WannaCry, NotPetya and the Rest: How Ransomware Evolved in 2017

ransomware-ts-100682319-primary.idge-1Ransomware. The word strikes fear into the hearts of hospital administrators, local government officers, and small business owners everywhere.

After exploding in 2016, ransomware has been covered extensively by media outlets and security experts, to the point where most organizations have started to take at least some action to mitigate their exposure.

But have these efforts had any impact? And have threat actors continued to rely on their most reliable profit-center?

Let’s take a look.

Rogues Gallery

The number of new ransomware families grew slightly during 2017, but it was nothing like the skyrocketing growth from the previous year. Ultimately, the list of top ransomware threats from 2017 contains plenty of familiar names:

Locky

Unlike in 2016, when it flooded user inboxes month after month, Locky was an inconsistent threat during 2017. It disappeared for months at a time, lulling onlookers into believing it was vanquished before returning to torment security professionals once again. While Locky’s base code only underwent some minor revisions during 2017, the tactics, techniques, and procedures (TTPs) surrounding its distribution changed constantly — email lures were updated, delivery mechanisms were varied, and the extension applied to encrypted files spanned a broad range of mythological deities, from Odin and Thor to Osiris, Diablo, and Aesir.

Globeimposter

First appearing in the second half of 2017, Globeimposter campaigns have launched several times per month ever since, often fueled by the Necurs botnet. The threat actors behind Globeimposter favor phishing lures disguised as urgent overdue invoices, and have preferred to use compromised websites for their payloads download URLs rather than registering their own.

Jaff

First appearing a day prior to the May 2017 WannaCry attack, Jaff was distributed by the Necurs botnet and utilized a malicious PDF hidden inside a Microsoft Word document. Jaff was active during May and June 2017, during in a lull in Locky distribution, and we suspect this is not a coincidence — more likely, there was a deliberate substitution of Jaff for Locky, enabling the threat actors responsible to test more substantial changes than had previously been attempted.

Cerber

A highly advanced ransomware family, Cerber has been updated constantly to evade detection and maximize profit. Unlike other ransomware families, which arrive in bursts before disappearing, Cerber has maintained a persistent, low-level presence for some time, and is expected to remain a threat during 2018.

WannaCry

Perhaps the most aptly named ransomware family from 2017, WannaCry wrought havoc for businesses all over the world. Starting in the early hours of May 12, WannaCry infected hundreds of thousands of machines across more than 150 countries. Unlike most ransomware families, which rely on phishing for distribution, WannaCry made use of an SMB vulnerability to infect exposed machines, and then spread by scanning for connected machines over TCP port 445. For a more thorough picture, you can read our blog post from May 17 last year.

Petya/NotPetya

Following on from WannaCry, and leveraging the same exploits, NotPetya appeared on June 28 2017 and quickly crippled networks all over the world. Once again the initial infection vector wasn’t phishing; it was an infected mandatory update for popular Ukrainian tax software MeDoc. Unlike most ransomware families, NotPetya didn’t offer victims the opportunity to pay a ransom in return for a decryption key — Instead, the virus encrypted the victim’s files, destroyed the decryption key, and overwrote the infected machine’s boot data, forcing targeted organizations to wipe and rebuild infected machines. Ultimately, the CIA concluded that NotPetya was a product of the Russian Military, designed to disrupt the Ukrainian financial system.

Headlines can be Misleading

Because of the high profile (to say the least) nature of the WannaCry and NotPetya attacks, it would be easy to assume that ransomware was every bit as ubiquitous in 2017 as it had been in 2016.

But that’s not quite true. Certainly ransomware remained a substantial threat throughout last year, disrupting the life and work of countless individuals, hospitals, local authorities, and even major corporations. But at the same time, increased uptake of countermeasures such as security awareness training enabled many organizations to avoid falling prey to ransomware attacks.

And here’s the thing. While WannaCry and NotPetya stole the headlines last year, they were far from representative of typical ransomware attacks. Why? Because they spread using exploits which enabled remote code execution, while the vast majority of ransomware families rely on phishing.

Had it not been for those two high profile attacks, it’s likely the narrative surrounding ransomware in 2017 would have been very different — In effect, that while it remained a serious threat, security-conscious organizations had started to fight back using (among other things) powerful security awareness training.

The Outlook for 2018

Time to be frank: Ransomware isn’t going away anytime soon.

In a sense, the ransomware landscape has reached its “mature” state — It’s unlikely to see any more explosive years like 2016, but at the same time it’s an established threat that organizations of all types must accept and prepare for. New ransomware families will likely pop up every now and then, just like they do for every other type of malware, and organizations will need to maintain good cyber hygiene in order to stay safe. You can do this by:

  • Training users to spot and report phishing lures
  • Maintaining a thorough vulnerability management program
  • Patching serious vulnerabilities promptly when they are announced
  • Making use of basic security controls, e.g., DMARC, spam filters, etc.
  • Have a recovery plan in case an infection does occur

At the same time, ransomware infections relying on remote code execution are unlikely to be anything like the threat they were last year. Exploits like those released by The Shadow Brokers (and leveraged by both WannaCry and NotPetya) are extremely rare, and given the circumstances surrounding their release and abuse it is highly unlikely that we’ll see global outbreaks of so-called “wormable” ransomware in 2018.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Joseph Fleming. Read the original post at: https://info.phishlabs.com/blog/wannacry-notpetya-ransomware-evolved-in-2017