Ransomware that inflicts severe damage on corporate IT systems
Ransomware is indiscriminate in its targets. It is a type of malware that infects smartphones, tablets, computers, and servers and renders the device inaccessible by locking the screen or encrypting its files. To regain access, the victim is told to pay a ransom.
Ransomware began to appear in earnest in Japan around 2013 and the first Japanese language ransomware was confirmed in 2014.
Fig. 1: A sample notification screen that appears on the desktop demanding a ransom be paid after being infected by ransomware (research by Trend Micro)
Once a device is infected by ransomware, it may become inoperable, or important business files such as text documents, spreadsheets, images, and databases may be encrypted. In many cases, victims are forced to recover from backups or reset the device to its default settings. Even if the user gives in and pays the ransom, there is no guarantee that the files will be recovered. The user may even become a target for further attacks, or the payment details the user provided could be used for malicious purposes. As a result, an infection can inflict significant damage on system operations and adversely impact the business.
In 2016, a record-breaking increase in ransomware was confirmed worldwide. In Japan, both the number of devices on which ransomware was detected and the number of reported cases were the highest ever. Cybercriminals are increasingly and actively using ransomware in their moneymaking schemes.
Figure 2. Number of ransomware detections in Japan
Figure 3. Number of reported ransomware infections in Japan
As indicated in Figure 3, which illustrates the reported cases of ransomware, the threat is especially severe for enterprises.
Trend Micro surveyed 534 people who make IT-related decisions in enterprises and organizations, or who are involved in that process. The results showed that 25.1% (134 people) had experienced a ransomware attack at their workplace, confirming that approximately one out of every four companies has been attacked by ransomware.
Ransomware that affects enterprise systems has been observed since 2015. Ransomware that targets enterprises encrypts not only the infected device but also all the drives mounted on it. It can also search for shared folders on the network and encrypt those files as well. Some ransomware has also been seen destroying backups on servers and spreading through the organization’s network in the manner of a typical targeted attack.
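The enterprise behaviour described above (bulk encryption across local drives and network shares, plus deletion of backups) is what file-activity monitoring is built to catch. The following is an added detection example written for this page; it is not code from the article or from Trend Micro. It parses a constructed file-system audit log (the format, host names, process name `upd.exe` and extension `.crypt` are all made up for the sample) and raises an alert when one process renames many files to a single new extension across several volumes or shares within a short window, or deletes anything under a path that looks like a backup location.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (illustrative only; not from the article). One event per line:
# <ISO timestamp> <host> <process> <WRITE|RENAME|DELETE> <path>[ -> <new path>]
SAMPLE_LOG = """\
2016-11-02T09:00:00 WS01 winword.exe WRITE C:\\Users\\tanaka\\report.docx
2016-11-02T09:00:01 WS01 winword.exe WRITE C:\\Users\\tanaka\\notes.docx
2016-11-02T09:10:00 WS01 upd.exe RENAME C:\\Users\\tanaka\\report.docx -> C:\\Users\\tanaka\\report.docx.crypt
2016-11-02T09:10:01 WS01 upd.exe RENAME C:\\Users\\tanaka\\notes.docx -> C:\\Users\\tanaka\\notes.docx.crypt
2016-11-02T09:10:02 WS01 upd.exe RENAME D:\\Finance\\budget.xlsx -> D:\\Finance\\budget.xlsx.crypt
2016-11-02T09:10:03 WS01 upd.exe RENAME \\\\fileserver\\share\\contract.pdf -> \\\\fileserver\\share\\contract.pdf.crypt
2016-11-02T09:10:04 WS01 upd.exe RENAME \\\\fileserver\\share\\plan.pptx -> \\\\fileserver\\share\\plan.pptx.crypt
2016-11-02T09:10:05 WS01 upd.exe WRITE \\\\fileserver\\share\\READ_ME.txt
2016-11-02T09:10:06 WS01 upd.exe DELETE \\\\backupsrv\\Backups\\WS01-full.vhd
2016-11-02T09:30:00 WS01 explorer.exe RENAME C:\\Users\\tanaka\\draft.txt -> C:\\Users\\tanaka\\final.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME|DELETE) (.+)$")


def parse_events(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, host, proc, op, rest = m.groups()
        if op == "RENAME" and " -> " in rest:
            src, dst = rest.split(" -> ", 1)
        else:
            src, dst = rest, None
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "proc": proc, "op": op, "src": src, "dst": dst})
    return events


def volume_root(path):
    """Return the drive letter or UNC share a path lives on, so local and network targets are counted separately."""
    m = re.match(r"^(\\\\[^\\]+\\[^\\]+)", path)  # \\server\share
    if m:
        return m.group(1)
    m = re.match(r"^([A-Za-z]:)", path)            # C:, D:, ...
    return m.group(1) if m else "?"


def new_extension(src, dst):
    """Extension the file gained in a rename, or None if the extension did not change."""
    s_ext = ntpath.splitext(src)[1].lower()
    d_ext = ntpath.splitext(dst)[1].lower()
    return d_ext if d_ext and d_ext != s_ext else None


def detect_mass_rename(events, window=timedelta(seconds=60), min_files=4, min_roots=2):
    """Alert when one process gives many files the same new extension across several volumes within `window`."""
    alerts = []
    per_key = defaultdict(list)
    for e in events:
        if e["op"] != "RENAME" or e["dst"] is None:
            continue
        ext = new_extension(e["src"], e["dst"])
        if ext:
            per_key[(e["host"], e["proc"], ext)].append(e)
    for (host, proc, ext), evs in per_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            roots = {volume_root(e["src"]) for e in burst}
            if len(burst) >= min_files and len(roots) >= min_roots:
                alerts.append({"type": "mass_rename", "host": host, "process": proc,
                               "extension": ext, "files": len(burst), "roots": sorted(roots)})
                break  # one alert per process/extension is enough
    return alerts


def detect_backup_tampering(events):
    """Alert on any deletion under a path that looks like a backup location (simple keyword match)."""
    return [{"type": "backup_delete", "host": e["host"], "process": e["proc"], "path": e["src"]}
            for e in events if e["op"] == "DELETE" and "backup" in e["src"].lower()]


def analyze(log_text):
    events = parse_events(log_text)
    return detect_mass_rename(events) + detect_backup_tampering(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, the ordinary `winword.exe` writes and the single `explorer.exe` rename (same `.txt` extension) produce nothing, while `upd.exe` trips the mass-rename rule with five files across `C:`, `D:` and `\\fileserver\share`, and the deletion on `\\backupsrv` trips the backup rule. The thresholds and the `"backup"` keyword are assumptions to tune per environment; the point is that spanning local drives and network shares is itself a signal worth weighting.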
It is also necessary to understand ransomware’s infection vectors. Ransomware mainly uses email and URLs to attempt infection. According to the Trend Micro roundup, nearly 80% of all ransomware detected in 2016 arrived by email. Most of these were indiscriminate attacks on unspecified targets; however, a small number of cases in Japan were specialized, that is, targeted at specific enterprises.
The confirmed targeted email attacks shared several common traits: the emails were written in Japanese and sent only to a limited number of enterprise users; the malware was not attached to the email directly, but the recipients were tricked into downloading it from cloud storage; and the ransomware used had not previously been identified in Japan. This raises concerns that targeted ransomware attacks will become more common from now on.
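The traits just listed (no attachment, a link to cloud storage, a "tool" offered for download) can be turned into a mail-gateway triage rule. The following is an added example written for this page, not code from the article or from Trend Micro. The two messages, the cloud-storage host list and the extension list are all constructed; in a real deployment the host and extension lists would come from policy and the rule would sit alongside URL reputation and sandboxing rather than replace them.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed policy lists (assumptions for this example, not from the article).
CLOUD_STORAGE_HOSTS = {"drive.example-cloud.test", "share.example-storage.test"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".rar", ".7z"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed lure message modelled on the traits described in the text.
SAMPLE_LURE = """\
From: support@example.test
To: user@corp.example
Subject: Notice: malware removal tool
Content-Type: text/plain; charset=utf-8

Your PC was found to be infected. Please download the removal tool here:
https://drive.example-cloud.test/files/remover.zip
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: hr@corp.example
To: user@corp.example
Subject: Updated travel policy
Content-Type: text/plain; charset=utf-8

The revised policy is on the intranet: https://intranet.corp.example/policy.pdf
"""


def extract_urls(msg):
    """Collect URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(text))
    return urls


def has_attachment(msg):
    return any(part.get_filename() for part in msg.walk())


def triage(raw_message):
    """Score a raw RFC 822 message against the link-based delivery pattern; return verdict and reasons."""
    msg = message_from_string(raw_message)
    reasons = []
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        ext = os.path.splitext(parsed.path.rsplit("/", 1)[-1])[1].lower()
        if host in CLOUD_STORAGE_HOSTS:
            reasons.append(f"link to cloud storage host {host}")
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"cloud storage link serves a {ext} file")
    if reasons and not has_attachment(msg):
        reasons.append("no attachment; payload offered by link instead")
    # Quarantine only when a cloud link points at a risky file type, not on the host alone.
    return {"quarantine": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
    print(triage(SAMPLE_BENIGN))
```

The lure is quarantined on three reasons (cloud-storage host, archive download, no attachment); the intranet PDF link triggers none. Requiring at least two reasons keeps a plain link to a file-sharing site from being blocked by itself, since legitimate partners use such services too.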
Figure 4. The trend of the confirmed string of Japanese emails that targeted enterprise users in October and November of 2016 (research by Trend Micro)
Figure 5. A sample of a PDF file attached to Japanese emails that targeted enterprise users in October and November of 2016 (the email urges users to download ransomware by claiming it is a “malware removal tool”)
Web-based ransomware infection, on the other hand, occurs when cybercriminals lure users to legitimate websites run by enterprises and organizations that have been tampered with, or abuse web advertising to display malicious advertisements. If the user’s device is not appropriately patched, such attacks can exploit vulnerabilities and infect the device with ransomware even though the user was only browsing the website.
Video: How ransomware infection occurs through malicious advertisements (Trend Micro Official YouTube Channel)