2019 Ransomware Retrospective Report.pdf

August 2019
CTNT REPORT
CYBERCRIME TACTICS AND TECHNIQUES: Ransomware Retrospective

Executive summary

Oh yes, we said ransomware. This once dangerous-but-recently-dormant threat has come back to life in a big way, switching from mass consumer campaigns to highly-targeted, artisanal attacks on businesses. Cybercriminals looking for a bigger bang for their buck have been busy exploiting weak infrastructure and poorly-constructed operational security to encrypt business-critical data for larger payouts, and organizations have been largely caught with their virtual pants down.

As we examine ransomware inside-out, looking at the influence of older players on the market and the trajectory of today's most influential ransomware families, we will also look to the future of this threat, considering where ransomware will go next, and how it will get there. Be on the lookout for our quarterly predictions, ransomware-style.

The statistics, graphs, and charts we created for this report were derived from our own telemetry obtained from users of our business and consumer products, reaching back as far as 2016, but largely focused on the last year, from Q2 2018 through Q2 2019. We've made some modifications to normalize the data and allow for better trend identification, utilizing more percentage increases and decreases than previous reports, as these show with more accuracy the peaks and valleys observed within our detection telemetry. Samples used for the creation of said telemetry were obtained from internal malware-hunting sources, such as honeypots and collection systems, as well as manual collection by our researchers.

In addition, we've combined the observations, experience, and theories of our intelligence and research departments with collected telemetry to paint a more accurate picture of the threat landscape, and derive meaningful analysis of campaign activity and detection trends. We hope you enjoy this special ransomware retrospective as much as we enjoyed creating it.

Another quarter, another quarterly cybercrime report, our eleventh to date. However, unlike past CTNTs (as we affectionately call them in-house), this time we are zeroing in on a single threat and peeling back its layers to reveal how it has evolved over the last couple of years, from the attack methods cybercriminals use to the targets they choose to victimize. We'll look at global consumer and business detections, the families within this threat doing the most damage, regional threat analysis, the most heavily-attacked countries, and even the top US states. So, sit back, relax, and grab some popcorn as we dig into this special ransomware edition.

Key takeaways

Over the last year, we've witnessed an almost constant increase in business detections of ransomware, rising a shocking 365 percent from Q2 2018 to Q2 2019. Meanwhile, consumer detections of ransomware have been on the decline, decreasing by 12 percent year over year and 25 percent quarter over quarter. The reason behind this shift: cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft. Encrypting sensitive proprietary data on any number of endpoints allows cybercriminals to put forth much larger ransom demands while gaining an exponentially higher chance of getting paid.

Ransomware attacks featuring targeted campaigns against cities and municipalities, like those experienced in Baltimore, Florida, and Georgia, have increased in frequency, especially since the beginning of 2019. Ransomware families such as Ryuk and RobinHood are mostly to blame, though SamSam and Dharma also made appearances. Recovery from those attacks has been slow and painful, with critical infrastructure a problem. Healthcare and education, two industries also plagued with legacy infrastructure, were also targets.

The ransomware families causing the most trouble for businesses this quarter were Ryuk and Phobos, which increased by an astonishing 88 percent and 940 percent over Q1 2019, respectively. GandCrab and Rapid business detections both increased year over year, with Rapid gaining on Q2 2018 by 319 percent. However, business detections of GandCrab slowed down by 5 percent in Q2 2019 over Q1.

All of the top five ransomware families for consumers decreased in Q2 2019 from Q1. The family that saw the largest decrease quarter over quarter was Rapid, which fell by 57 percent in Q2, with a year over year decline of 30 percent. In fact, the only ransomware family that saw any kind of increase was Troldesh, which rose by 162 percent over the same time period in 2018, but still declined from Q1 by 55 percent.

