SophosLabs looked at the most prolific ransomware variants. And, we offer you the tools to better defend against them.
Ransomware has been with us for a while now and is even considered old news by many security practitioners. But, it remains a vexing problem for many companies. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period.
We break down the statistics and, most importantly, provide you with the resources to help mount a more effective defense.
The statistics below cover the six-month period between October 2016 and April 2017. It doesn’t include mid-May’s WannaCry outbreak, which came later.
The data was collected using lookups from customer computers. Beginning with specific ransomware families, the labs found that Cerber and Locky were by far the most active. Cerber accounted for half of all activity during the period, and Locky made up a quarter of it.
Cerber has undergone many mutations designed to circumvent sandboxes and antivirus. One version spread via spam emails disguised as a courier delivery service. Locky, meanwhile, has a history of renaming the important files of its victims so that they have the extension .locky. Like Cerber, its tactics and make-up have morphed over time.
The countries seeing the most ransomware activity are Great Britain, Belgium, the Netherlands and the US, and the biggest spike of activity came in early- to mid-March. Activity dropped for a short time but spiked again around April 5.
Reviewing malware delivery methods and evolution for the past year (April 2016-April 2017), the labs discovered, among other things, that the malware came from different attack angles – email spam, web malvertisements and drive-by downloads. The most prevalent attack vector for ransomware was email attachments, particularly PDFs and Office documents.
The majority of malicious spam attacks using non-EXE attachments are related to ransomware infections one way or another. We saw a big drop in malicious spam starting in December 2016.
The exact percentages are captured here (for a closer view, click on various parts of the graphic and use the magnifying glass function).
To better protect yourself from this sort of thing: