
Sophos Says: No Device, Operating System Safe from Ransomware


You can’t run and you can’t hide from ransomware, no matter the platform, device or operating system. That’s the word from security provider Sophos in its 2018 Malware Forecast, which recaps data gleaned from customers running the vendor’s software in the six-month period from April to October of this year.

Here are some of the report’s top-line tracking data:

  • Ransomware is no longer confined to a single platform. Attacks on Windows exceeded those on other platforms, but Android, Linux and macOS were not immune.
  • WannaCry accounted for some 45 percent of all ransomware, slightly topping longtime leader Cerber, which first appeared early last year, at 44 percent. The tracking data comes from ransomware intercepted from Sophos’ customers’ computers.
  • The Cerber ransomware, which is funded by kit sales on the Dark Web, remains an effective attack tool readily available to cyber crooks. Its code is regularly updated, and its creators charge a percentage of the ransom that the middleman attackers collect from victims.
  • The motive behind NotPetya is still uncertain. Was it a wiper or ransomware attack? As a case in point, the email account that victims needed to contact attackers didn’t work and victims could not decrypt and recover their data.
  • Cyber criminals are looking more at Android ransomware. The number of attacks on Sophos customers using Android devices increased almost every month in 2017. In September alone, ransomware made up about 30 percent of the Android malware Sophos counted, a figure expected to rise by 50 percent in October. Some Android ransomware locked the phone without encrypting data; other variants both locked the phone and encrypted data. Most Android ransomware is found in app markets other than Google Play.

Here’s what Dorka Palotay, SophosLabs security researcher, has to say about the findings:

On WannaCry:
“Even though our customers are protected against it and WannaCry has tapered off, we still see the threat because of its inherent nature to keep scanning and attacking computers.”

On Cerber:
“This Dark Web business model is unfortunately working and, similar to a legitimate company, is likely funding the ongoing development of Cerber. We can assume the profits are motivating the authors to maintain the code.”

On NotPetya:
“We suspect the cyber criminals were experimenting or their goal was not ransomware, but something more destructive like a data wiper.”

What does Sophos say about combating ransomware? (Is anybody out there listening to advice from security pros?)

  • Back up regularly and keep a recent backup copy off-site.
  • Don’t enable macros in document attachments received via email.
  • Be cautious about unsolicited attachments.
  • Patch early, patch often.

An optimistic word (via a Sophos Q&A) on the Dark Web from principal research scientist Chester Wisniewski:

"After years of doing criminal business in the open on the Dark Web, the bad guys have gotten careless with their operational security. Increasingly, we see mistakes leading to the uncloaking of some of the most infamous handles online. There have been many arrests and takedowns this year, like Hansa Market and Alpha Bay, and I expect that will continue into 2018. The police have figured out how to work in these dark corners and are making a mockery of the poor security employed by the crooks."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.