Computer Security Technology Ltd

+44 (0)20 7621 7836 LinkedInTwitter

+44 (0)20 7621 7836 CSTL LinkedInCSTL Twitter

July 27, 2016

Huge surge in Android ransomware attacks

Kaspersky reports that ransomware attacks are on the rise with almost four times as many Android devices subjected to attempted attacks between 2015 and 2016 than between 2014 and 2015.

Ransomware attacks are rising in popularity, it seems, as almost four times as many Android devices were subjected to attempted attacks between 2015 and 2016 than between 2014 and 2015, according to Kaspersky Lab.

The figures only apply to devices running Kaspersky Lab’s security software, and it is not known how many of the attacks were actually successful. Between April 2015 and March 2016, some 136,532 Android devices fought off ransomware attacks at least once. In comparison, just 35,413 gadgets were unsuccessfully targeted over the same period in 2014 – 2015.

Traditionally, it’s PCs that are targeted by ransomware attackers, but the figures could indicate that mobile phone users will need to be just as cautious of possible attacks.

Attacks are rising because victims are willing to pay

Ransomware attacks can be hugely profitable for hackers. Once the device is broken into, the attacker locks the user’s files and issues a ransom, which usually states that if the user doesn’t pay up, the files will be deleted. Unfortunately, a lot of victims give in and pay – this is likely the reason the number of such attacks is rising at such a pace.

Kaspersky Lab states that there are many reasons ransomware is on the rise, including the fact that people are often willing to pay up. Many people don’t report the crime to the police, making it difficult for any prosecutions to be made. As the crime isn’t commonly reported, justifying launching an investigation is hard too, and forensics experts are left with little evidence to work with.

According to Kaspersky Lab, the vast majority (90 per cent) of attempted attacks could be contributed to four families of malware: Svpeng, Fusob, Pletor and Small. Moreover, users living in Germany, Canada and the United Kingdom are the most likely to be attacked by ransomware compared with any other type of malware. Some 23 per cent of German users almost fell victim to ransomware, as did 19 per cent of Canadians and 16 per cent of Brits.

Avoid becoming a victim of ransomware

There are three simple measures that all users should be taking in order to avoid becoming a victim of ransomware and other malicious software.

First of all, you should implement an email filtering software to sift out the majority of dodgy emails and their attachments. Secondly, stop opening suspicious files from email addresses you do not recognise. Third of all, you should install an anti-virus solution and keep it up to date – not doing the latter could mean newer malware slips through the net.

The key is undoubtedly to be extra vigilant, revisit and tweak existing defences to ensure they are optimised and maybe consider advanced detection to deal with these new threats.

Similarly we have observed a spike in email threats that don’t have an overt payload, making it almost impossible for Antivirus scanner to detect. Here’s a walkthrough of one such recent threat:

An email is sent with a subject line “URGENT - Statement of Account - Invoice overdue”. It has an attachment that’s a spreadsheet, the spreadsheet looks to be list of invoices that have nothing to do with the recipient or their business. Thinking it’s a simple mistake the email is closed and forgotten. However, the spreadsheet contained a simple macro to make a web call to a legitimate web site and download a file. The download is undertaken using HTTPS (TLS) to encrypt the communication and bypass gateway content controls. Worth noting is that the legitimate web site has been compromised without the Web Master of the site realising they are now harbouring such content and hence web site categorisation lists used to ensure safe browsing are made worthless.

So why was the spreadsheet not blocked by the email anti-malware scanner? Because it did not actually contain malware, rather it had a macro that is legitimately supported in most MS applications. In Summary, a dangerous file has now bypassed email and web perimeter controls and has been delivered to the endpoint. The result is that the last line of protection depends on the endpoint defence being robust and adequate (reasons why it may not be: does the endpoint have AV, is it active, is it optimised to detect advanced threats, are the signature library is up-to-date). Disturbingly, even if these controls are all in place, if the payload file is a variant such as non-replicating utility that encrypts files, then the AV scanner can mistakenly deem the file as legitimate rather than a threat. The final chapter of this walk through, is that at some later time the original recipient receives a message stating that their files been encrypted, and they need to make a bit-coin payment ransom payment!

Do you want to know more about these and similar risks, and what you can do to protect against them? Please call or email us: or tel 020 7621 7836.

CST awarded ‘Cyber Essentials Plus’ certification body status - we can help you achieve Cyber Defence recognition.
Cyber Essentials aims to help organisations implement fundamental levels of protection against cyber-attack, demonstrating to their customers that they take cyber security seriously. We can assist with the advice, and can undertake assessment to award you Cyber Essentials plus certification.