The widespread spread of ransomware poses a serious threat to the data of enterprises and individuals. 360 Internet Security Center monitors and defends against ransomware from multiple angles. According to this month's feedback data, the overall spread of ransomware declined, while the proportion of users infected through system vulnerabilities increased.

Analysis of infection data

Statistical analysis of this month's ransomware infection data shows that the number of feedback reports in October fell slightly from September. The main reason for the overall decrease is that fewer systems were infected through weak-password brute forcing. However, environments that carry this risk (remote desktop enabled, shared folders, MSSQL database services, Tomcat, and so on) should still pay attention to weak-password attacks.

Figure 1. Feedback quantity statistics in 2018

Analysis of data monitored by the 360 Protection Center revealed a small ransomware outbreak on October 22. This outbreak was mainly caused by the GandCrab ransomware, and the main means of transmission was password brute forcing.

Figure 2. Ransomware infection trends in October

Analysis of ransomware family distribution in October shows that the GandCrab family has overtaken the Crysis and GlobeImposter families to become the most widely spread family. Some of the reasons are:

  1. GandCrab is sold on the dark web under a profit-sharing (affiliate) model, so more people buy and distribute it.
  2. The GandCrab authors also built and maintain a community of distributors, recruiting them and providing technical support, so the barrier to using it is lower than for other major ransomware families.
  3. GandCrab has also gained "visibility" from recent news events (such as this month's widely reported case in which a Syrian father posted a plea for help on Twitter after photos of his deceased son were encrypted by GandCrab), and that attention attracts other criminals looking for a tool.

Figure 3. Ransomware feedback distribution in October

Windows 7 still accounts for the largest share of infected systems.

Figure 4. Statistics of infected systems in October

Comparing infected systems in September and October shows that the proportion of infected servers continued to rise in October. The share of infections on servers has risen month by month in recent months, not only because servers are more valuable targets, but because more services are deployed on them and their exposure is greater; attacks on servers remain at a high level.

Figure 5. Comparison of infected systems in September and October

The latest on ransomware

As mentioned above, the spread of both the Crysis and GlobeImposter families decreased this month, but both families are still releasing new variants, so protection against weak passwords still needs attention. This month Crysis added the suffixes XXXX and BETTA, and GlobeImposter added the suffixes Help4444 and crypted_bizarrio@pay4me_in.

Family           Suffixes used this month
Crysis           COMBO, GAMMA, BIP, BGTX, XXXX, BETTA
GlobeImposter    Dragon4444, Snake4444, Horse4444, Rooster4444, Help4444, ALCO, ROCK, crypted_bizarrio@pay4me_in, ZYX, {[email protected]}MG

Table 1. Suffixes used by the Crysis and GlobeImposter families this month
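As an added example (not part of the original report and not 360's tooling), the following Python uses the suffix table above to triage a compromised host: it walks a directory tree, attributes encrypted files to a family by their final extension, and, for Crysis-style names, pulls out the victim id and attacker contact address. The `<name>.id-<hex>.[<email>].<suffix>` naming pattern is an assumption from general knowledge of Crysis/Dharma rather than something the report states, and the sample files are constructed.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

# Suffix table from this report (October 2018), family -> suffixes.
# The GlobeImposter "{...}MG" suffix contains an address that is not
# readable in this copy of the report, so it is left out here.
FAMILY_SUFFIXES = {
    "Crysis": ["COMBO", "GAMMA", "BIP", "BGTX", "XXXX", "BETTA"],
    "GlobeImposter": ["Dragon4444", "Snake4444", "Horse4444", "Rooster4444",
                      "Help4444", "ALCO", "ROCK", "crypted_bizarrio@pay4me_in", "ZYX"],
}
# Case-sensitive on purpose: "song.rock" is a legitimate lowercase extension,
# "song.mp3.ROCK" is not.
SUFFIX_TO_FAMILY = {s: fam for fam, lst in FAMILY_SUFFIXES.items() for s in lst}

# Assumption (general knowledge, not stated in the report): Crysis/Dharma
# variants usually rename files as <original>.id-<hex id>.[<email>].<suffix>,
# so the victim id and attacker contact address can be read off the name.
CRYSIS_NAME = re.compile(
    r"\.id-(?P<vid>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.(?P<suffix>[^.]+)$")


def classify(path):
    """Return (family, suffix, victim_id, email) for an encrypted file name,
    or None when the final extension matches no suffix in the table."""
    name = os.path.basename(path)
    if "." not in name:
        return None
    suffix = name.rsplit(".", 1)[-1]
    family = SUFFIX_TO_FAMILY.get(suffix)
    if family is None:
        return None
    m = CRYSIS_NAME.search(name)
    if m:
        return (family, m.group("suffix"), m.group("vid").upper(), m.group("email"))
    return (family, suffix, None, None)


def triage(root):
    """Walk a directory tree and summarise encrypted files by family and suffix,
    plus any victim ids / contact addresses embedded in Crysis-style names."""
    counts = Counter()
    ids, emails = defaultdict(set), defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for f in files:
            hit = classify(os.path.join(dirpath, f))
            if hit is None:
                continue
            family, suffix, vid, email = hit
            counts[(family, suffix)] += 1
            if vid:
                ids[family].add(vid)
            if email:
                emails[family].add(email)
    return {
        "counts": dict(counts),
        "ids": {k: sorted(v) for k, v in ids.items()},
        "emails": {k: sorted(v) for k, v in emails.items()},
    }


# Constructed sample tree (not real victim data) mixing Crysis-style names,
# GlobeImposter-style names, an untouched file and a legitimate ".rock" file.
SAMPLE_FILES = [
    "docs/report.docx.id-1A2B3C4D.[someone@example.com].COMBO",
    "docs/budget.xlsx.id-1A2B3C4D.[someone@example.com].COMBO",
    "photos/holiday.jpg.Dragon4444",
    "photos/family.png.Help4444",
    "notes.txt",
    "music/song.rock",
]


def build_sample_tree(root):
    for rel in SAMPLE_FILES:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\x00" * 16)


def demo():
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point `triage()` at the data volumes rather than a temporary directory; the per-family counts give the scope of the encryption, and the extracted id/email pair is what a decryption service or the family's public decryptor will ask for.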

This month, GandCrab spread via RDP peaked on October 22, while GandCrab spread via vulnerability exploitation peaked on October 25.

Figure 6. GandCrab ransomware family spread trend this month

The main reason for the peak on October 25 is that the previous version of the ransomware had been successfully decrypted, and its makers released a new version that day. Users infected with earlier versions of GandCrab can decrypt their files with 360 Decryption Master, which supports all earlier versions up to and including GandCrab V5.0.3.

Figure 7. Decrypting files encrypted by GandCrab

While helping users, we continued to find machines that were infected after the user downloaded cracked software. We remind users again: if anti-virus software flags a downloaded crack as malicious, do not take the risk of running it anyway, because it very likely contains a Trojan. Figure 8 shows a typical download page used to lure users into running GandCrab. It encrypts the user's files, and the latest version of GandCrab cannot currently be decrypted.

Figure 8. A typical lure download page for GandCrab ransomware

In addition, according to data monitored by the 360 Protection Center, Satan ransomware has been updated to V4.2; the latest version adds exploitation of CVE-2018-2894 (WebLogic arbitrary file upload vulnerability) as a means of spreading.

Figure 9. Exploitation of CVE-2018-2894

Statistically, Satan broke out on October 15 and peaked on October 27. After analyzing samples of the latest version, 360 security researchers found that its encryption can be broken, and released a decryption tool for Satan V4.2 on October 22.

Figure 10. Trends in the spread of Satan

This month we also observed a new ransomware called Sicck. It demands Bitcoin from the user to decrypt files, but its ransom-note generation is flawed: the ransom note is only written successfully when the ransomware runs with administrator privileges.

Figure 11. Sicck ransom note

Analysis of Sicck found that it skips certain folders when encrypting the user's files, including 360-related folders, which suggests it is a domestic (Chinese-made) ransomware.

Figure 12. Sicck ransomware analysis

Attacker information

The following are the contact email addresses used by ransomware attackers in October:

crypted_bizarrio@pay4me_in
crypted_marztoneb@tutanota_de
eight1.hundred
minotaur0428blaze.it
crypted_okumura@firemail
(the remaining addresses in this table are not readable in this copy of the report)

Table 2. Attacker mailboxes

Data protection

According to the distribution of attacked systems, Windows Server 2003 accounts for the largest share of attacked server versions, followed by Windows Server 2008 and then Windows Server 2012. We advise against running an unsupported operating system; upgrade to a current version, which provides better security protection.

Figure 13. Distribution of attacked systems in October

The following is the distribution map of attacked regions, based on sampled attacked IPs in October. Compared with previous months, there is no significant difference in the ranking or proportion of the regions: regions with advanced information technology industries remain the main targets.

Figure 14. Distribution of attacked areas in October

Comparing weak-password attack trends in September and October, the number of attacks against RDP is rising: the daily peak was over 4 million in September and over 6 million, approaching 7 million, in October. The number of attacks against MySQL dropped significantly: the daily peak was nearly 20 million in September but just over 1 million in October.

Figure 15. Trend of attack types

Conclusion

Ransomware attacks against servers have become a major direction of current ransomware activity. Enterprises need to strengthen their information security management, especially around weak passwords, vulnerabilities, file sharing and remote desktop management, in order to deal with the ransomware threat. Once again, some suggestions:

  • Do not use the same account and password across multiple machines; passwords should have sufficient length and complexity, and login passwords should be changed regularly;
  • Apply access control to important data and keep good backups;
  • Close non-essential services and ports, check for system and software security updates regularly, and install patches promptly;
  • Install professional security software on servers, periodically check the server's security status (including account information, Windows logs and security-software logs), and handle anomalies as soon as possible.