Notice

4,540 ransomware incidents in the first half... triple last year

KISA's trend report… 58% of malware is ransomware

The Nayana incident, in which $1.2 million was paid, is expected to increase the number of hackers demanding money in the second half.

▲ The photo shows KISA's Integrated Control Center on June 28, when the Petya ransomware infection case was found.

In the first half of this year, the number of ransomware incidents reported to the Korea Internet & Security Agency (KISA) was 4,540, more than triple last year's figure. Ransomware is malware that encrypts important files and demands money for their recovery.

According to the "Q2 Cyber Threat Trend Report" published by KISA on the 19th, ransomware damage reports increased 3.6 times, from 990 in Q1 to 3,550 in Q2. The 4,540 damage reports in the first half are 3.2 times last year's 1,438 cases; in 2015 there were 770 cases. The increase is attributed to the huge impact of powerful ransomware such as WannaCry and Petya.

Of the 436 malware samples collected in Q2, 255 were ransomware. Ransomware's share was 58.5%, up 14.5% from Q1 (44%). Information-stealing malware was the second most common type, accounting for 30% (130 samples), 17.3% more than the previous quarter. Information-stealing malware is mainly used to collect reconnaissance information for targeted attacks such as APT (Advanced Persistent Threat).

▲ Source: KISA

In Q1, sophisticated disguise techniques using spear-phishing (targeted) emails and shortcut icons were used to distribute malware. In Q2, large-scale distribution using a Windows vulnerability (SMB) was prevalent. Attackers used various infiltration methods, such as self-spreading malware exploiting the latest vulnerabilities and direct attacks on servers.

Meanwhile, the largest number of hackers' command-and-control (C&C) servers in Q2 were located in the US, apparently because hackers used US commercial cloud services as C&C servers. Russia and China followed the US.

The number of high-risk vulnerabilities identified in Q2 reached 1,110, nearly double the 671 in Q1. The vendor with the most vulnerabilities was Google, accounting for 11% of the total; of the 126 Google vulnerabilities, 119 related to the Android mobile OS. Microsoft (8%), Adobe (7%) and Apple (6%) followed Google.

Based on the surge of information-stealing malware in Q2, KISA predicted that APT attacks and malware distribution using the information collected by such malware will be very common in Q3. Since web hosting company Nayana, damaged by ransomware, paid $1.2 million to hackers, KISA is concerned that cases of hackers demanding money will increase.

KISA said, "We should pay special attention to internal network security management to prevent malware such as the Petya ransomware from spreading to and infecting the internal network. Please keep OS and software security updates up to date and back up periodically."

[Source: Yonhapnews, Go Hyun-sil okko@yna.co.kr | 2017.07.19 | http://www.yonhapnews.co.kr/bulletin/2017/07/19/0200000000AKR20170719176300017.HTML]

2017.07.19

WannaCry ransomware massively attacks computer systems all over the world

Author: admin
Date: 2017-05-14 21:45

[Figure: WannaCry infection map]

A new ransomware strain named WannaCry (aka WannaDecryptor, aka WannaCryptor, aka WanaCypt0r, aka WCry) has infected more than 57,000 computers in 74 countries around the world so far.

According to Avast malware researcher Jakub Kroustek, most of the detections are coming from Russia, Ukraine, India and Taiwan.

[Figure: WannaCry attack distribution]

Kaspersky Lab forum users report that the WannaCry ransomware managed to infiltrate the internal computer system of the Ministry of Internal Affairs of Russia and Investigative Committee of Russia.

“It first appeared in February 2017, but now it’s updated and looks different than previous versions”, said one of the Kaspersky Lab forum users.

Spain’s Computer Emergency Response Team, CCN-CERT, also posted an alert on its site about a wide-scale ransomware attack affecting a few Spanish organizations.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions.

The WannaCry attacks are initiated using an SMBv2 remote code execution vulnerability in the Microsoft Windows OS. The EternalBlue exploit was made publicly available through the Shadow Brokers dump on April 14th, 2017, and the vulnerability was patched by Microsoft on March 14. However, many companies and public organizations have not yet installed the patch on their systems.

The ransomware encrypts the files and also drops multiple ransom notes in different languages. WannaCry demands a payment of $300 to a Bitcoin wallet.

WannaCry displays a countdown timer warning that the payment amount will be raised after 3 days and that the victim will completely lose their personal files after 7 days.

[Figure: WannaCry ransom demand]

The ransomware also replaces the victim’s wallpaper with instructions on how to pay the ransom demand and how to get the decryptor tool.

[Figure: WannaCry ransom note]

Transaction statistics for the Bitcoin wallets used by the WannaCry creators show that some of the victims have already paid the ransom.

The file extensions targeted by the WannaCry ransomware include:
  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).


How to prevent WannaCry infection

1. Make sure that all hosts have an endpoint anti-malware solution enabled.
2. Install the official Windows patch (MS17-010), which closes the SMB Server vulnerability used in this ransomware attack.
3. Scan all systems. If the malware is detected as MEM:Trojan.Win64.EquationDrug.gen, reboot the system and make sure the MS17-010 patches are installed.
4. Back up all important data to an external hard drive or a cloud storage service.

[Source : MalwareLess, May 12, 2017, https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world]
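The audit script below is an added example, not part of the notice or of the MalwareLess article: it checks a Windows host for the conditions that steps 2 and 3 above depend on (SMBv1 still enabled, the MS17-010 update missing, and inbound TCP/445 allowed by the host firewall). It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.x run from an elevated prompt; the KB list is a placeholder, because MS17-010 was released under a different KB number for each Windows version.

```powershell
# Added audit script (not from the original notice or the MalwareLess article).
# Assumes Windows 8.1 / Server 2012 R2 or later, PowerShell 5.x, elevated session.
# MS17-010 ships under a different KB number per Windows version, so the default
# below is a placeholder: fill in the KB(s) for this host from the bulletin.
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-THIS-OS')
)

$findings = [System.Collections.Generic.List[string]]::new()

# Check 1: is the SMBv1 server protocol (the surface EternalBlue targets) still enabled?
$smbConfig = Get-SmbServerConfiguration
if ($smbConfig.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled; run Set-SmbServerConfiguration -EnableSMB1Protocol $false')
}

# Check 2: is the SMB1Protocol optional feature installed at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol feature is installed; consider Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol')
}

# Check 3: is at least one of the MS17-010 hotfixes reported by Get-HotFix?
$installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = @($Ms17010Kbs | Where-Object { $installedKbs -contains $_ })
if ($patched.Count -eq 0) {
    $findings.Add("No MS17-010 hotfix from the list ($($Ms17010Kbs -join ', ')) is installed; apply the update")
}

# Check 4: enabled inbound allow rules whose local port includes 445 (SMB)
$openSmbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
if ($openSmbRules) {
    $findings.Add("Inbound firewall allows port 445 via: $($openSmbRules.DisplayName -join ', ')")
}

# Report: one line per finding, or a single OK line when nothing was flagged
if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled, MS17-010 hotfix present, no inbound 445 allow rules.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on each host after step 2 to confirm the patch actually landed and that SMBv1 is not quietly still listening.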

A more direct defense is to install Zombie ZERO, which defends against new ransomware based on its behavior.
Zombie ZERO can defend against a second WannaCry and against new and variant ransomware without signatures. Existing antivirus products cannot prevent the next WannaCry, a new malware.
For more information, please call +82-2-1544-5317 or visit www.npcore.com.

Go to Ransomware Response Solution on Endpoint : ZombieZERO EDR for Ransomware