Ransomware has been with us for a while now and is even considered old news by many security practitioners. But, it remains a vexing problem for many companies. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period.
We break down the statistics and, most importantly, provide you with the resources to help mount a more effective defense.
Statistics from SophosLabs
The statistics below cover the six-month period between October 2016 and April 2017. It doesn’t include mid-May’s WannaCry outbreak, which came later.
The data was collected using lookups from customer computers. Beginning with specific ransomware families, the labs found that Cerber and Locky were by far the most active. Cerber accounted for half of all activity during the period, and Locky made up a quarter of it.
Cerber has undergone many mutations designed to circumvent sandboxes and antivirus. One version spread via spam emails disguised as a courier delivery service. Locky, meanwhile, has a history of renaming the important files of its victims so that they have the extension .locky. Like Cerber, its tactics and make-up have morphed over time.
The countries seeing the most ransomware activity are Great Britain, Belgium, the Netherlands and the US, and the biggest spike of activity came in early- to mid-March. Activity dropped for a short time but spiked again around April 5.
Reviewing malware delivery methods and evolution for the past year (April 2016-April 2017), the labs discovered, among other things, that the malware came from different attack angles – email spam, web malvertisements and drive-by downloads. The most prevalent attack vector for ransomware was email attachments, particularly PDFs and Office documents.
The majority of malicious spam attacks using non-EXE attachments are related to ransomware infections one way or another. We saw a big drop in malicious spam starting in December 2016.
The exact percentages are captured here (for a closer view, click on various parts of the graphic and use the magnifying glass function).
What to do?
To better protect yourself from this sort of thing:
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
- Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
- Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
- Use Sophos Intercept X, which stops ransomware in its tracks by blocking the unauthorized encryption of files.
Other links we think you’ll find useful:
- To defend against ransomware in general, see our article How to stay protected against ransomware.
- To protect against misleading filenames, tell Explorer to show file extensions.
- To learn more about ransomware, listen to our Techknow podcast.
- To protect your friends and family against ransomware, try our free Sophos Home for Windows and Mac.
Techknow podcast — Dealing with Ransomware:
(Audio player above not working? Download, or listen on Soundcloud.)