
Africa's top ransomware families revealed

By Admire Moyo, ITWeb's news editor.
Johannesburg, 23 Nov 2017
While ransomware predominately attacked Windows systems, Android, Linux and MacOS platforms were not immune.

Cyber security vendor Sophos has identified the top ransomware families that affected Africa in 2017.

According to Sophos, the Cerber ransomware accounted for 80% of attacks in Africa, followed by WannaCry (17%), with smaller families such as Jaff (1%), Locky (1%) and Petya (0.5%) making up the rest.

One of the most active kinds of ransomware out there, Cerber encrypts the files of infected users and demands money in exchange for enabling access to their files. It works even if a user is not connected to the Internet, so they can't stop it by unplugging their PC.

Cerber, sold as a ransomware kit on the Dark Web, remains a dangerous threat, says Sophos, adding the creators of Cerber continuously update the code and charge a percentage of the ransom that the "middle-men" attackers receive from victims.

Regular new features make Cerber not only an effective attack tool, but perennially available to cyber criminals, the cyber security firm notes.

"This Dark Web business model is unfortunately working and, similar to a legitimate company, is likely funding the ongoing development of Cerber. We can assume the profits are motivating the authors to maintain the code," says Dorka Palotay, SophosLabs security researcher and contributor to the ransomware analysis in the SophosLabs 2018 Malware Forecast.

Windows vulnerability

WannaCry was a worldwide cyber attack in May 2017 by a ransomware cryptoworm that targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin crypto-currency.

WannaCry also affected a number of South African organisations.

"Looking at the whole world, WannaCry was responsible for 45.3% of the ransomware attacks, while in Africa this value is only 17%," Palotay says.

"In Africa, clearly Cerber was the biggest ransomware threat this year, since 80% of the ransomware lookups were caused by Cerber, while this number is only 44.2% if we look at the whole world. Regarding the smaller families, the results are very similar."

The SophosLabs 2018 Malware Forecast report recaps ransomware and other cyber security trends based on data collected from Sophos customer computers worldwide from 1 April to 3 October 2017.

One key finding shows that while ransomware predominately attacked Windows systems in the last six months, Android, Linux and MacOS platforms were not immune.

"Ransomware has become platform-agnostic. Ransomware mostly targets Windows computers, but this year, SophosLabs saw an increased amount of crypto-attacks on different devices and operating systems used by our customers worldwide," says Palotay.

She notes that for the first time Sophos saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCry.

"This ransomware took advantage of a known Windows vulnerability to infect and spread to computers, making it hard to control.

"Even though our customers are protected against it and WannaCry has tapered off, we still see the threat because of its inherent nature to keep scanning and attacking computers. We're expecting cyber criminals to build upon this ability to replicate as seen in WannaCry and NotPetya, and this is already evident with Bad Rabbit ransomware, which shows many similarities to NotPetya."

Android attacks

Top ransomware families in Africa. (Source: SophosLabs)

Android ransomware is also attracting cyber criminals, the report says. According to SophosLabs' analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.

The SophosLabs report further indicates two types of Android attack methods emerged: locking the phone without encrypting data, and locking the phone while encrypting the data.

It points out that most ransomware on Android doesn't encrypt user data, but the sheer act of locking a screen in exchange for money is enough to cause people grief, especially considering how many times in a single day information is accessed on a personal device.

"Sophos recommends backing up phones on a regular schedule, similar to a computer, to preserve data and avoid paying ransom just to regain access. We expect ransomware for Android to continue to increase and dominate as the leading type of malware on this mobile platform in the coming year," says Rowland Yu, a SophosLabs security researcher and contributor to the SophosLabs 2018 Malware Forecast.
