Statistics and Development of the WannaCry Ransomware

Nick Savvides, Security Advocate at Symantec Asia Pacific and Japan

When did WannaCry appear and how quickly did it spread?
WannaCry first appeared on Friday, May 12. Symantec saw a dramatic upsurge in the number of attempts to exploit the Windows vulnerability used by WannaCry from approximately 8:00 GMT onwards. The number of exploit attempts blocked by Symantec dropped slightly on Saturday and Sunday but remained quite high. Exploit numbers increased on Monday, presumably as people returned to work after the weekend.

Symantec blocks 22 million attempted WannaCry ransomware threats globally – full release here
  • Symantec today reported it has blocked nearly 22 million WannaCry infection attempts across 300,000 endpoints, providing full protection for Symantec customers through its advanced exploit protection technology.
  • Real-time sharing of threat intelligence between endpoint and network systems – across both Symantec Endpoint Protection and the Blue Coat ProxySG – as well as machine learning technologies, helped ensure endpoint customers were fully protected.
  • Symantec Endpoint Protection and Norton customers are fully protected from WannaCry by multiple layers of advanced protection. This includes Symantec’s new advanced machine learning, proactive network exploit protection, SONAR behavioral protection, and the Intelligent Threat Cloud.

Do you see the situation escalating? If so what is the best course of action from an overall corporate and country perspective in order to mount a robust defence against these threats?

This attack and variants of it have the potential to escalate, as many organisations still haven’t applied the patches to prevent the automatic spread. The best defense is to ensure the operating systems and security software are up to date and importantly educate users to exercise caution and understand the threats.

Best practices for protecting against ransomware
  • Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Do you expect more such attacks to occur down the road?

Yes, ransomware is extremely profitable for cyber-criminals and we expect this to continue. The profitability of ransomware has attracted new cyber-criminals to it. Symantec research shows ransomware attacks grew to 463,841 in 2016, up from 340,665 attacks in 2015 (36% increase) globally. The average ransom per victim grew to $1,077 in 2016, up from $294 in 2015 (266% increase) globally.

Would you reckon that ransomware and APT attacks are the most serious threats out there? Or do you see even newer types of cyber-attack tools being deployed?

APTs and ransomware are both very serious threats but operate at different ends of the cyber-crime spectrum. Ransomware is generally indiscriminate, with the idea to infect as many people as possible to improve the chances of the ransom being paid, as the motivation is purely financial. APTs, on the other hand, are extremely targeted; they are motivated by both money and politics. The cyber-criminals spend a lot of time planning their APTs and use very sophisticated tools to achieve their goals. Symantec expects both types of attacks to continue to evolve, to not just improve their ability to compromise but also their ability to evade detection.

How many cases of WannaCry has Symantec seen? How many clients has it helped currently? Did any of them pay up?
  • Symantec does not actively monitor the number of WannaCry cases. The speed at which this strain of ransomware can infect users makes it extremely difficult to predict the extent of this infection.
  • Symantec recommends affected users not to pay the ransom. Paying criminals is never recommended, as it feeds them and rewards them for their crimes. There is also no guarantee that your files will be released back to you.

We hear that WannaCry is a hybrid of a worm and ransomware - how does it make the malware more potent? What's the worst case scenario this malware can have on society?
WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows.
  • Computers which do not have the latest Windows security updates applied are at risk of infection.
