NotPetya tops the list of “nastiest” ransomware attacks in the past year, according to threat researchers at security firm Webroot.
NotPetya was the most destructive ransomware of 2017, followed closely by WannaCry and Locky, according to data collected from the Webroot BrightCloud threat intelligence platform, including all devices running Windows operating systems that were infected with ransomware in the past year.
The researchers said NotPetya was ranked highest because it was engineered to do damage to a country’s infrastructure.
The NotPetya malware used EternalBlue, the same exploit WannaCry used a month earlier. But unlike most ransomware, NotPetya’s main purpose was to cause disruption.
WannaCry takes second place because it took the world by storm when it infected hundreds of thousands of users across the globe.
NotPetya, which started as a fake Ukrainian tax software update, infected hundreds of thousands of computers in more than 100 countries in just a few days. This ransomware is a variant of an older attack dubbed Petya, except the later attack uses the same exploit behind WannaCry.
Locky, which was 2016’s most popular ransomware, continued to be active in 2017, taking third place in Webroot’s ranking. New variants of Locky, called Diablo and Lukitus, surfaced in 2017, using the same phishing email attack to lure victims.
Fourth is CrySis, a remote desktop protocol (RDP) compromise that also started in 2016 in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware because cyber criminals can compromise administrators and machines that control entire organisations, the researchers said.
According to 451 Research, ransomware is a top pain point for businesses due to its infectious nature and ability to spread quickly through systems.
“Ransomware does not have a bias and often times small to medium-sized enterprises [SMEs] are the most vulnerable due to their lack of resources,” said Aaron Sherrill, senior analyst at 451 Research.
“SMEs need to be proactive by consulting an MSP [managed service provider] or MSSP [managed security service provider] on how to deploy a solution that will protect their business from these malicious threats,” he said.
Nemucod, at number five, typically arrives in the form of a phishing email that looks like a shipping invoice. Nemucod downloads malware and encryption components stored on compromised websites. Nemucod would have been the most malicious phishing email if Locky had not reignited in August, the researchers said.
Completing the top 10 list are Jaff, Spora, Cerber, Cryptomix and Jigsaw.
Webroot researchers said there are several ways MSPs and SMEs can protect devices against ransomware:
- Deploy a top-rated security system that provides protection from multiple attack vectors, without affecting user experience by slowing devices during scans.
- Keep security software up to date. Firmware and patches are how suppliers push out important security updates. Keep both devices and operating systems up to date and create a process for patch management.
- Back up and store sensitive data. Generally, ransomware only has the means to encrypt files stored locally on a user’s system. Back up data to a hard, offline location. In the case of equipment failure or ransomware, you can access your backup and get back to business as usual.
- Implement a strong password naming convention. A strong password policy limits the likelihood of remote desktop protocol (RDP) breaches.
David Dufour, vice-president of engineering and cyber security at Webroot, said the top 10 list is further evidence that cyber criminals will continue to exploit the same vulnerabilities in increasingly malicious ways.
“Although headlines have helped educate users on the devastating effects of ransomware, businesses and consumers need to follow basic cyber security standards to protect themselves,” he said.
David Kennerley, director of threat research at Webroot, said Bad Rabbit’s emergence over the past week shows that this type of attack is going to be a staple in the hackers’ arsenal.
“While Bad Rabbit was contained to Eastern Europe and shut down relatively quickly, I expect that similar strains demonstrating these worm-like capabilities will continue to emerge,” he said.