At the end of every year, our experts analyze the incidents that occurred and name one incident (or a trend) the story of the year. This year they did not have much to debate: 2017 was obviously the year of ransomware. Three ransomware epidemics (WannaCry, ExPetr, and the slightly less famous Bad Rabbit) attracted a lot of attention, but at least one only seemed to be encrypting ransomware.
Note that, although the incidents were sudden and took many users by surprise, our experts predicted the trends back in 2016. Costin Raiu and Juan Andres Guerrero-Saade wrote in Securelist’s forecasts for 2017 that they expected the emergence of ransomware that could “lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
Let’s recall the most important lessons of these attacks.
Malware’s lateral movement
Those epidemics became famous because the malware encrypted not just one computer, but all of the machines on a network. This level of infiltration was possible thanks to the vulnerabilities disclosed by the Shadow Brokers information sink.
By the time the epidemics began, however, the patches to prevent them already existed — but a lot of machines didn’t have them yet. Moreover, some intruders are still using those vulnerabilities to this day (and quite successfully, unfortunately).
Lesson 1: Install updates when they become available, especially if they are directly related to security.
Among the victims of the encryptors were many systems that were completely unprotected from the ransomware, just because no one thought they had to be. Some of those systems were information panels and vending machines. Frankly speaking, nothing exists on those systems to encrypt, and no one would pay to decrypt them.
But in those cases, the attackers did not choose their targets; they infected everything they could. The damage was significant. Reinstalling operating systems on those noncritical machines was and continues to be a costly time-sink.
Lesson 2: Protect all elements of your information infrastructure.
Sabotage instead of extortion
ExPetr lacked a mechanism that could identify a particular victim, which meant that even if the attackers wanted to, they could not give victims a decryption key. From that we can assume their aim was to cause as much damage as possible, and any ransom they collected was a bonus.
This once again confirms that paying ransom is not a reliable method of data recovery.
Lesson 3: The only real way not to lose your data is to back it up and to proactively install protective solutions.
Let’s hope that these lessons will minimize the damage from similar attacks in the future. After all, according to our experts, in the next year, cybercriminals will continue to use encrypting malware in the style of ExPetr: as a cyberweapon for information destruction. You can find more details of our researchers’ predictions for 2018 in this blog post on Securelist.