Ransomware is always a threat, especially for businesses who rely on computers and the internet to function. Symantec recently released a research that found that businesses are the most at risk from ransomware threats.
While ransomware has long been one of the main cyber threats to businesses, the past number of months have seen organizations more exposed than ever. Symantec’s latest research paper on ransomware has found that businesses were the main victims of the WannaCry and Petya outbreaks, with corporate networks the ideal breeding ground for this new generation of self-propagating threats.
Our research found that overall ransomware infection numbers have continued to trend upwards. During the first six months of 2017, Symantec blocked just over 319,000 ransomware infections. If this infection rate continued for the full year, 2017 would be a significant increase over 2016, when a total of 470,000 infections were blocked. Contributing to this increase was a spike in blocked infections during May and June 2017, the months when the WannaCry and Petya outbreaks occurred.
WannaCry and Petya: New threats emerge
This year saw the arrival of a new generation of self-propagating ransomware. WannaCry, which was the first to appear, caused global panic due to its ability to spread itself across the networks of infected organizations and then spread to other organizations across the internet. Petya mimicked some of the techniques employed by WannaCry to spread itself across networks.
What enabled WannaCry to spread so quickly was that its developers had incorporated the leaked “EternalBlue” exploit into its code. An exploit of a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol (CVE-2017-0144), it had been patched two months earlier, but there were still enough unpatched computers online for WannaCry to spread quickly. EternalBlue allowed WannaCry to act like a worm, spreading itself to other unpatched computers on the local network and across the internet by scanning random IP addresses in an attempt to find other vulnerable computers.
Six weeks later, a new variant of Petya adopted similar tactics, using EternalBlue as a propagation mechanism, but also incorporating other SMB network spreading techniques, which meant it could spread within organizations to computers that had been patched against EternalBlue. Another difference from WannaCry was that Petya was far more targeted, configured to mainly affect organizations in Ukraine, although other organizations in other countries were also affected.
Tips for businesses and consumers
- New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers, such as EternalBlue.
- Email is one of the main infection methods. Delete any suspicious-looking email you receive, especially if they contain links and/or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up.
Adopting a multi-layered approach to security minimizes the chance of infection. Symantec has a comprehensive strategy that protects against ransomware in three stages.
Prevent: Email security, Intrusion Prevention, Download Insight, Browser Protection, Proactive Exploit Protection (PEP).
Contain: Advanced signature-based antivirus engine with machine learning heuristic technologies, including SONAR and Sapient.
Respond: Dedicated Incident Response team to help organizations respond and recover from a ransomware attack.