The malware we protect our customers from transcends operating systems. Ransomware in particular can attack almost any device. Four trends stood out in 2017 and will likely dominate again in 2018.
Ransomware continues to make organisations suffer, as evidenced by the persistence of Cerber and outbreaks of WannaCry and Petya. WannaCry bested Cerber as the most prolific ransomware family, remaining active since its initial outbreak in mid-May. But that doesn’t make Cerber any less of a threat. If we narrow the scope to which ransomware appeared the most, Cerber remains the most pervasive.
Ransomware as a service (RaaS), in which malware kits are sold to anyone regardless of skill, is a growing problem, and Cerber is an example of it. Looking at affected industries, hospitals and universities have been particularly hard hit.
While ransomware exists on many platforms, it has historically been most prevalent on Windows. Here are some resources we previously released for Windows, many of which can help protect Android and Mac OS as well:
- Create regular file backups
- To protect against misleading filenames, tell Explorer to show file extensions
- Deploy next generation security from Sophos Intercept X
An explosion of Android malware on Google Play and elsewhere
Ransomware also remains a big problem for Android users. We review several types of Android malware, including GhostClicker, an example of poorly behaved adware, and WireX, malware used in distributed denial of service (DDoS) attacks.
CSG’s next generation IT security, powered by SophosLabs, will have processed an estimated 10 million Android samples submitted by Sophos customers for analysis by the end of 2017. This is up from the 8.5 million processed through all of 2016.
Looking at the top Android malware families since the beginning of 2017, Rootnik was the most active family, accounting for 42% of all malware seen by SophosLabs. PornClk was the second most active at 14%, while Axent, SLocker and Dloadr followed at 9%, 8% and 6%, respectively.
Many apps on Google Play were found to be laced with Rootnik, and that family was also seen exploiting the DirtyCow Linux vulnerability in late September.
Threats on Google Play doubled
Between January and September 2017, our proactive teams found 32 different threats on Google Play. This is double the amount from the same period a year before.
The Judy malware, for example, infected upwards of 36.5 million users by September. Over 800 Android apps were infected with Xavir malware, while the WireX botnet might have infected 140,000 devices in 100 countries by its peak on Aug. 17 – perhaps the biggest DDoS botnet to date by Android standards.
One of the more sobering finds in Google Play was Lipizzan, spyware that infected up to 100 devices and was designed to monitor phone activity while extracting data from popular apps.
SophosLabs reported its discoveries to Google each time and the company was diligent in removing the offenders from Google Play. Unfortunately, the bad guys remain prolific and hard to keep up with.
The Windows threat landscape hasn’t changed much in the past year. But we did observe a noteworthy trend in the realm of Office exploits.
For the first time in five years, CVE-2012-0158 was not the most commonly used Office exploit. CVE-2012-0158 was disclosed and patched by Microsoft (MS12-027) back in 2012, but has since proved popular amongst cybercriminals, regularly topping the charts as the most-exploited document vulnerability. In one article in Naked Security, we called it the “bug that won’t die.” The flaw itself lies in the Windows common controls, a component used by several Microsoft applications; when it is successfully exploited, a remote attacker can execute code on the vulnerable system.
For these types of Windows threats, we have typically suggested the following:
- Stay up to date by installing all Microsoft patches
- If you receive a file attachment or link by email from someone you don’t know, don’t open it
- Use an anti-virus with an on-access scanner (also known as real-time protection)
- Consider stricter email gateway settings
- Always re-evaluate the necessity of external e-mail communication
- Never turn off security features because an email or document says so
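The “misleading filenames” point above and the suggestion of stricter gateway settings can be combined into a simple attachment-name check. The following is an added example, not code from SophosLabs or from any product; the extension lists and the sample attachment names are constructed for illustration.

```python
"""Flag e-mail attachment names that try to disguise an executable as a document."""
import re
from typing import Dict, List

# File types Windows runs directly on double-click (constructed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "hta", "lnk", "ps1", "msi"}
# Document or image types commonly used as the decoy half of "invoice.pdf.exe".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
              "jpg", "jpeg", "png", "gif", "zip", "rtf"}
# Unicode bidi control characters change how a name is displayed, not what it is.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def filename_warnings(name: str) -> List[str]:
    """Return the reasons a name looks misleading; an empty list means none found."""
    warnings: List[str] = []
    if any(ch in BIDI_CONTROLS for ch in name):
        warnings.append("bidi-control-character")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return warnings                      # no extension at all
    true_ext = parts[-1].strip()             # what Windows actually uses
    if true_ext in EXECUTABLE_EXTS:
        warnings.append("executable-extension:" + true_ext)
        if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
            warnings.append("double-extension:" + parts[-2].strip() + "." + true_ext)
        # Runs of spaces push the real extension out of a narrow display column.
        if re.search(r"\s{4,}", ".".join(parts[:-1])):
            warnings.append("whitespace-padding")
    return warnings


def scan_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious attachment name to its warnings; clean names are omitted."""
    result: Dict[str, List[str]] = {}
    for name in names:
        found = filename_warnings(name)
        if found:
            result[name] = found
    return result


# Constructed sample attachment names, not taken from any real message.
SAMPLE_NAMES = [
    "Q3-report.pdf",                       # ordinary document
    "Invoice_2017.pdf.exe",                # double extension
    "photo\u202egpj.exe",                  # rendered as "photoexe.jpg" by the RTLO override
    "readme.txt                    .scr",  # padded so ".scr" falls off the screen
    "setup.msi",                           # plain installer, still worth a second look
]

if __name__ == "__main__":
    for attachment, reasons in scan_attachments(SAMPLE_NAMES).items():
        print(repr(attachment), "->", ", ".join(reasons))
```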
Learn more about how to protect your network by reading our security solutions section.