Ransomware Dominated the Second Quarter of 2017
Misleading tech-support scams, pontifically unwanted programs, advertising-supported software, banking Trojans, and malvertising attacks were as prevalent in Q2 of 2017 as ever, but no threat gained as much attentions as ransomware, which, undoubtedly, dominated the virtual security world. New ransomware infections popped up every single day, which many of them being extremely aggressive and innovative. One of the most infamous infections to emerge this quarter was the WannaCry Ransomware that managed to slither into systems of governments, national organizations, car manufacturers, big companies, and, of course, regular Windows users. The infection was linked to three different Bitcoin Wallets, to which victims were ordered to pay ransoms. On the 2nd of August, over 140,000 USD were withdrawn from these Wallets, which clearly represents the magnitude of the infection. Unfortunately, it is just one of the many threats that were terrorizing Windows users. In this report, we introduce you to the most active and aggressive infections that dominated the second quarter of 2017.
The Infamous Cerber Continues to Terrorize
Discovered back in 2016, Cerber Ransomware is unlikely to stop its attacks any time soon. Using a VBScript, this particular ransomware can launch an audio message to warn the victim that their personal data has been encrypted. This devious infection surprised malware experts with its maturity, and to this date, no one has managed to stop it. Since its initial launch, quite a few different versions of the Cerber Ransomware have been uncovered. Some of the newest variants have been found to spread along with Kovter Trojan. This particular infection can collect and leak information about the infected operating system. It is also known to perform click-fraud, which means that the infection silently opens websites and clicks on advertisements to make a profit by exploiting pay-per-click systems. Kovter is not the only malicious agent that has been linked to malware from the Cerber family. Boaxxee is another infection, and it is as well-known information stealer that can record and leak private, sensitive data. Nymaim is a malware downloader that can silently install malicious infections. Cerber Ransomware is spread using misleading spam emails that contain a camouflaged installer. It is believed that this malware will continue being the biggest threat throughout 2017.
Troldesh Ransomware and Locky Ransomware Follow
Troldesh, also known as Shade Ransomware, is another infection that has survived since 2016, and it takes the second place as the most common ransomware to infect Windows operating systems. This threat represents ransomware demands in Russian and English, which allows it to target a bigger region overall. The Kelihos spam botnet has been found to spread this malicious infection across the web. In this case, when the victim opens a corrupted spam email, they are introduced to a zipped .JS (JavaScript) file or a Microsoft Word document. In the first case, the opened .JS file downloads the ransomware right away, while the Word document file uses macros first. Kaspersky Lab, McAfee, and several other teams have created tools that are capable of decrypting files for free. Locky Ransomware emerged at the same time as the Shade Ransomware, but this one was using the Necurs spam botnet for distribution. This infection might be one of the most unstable and unpredictable because its attacks come in waves. The threat appeared to be dead until the end of April when it reemerged again.
WannaCry Ransomware Deemed the Most Aggressive Threat
It is unlikely that anyone has managed to overlook the infamous WannaCry Ransomware because it was covered by everyone everywhere. The threat is also known by names WanaCry, WanaDecryptor, WanaCrypt0r, WanaDecrypt0r, and many others has performed one of the most aggressive attacks recorded in the past decade. Within just one day since its initial launch, this devious ransomware had managed to infect over 230,000 computers in over 150 countries. The creator of the ransomware employed a well-known Windows EternalBlue vulnerability (CVE-2017-0144) that had been patched several months before the attacks. If Windows operators were more cautious and took security measures to patch the vulnerability, they could have prevented the loss of personal files. Using this inadvertence, cyber criminals managed to attack systems using a worm functionality, which is a unique trait in the world where most ransomware infections are still spread using corrupted spam email attacks. Undoubtedly, the infection would have spread further if not for a malware researcher who found a kill-switch and disabled the threat. Surprisingly, the same malware researcher is now detained for crimes linking to the development and distribution of another threat, the Kronos Trojan. Since the emergence of WannaCry Ransomware, various lookalikes have been created to terrorize Windows and Android users, both on PC and mobile devices.
Petya/NotPetya Ransomware Are Likely to Prevail Too
While Petya Ransomware was initially spread in 2016, it was very active in the second quarter of 2017 as well. This malware used the EternalBlue exploit, and the infection has been found to exploit M.E.Doc Servers for distribution just recently, which is why our research team concludes that this malware will continue to infect operating systems and, potentially, grow further. Unlike most infections – at least, the ones discussed in this report – Petya Ransomware can overwrite boot files that are required for Windows loading. By overwriting the MBR, this malware creates more problems for the victims as they not only have to worry about the encryption of their files but also the repairing of their operating systems. Just like WannaCry, the devious Petya Ransomware is most likely to infect the operating systems that belong to large companies and organizations. One of the most shocking examples of the power this infection has is that it managed to affect the system that monitors radiation at Chernobyl. Clearly, if ransomware can threaten national security, it must be taken seriously.
Q3 2017 Predictions and Security Tips
It is believed that the infections from the Cerber Ransomware family will continue dominating the third quarter of 2017. Other threats to keep an eye on include Jaff Ransomware, Locky Ransomware, and, of course, Petya Ransomware. Unfortunately, we are also likely to face more exploits because the statistics show that over a million Windows operating systems with outward-facing SMB ports are still unpatched. Spam botnets will continue to be used for the proliferation of ransomware, and malvertising campaigns could be employed on a larger scale as well. Besides ransomware, Windows users have to be cautious about file-less malware attacks, tech-support scams, banking Trojans, and adware that are often utilized for the collection of email addresses and other personal information. With new kinds of malware growing, protecting the operating system is getting more and more tricky, but security experts are not backing down, and virtual security has never been taken more seriously than now. While relying on security updates and anti-malware software is a good strategy, users have to take things into their own hands as well. Paying attention to and investigating suspicious, unfamiliar files, links, and installers can save many users from letting in malware. It is also more important than ever to take care of file backups (external and online backups are recommended) because they can keep personal files safe even if ransomware manages to corrupt original copies.