Looking at ransomware attacks by region (North America; Latin America; Europe, the Middle East, and Africa; and Asia Pacific), nearly half of all ransomware detections in the last year occurred in North America. Europe, the Middle East, and Africa netted 35 percent of our ransomware detections, while Latin America yielded 10 percent and Asia Pacific 7 percent. Each of the regions was plagued with high percentages of GandCrab detections, but Ryuk gave GandCrab a run for its money in North America.

As for leading ransomware countries, the United States took home the gold with 53 percent of all detections from June 2018 through June 2019. Canada came in a distant second with 10 percent, and the United Kingdom and Brazil followed closely behind, at 9 percent and 7 percent, respectively. The remaining 21 percent was shared between Italy, France, Russia, Germany, South Africa, and Spain. Once again, GandCrab and Ryuk made the most noise in the countries we studied; however, certain families made significant impressions, such as Troldesh on Russia.

Texas, California, and New York were the top three states infected with ransomware, ganged up on with a combination of GandCrab, Ryuk, and Rapid, which made up more than half of the detections in these states. Interestingly, the states with the most ransomware detections were not always the most populous. North Carolina and Georgia rounded out our top five ransomware states, but they are not as heavily-populated as Florida or Pennsylvania, neither of which made our list.

Ransomware shifts to businesses

In 2016, ransomware was primarily a consumer problem. With families like Cerber and Locky targeting users via drive-by exploits and the use of widespread phishing campaigns, cybercriminals held countless home systems for ransom. These threats did not single out targets; they simply blanketed the landscape with mass campaigns, and those who fell victim just happened to be in the wrong place at the wrong time.

Today, consumers aren't pressured with the same relentless onslaught of ransomware attacks as they were in 2016. This is because cybercriminals have decided to pull back on targeting home computers to instead focus on endpoints plugged into larger networks of sensitive and proprietary data. To this end, from 2018 to 2019, we saw a 235 percent increase in threats aimed at organizations, from enterprises to small businesses, with ransomware as a major contributor. Education, healthcare, and government are particularly at risk.

To illustrate these changes in focus by the criminals behind today's ransomware campaigns, Figure 1 shows total percentage increases and decreases of ransomware focused against consumers and larger organizations (business detections). Starting from the first quarter of 2018, ransomware aimed at consumers started to decline, gaining significant downward momentum by the second half of the year. The initial decline was primarily due to the shift away from traditional malware in favor of pushing cryptominers, though this trend did not last long.

Figure 1. Decline in consumer ransomware vs. increase in business ransomware (quarter-over-quarter percentage change in detections)

Quarter    Consumer    Business
2017 Q4    55%         2%
2018 Q1    -13%        22%
2018 Q2    -1%         -66%
2018 Q3    22%         23%
2018 Q4    -16%        393%
2019 Q1    -34%        152%
2019 Q2    -16%        263%

The Figure 2 graph expresses the overwhelming difference between consumer and business detections of ransomware as far back as June 2018. As we approached Q2 2019, consumer detections were poised to dip below business detections of ransomware for the first time, an expression of lost interest from cybercriminals in individual targets. In the same vein, the rise of business detections starting around the beginning of 2019 showed the new focus of threat actors on organizations. Never before have we observed such a similar number of ransomware detections for businesses and consumers; this is a shining example of the new ransomware reality security researchers and system admins will need to deal with in the coming quarters.

While the previous graph charted the shift in criminal focus from consumer to business by overall detection numbers, Figure 3 compares consumer and business detections by percentage quarter over quarter, demonstrating that as far back as Q4 2017, threat actors were turning their attention to organizations. As percentage changes for consumer-focused threats remained relatively negative throughout 2018 and 2019, the increase in the percentage of business-focused ransomware shot through the roof during the last quarter of 2018.

[Figure 2. Ransomware target shift from June 2018 to June 2019. Chart title: Ransomware Target Focus 12 Month View | June 2018 - June 2019; monthly detection counts for two series, Consumer and Organizations. Labelled points: Consumer Aug. 18 5,702,894; Dec. 18 2,589,297; Apr. 19 2,016,394; Jun. 19 1,625,351. Organizations Aug. 18 32,038; Dec. 18 193,590; Apr. 19 830,531; Jun. 19 1,403,496.]

