Rocketing ransomware goes mobile
Ransomware attacks doubled in volume in late 2016, but perhaps compromising mobile devices has become the new trend...
More evidence, if it were needed, that ransomware is genuinely one of the greatest business cybersecurity challenges around today has come in the shape of a series of threat reports.
The reports from major AV companies all tell similar tales of explosive growth in ransomware volumes, variants and sophistication. Check Point’s global survey found that the share of ransomware among all recognized malware attacks worldwide almost doubled in the second half of 2016, from 5.5 per cent to 10.5 per cent.
Cerber and Locky, the ransomware families at the top of the list, were first introduced in spring 2016. Over the last few months, new versions of those ransomware families were discovered, while Locky climbed the rankings from number 30 in the first half of 2016 to number five in the second half of the year. At the end of 2016, Locky ransomware made it to the top three malware strains.
Ilia Kolochenko, CEO of High-Tech Bridge, commented: “Ransomware attacks are relatively new, however are growing much faster than any other sector of cybercrime. The success is explained by their technical simplicity to conduct, and attackers' certainty to get paid by most of the victims, who often have no other choice that would be economically reasonable.”
High-Tech Bridge recently recommended the following steps to help you avoid paying out to ransomware:
- Maintain a comprehensive and up-to-date inventory of all your digital assets. You cannot defend what you don’t know.
- Make sure that you have implemented proper access control and segregation to prevent a domino effect triggered by a single compromised device.
- Implement continuous monitoring of your physical and virtual IT infrastructure, software and security patches, as well as of new threats and malware targeting your industry.
- Create and regularly test a Disaster Recovery Plan (DRP) that will allow you to mitigate loss of any critical data in a reasonable timeframe, and at a cost compatible with your corporate risk appetite.
- Invest in security training and awareness programs to educate your employees, key suppliers and partners.
- Verify that your approach to cybersecurity and risk management is based on common sense principles, which your C-level fully understands, shares and practically supports.
A parallel report from Kaspersky Lab confirms the trend, with an overall increase of almost 6.5 times, now representing 4 per cent of all malware installation packages. Kaspersky Lab detected 261,214 mobile ransomware Trojans in 2016, and noted a rise in Android-specific ransomware. The company also uncovered considerable growth and evolution in banking trojans, detecting 128,886 installation packages, which represents a 1.6 times increase over 2015.
The threat to Android devices comes as little surprise, given the wider migration of online traffic in general to mobile devices, but it does raise interesting questions about the future. Even assuming it were possible to secure the corporate network against ransomware, private and enterprise Android devices still give hackers a strong attack vector.
A report from ESET spells out some of the dangers, particularly flagging the rising trend of Android ransomware delivered via malicious links in spam email, and of capabilities that go beyond simply encrypting files or locking the phone's screen, such as wiping the device, opening URLs in the phone's browser, GPS tracking, and the theft of personal files.
Apart from a single exception, none of the ransomware examples ESET investigated were found on the official Google Play store. However, there have been numerous cases of malware successfully bypassing Google’s ever-improving security measures. ESET’s researchers have found and reported to Google hundreds of samples of Android malware, including fake apps and fake AV scareware, credential-phishing spyware, trojans used for click-fraud, backdoors, ad-displaying PUAs (Potentially Unwanted Applications) and other PUAs. Malware writers have also begun to use more sophisticated methods to spread their infected apps, such as encrypting malicious payloads and hiding them more deeply in the app folders.
Overall, the signs point to an increasing tide of mobile attacks in 2017. Kolochenko continued: “Propagation of IoT and smart devices into our everyday lives will definitely increase the risks, frequency and the consequences of the ransomware attacks. I wouldn't be surprised if in the next few years cybercriminals will lock operational rooms in hospitals or unlock doors in state prisons. Unfortunately, our law enforcement agencies don't have enough experience, technical skills and most importantly - resources to fight cybercrime. If they don't get them today - in the next few years our society will lose confidence in a justice system that is unable to prosecute and prevent cybercrime.”
Luckily, Android users have a variety of defensive steps once infected, depending on the sophistication of the malware. Booting into safe mode might be sufficient to throw off simpler infections, followed by using Google’s Android Device Manager to reset and/or regain control of the device.
However, it’s a fair bet that the more simplistic variants will soon be upgraded to prevent these easy side-steps, if mobile ransomware follows the same trajectory as desktop versions. Stay tuned...