabs saw an increased amount of crypto-attacks on different devices and operating systems used by our customers worldwide.

The report also tracks ransomware growth patterns, indicating that the infamous WannaCry, unleashed in May 2017, was the number one ransomware intercepted from customer computers, dethroning longtime ransomware leader Cerber, which first appeared in early 2016. WannaCry accounted for 45.3 percent of all ransomware tracked through SophosLabs with Cerber accounting for 44.2 percent.

The creators of Cerber continuously update the code and they charge a percentage of the ransom that the “middle-men” attackers receive from victims. Regular new features make Cerber not only an effective attack tool, but perennially available to cyber criminals. Which effectively makes Cerber the most dangerous ransomware out there.

Palotay said that it’s the first they’ve encountered a ransomware with worm-like characteristics in WannaCry, which is why it became so widespread so quickly and easily. This ransomware exploited a known Windows vulnerability to infect and spread to computers, making it hard to control. She also said that despite their customers being protected from it, they can still see the threat because of its inherent nature to keep scanning and attacking computers.

Palotay expects that other cyber criminals will be sure to build upon this ability to replicate or create ransomware similar to WannaCry or NotPetya. NotPetya is another ransomware similar to WannaCry that wreaked havoc in June 2017 and has been included in the SophosLabs 2018 Malware Forecast.

NotPetya was initially distributed through a Ukranian accounting software package but was able to spread via the EternalBlue exploit, just like WannaCry. However NotPetya hit right after WannaCry so a majority of machines were already patched and defended against such an attack therefore it was stopped as soon as it had begun. It did manage to affect businesses however during its short spike, permanently destroying data on the computers it hit. Palotay remarked,

We suspect the cyber criminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper. Regardless of intention, Sophos strongly advises against paying for ransomware and recommends best practices instead, including backing up data and keeping patches up to date.

Android ransomware is also attracting cyber criminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017. Rowland Yu, a SophosLabs security researcher and contributor to the SophosLabs 2018 Malware Forecast said that 30.4% of Sophos customers using Android devices were affected by some form of ransomware in September alone. He expects this number to rise in the coming months.

One reason we believe ransomware on Android is taking off is because it’s an easy way for cyber criminals to make money instead of stealing contacts and SMS, popping ups ads or bank phishing which requires sophisticated hacking techniques. It’s important to note that Android ransomware is mainly discovered in non-Google Play markets – another reason for users to be very cautious about where and what kinds of apps they download.

The SophosLabs 2018 Malware Forecast further indicates two types of Android attack methods emerged: locking the
phone without encrypting data, and locking the phone while encrypting the data. Most ransomware on Android doesn’t encrypt user data, but the sheer act of locking a screen in exchange for money is enough to cause people grief, especially considering how many times in a single day information is accessed on a personal device.

Yu advised that users should start backing up phones on a regular schedule, similar to a computer, to preserve data and avoid paying ransom just to regain access. This is because he and Sophos expects ransomware for Android to continue to increase and dominate as the leading type of malware on this mobile platform in the coming year.

For more information and for access to the full report and infographic, please click here.

Pokdepinion: Cyber attacks are getting more and more rampant and now that Android is getting attacked too, it’s best to take every precautionary steps possible to protect yourself against these cyber attacks.