[Figure 3. Consumer and business ransomware detections by percentage. Chart title: Ransomware Detections Percentage Comparison by Quarter | Q4 2017 - Q2 2019; x-axis: quarter (2017 Q4 through 2019 Q2), y-axis: percentage change (-100% to 500%); series: Organizations and Consumer.]

There are several reasons why ransomware instigators have their eyes set on businesses. However, their main motivation boils down to one element: a higher return on investment. When ransoming a single consumer system, the ransom demand is usually low so that targets are more liable to pay up. The number of files encrypted is limited to the size of a typical hard drive, and the files themselves are considered less vital. And the impact to the user, while potentially personally traumatic, is not as devastating as, for example, identity theft, which can result in months of exhausting paperwork to restore credit, finances, and personal reputation.

All these are reversed when cybercriminals focus on organizations, however. Encrypting business-critical files on any number of endpoints can supply huge benefits to cybercriminals, including much larger ransom demands and an exponentially higher chance of getting paid. This is because the loss of data doesn't only harm a single user, but an entire business. The fallout from ransomware can range from paying exorbitant fines and losing out on high margins of productivity and profit to, for many small businesses, having to close their doors. Even worse, ransomware lodged against vital government infrastructure can bring cities to a standstill.

Ramping up on easy targets

As the value of attacking consumers dropped due to greater availability of anti-ransomware tools and an overall low rate of return, it was no surprise that many ransomware families seemed to fall out of existence at the end of 2017, with Bitcoin miners multiplying well into 2018 instead.

During this time, however, we noted that there was an increase in the number of cities, educational institutions, and healthcare organizations targeted by ransomware, as cybercriminals wanted higher earnings than what they were seeing with miners alone. From December 2017 to present, ransomware threat actors lodged attacks against these organizations, likely because of legacy infrastructure, outdated hardware and software applications, and lack of security funding in these sectors. Unlike private organizations, who can drive their own profit margins and make unilateral decisions on funding, financial backing for local municipalities, education, and healthcare is often driven by government policy and political climate. As such, these industries must divert the majority of their limited funding to core issues, such as curriculum for education, community services for government, and research for healthcare, especially when budget cuts for these programs are on the rise.

The last year has exposed how unprepared many of these organizations are for cyberattacks, especially considering that many of the cities at the butt end of ransomware attacks this year had already experienced cybersecurity incidents in years prior. Some of the most noteworthy ransomware attacks on cities, healthcare, and education over the last year-and-a-half (the timeline runs from December 2017 through July 2019) are as follows:

Mecklenburg County, North Carolina - Unknown ransomware
Hancock Health, Greenfield, Indiana - SamSam
Davidson County, North Carolina - SamSam
Atlanta City Online Systems - SamSam
Wasaga Beach, Ontario, Canada - Dharma
West Haven, Connecticut - Unknown ransomware
Onslow Water and Sewer Authority, Jacksonville, North Carolina - Ryuk
Bridgeport school district, Connecticut - Unknown ransomware
Jackson County, Georgia - Ryuk
Albany, New York - Unknown ransomware
Augusta, Maine - Unknown ransomware
Greenville, North Carolina - RobinHood
Imperial County - Ryuk
Baltimore, Maryland - RobinHood
Riviera Beach, Florida - Unknown ransomware
Lake City, Florida - Ryuk
Middletown school district, Connecticut - Unknown ransomware
Georgia Administrative Office of the Courts - Ryuk

As we see more laws being pushed to increase the security and privacy around consumer data, it's likely these sectors will be required to ensure their networks are secure to maintain city services, better protect children's data in schools, and keep healthcare facilities up and running. We hope to see, in addition to many new bills proposed at the state and federal level, information security as a hot topic for political debate during the next election cycle.

Ransomware families

GandCrab has been the most active ransomware family observed over the last year. However, despite its immense spread, we