New Study Highlights Global Ransomware Threat

Long gone are the good ol’ days when hackers targeted systems for bragging rights or mischief.

Today, the world’s most prolific malicious hackers typically work for groups with more destructive goals in mind or for financial gain. While technology to improve security continues to be developed and deployed, malware attacks are constantly evolving, and the high financial stakes involved mean organizations can invest heavily in developing new attacks.

Understanding the nature of the ongoing malware threat is essential for preparing for it. Sophos recently released its 2018 Malware Forecast, which outlines the evolving nature of malware and helps companies prepare. In particular, the report showed that malware is still common. Furthermore, threats are moving beyond Windows, historically the most common target, and toward Android devices.

Ransomware Rampage

Between April and October, the nature of ransomware attacks changed. While Cerber had been the dominant ransomware program since shortly after its release in early 2016, another ransomware kit, WannaCry, emerged in May of 2017. While Cerber still accounted for 44.2 percent of ransomware attacks during the six-month period, WannaCry edged it out, accounting for 45.3 percent of attacks. WannaCry was largely distributed via EternalBlue, an exploit experts believe was initially developed by the United States’ NSA.

SophosLabs researcher Dorka Palotay believes the “worm-like characteristics” in new types of ransomware will make it gradually harder to control while becoming easier to copy.

“We’re expecting cybercriminals to build upon WannaCry and NotPetya and their ability to replicate, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya.”

The SophosLabs report also discussed another ransomware platform first discovered in June: NotPetya. Originally part of an accounting package in Ukraine, NotPetya had a limited geographical impact. Again, the EternalBlue exploit was used for its distribution. However, most unpatched and vulnerable machines had already been affected by WannaCry, further reducing NotPetya’s impact. The NotPetya attack was run poorly for several reasons, the most prominent being that the email address listed in the attack didn’t work, so those affected had no means to restore their data and the attackers could not be paid.

Cerber is expected to remain a viable ransomware tool. Its creators sell Cerber on the dark web, and they make money by collecting a percentage of the ransom its users generate. As a result, Cerber’s developers have the resources needed to add new features, making it a moving target for security professionals.

Android Attacks

The report from SophosLabs showed that Android exploits were on the rise, increasing nearly every month in 2017. In total, 30.37 percent of all infestations were ransomware attacks. Ransomware, according to Sophos experts, is popular partially because it’s easier to turn into revenue than other mainstays of mobile exploits.

The Google Play store has advanced tools for detecting and removing malware. Third-party markets, on the other hand, are far less safe and represent the most common source of malware infestations. SophosLabs processed approximately 10 million suspicious apps through 2017, an increase from the 8.5 million apps inspected in 2016. Among those assessed, 77 percent turned out to be malware. This number shows the continued rise of Android malware. In 2013, slightly more than 500,000 apps were malicious, a number that rose to close to 2.5 million in 2015 and almost 3.5 million in 2017. Conversely, the number of potentially unwanted applications, which includes adware, non-malicious spyware, and hacking tools, fell from a peak of more than 1.4 million in 2016 to less than 1 million in 2017.


Among the most common Android exploit software, 42 percent of attacks stopped by SophosLabs were based on Rootnik. PornClk came in second with 14 percent of the stopped attacks, followed by Axent at nine percent, SLocker at eight percent, and Dloadr at six percent. Traces of Rootnik could be found on many Google Play apps.

Protecting Against Ransomware

Sophos outlined techniques for combating ransomware. Prompt patching is perhaps the most valuable first-line defense against ransomware attacks, as it provides fixes for potential exploits. A regular patching schedule can help, but companies will also want to keep an eye on security bulletins. As shown with the NotPetya attack, faulty ransomware attacks might not even provide an opportunity for payment, so regular backups, stored offsite, are essential for ensuring critical data can be restored. Regular backups are useful for non-malware incidents as well, as disasters, mistakes, and a wide range of other events can result in lost data.

Macros in Microsoft Office documents are a common source of malware infestations. Be extremely cautious with email attachments, and ensure family members and company employees are properly educated about potential attacks. Microsoft has, for years, turned the auto-execution of macros off by default. Although it can be convenient to turn it on, doing so puts computers at great risk. Third-party security software can also be helpful for detecting malware attacks.

For Android, the best advice is to stick to the Play Store for finding and installing apps; third-party stores simply lack the security and reputation of Google’s platform. Malware can still find its way to the Play Store, so be wary of apps before installing them. Sticking with popular apps from reputable companies greatly reduces the odds of being attacked.