Qihoo 360’s precise analysis of ransomware for August [source: 360totalsecurity]
by CIRT Team
Ransomware poses a serious threat to the data security of enterprises and individuals. Fortunately, 360 Internet Security Center detects and defends against ransomware as soon as it appears. According to feedback from our users, the number of users attacked by ransomware showed a slight upward trend in August. In addition, the highest number of single-day interceptions of weak-password attacks reached more than 6 million, which is 200 million times higher than the previous month.
The 2018 statistics on ransomware infections show that the number of infected users rose slightly from July to August, owing to the new appearance of the KEYPASS, ACCDFISA, and ONI families. At the same time, the number of users infected with GlobeImposter also grew dramatically after mid-August.
Our users' feedback data for August 2018 shows that the number of ransomware infections spread through software vulnerabilities and system vulnerabilities decreased significantly. Hackers still treated victims' exposed RDP (Remote Desktop Protocol) as their first choice for spreading ransomware. To attack victims over RDP, hackers mainly exploited the negligence of server administrators who set weak passwords on server accounts. Although weak passwords are commonly chosen to make logging in easier, they leave a door wide open for hackers to launch attacks.
After analyzing the data for August, we found that in mid-to-late August, two large increases in the number of ransomware infections were caused by outbreaks of the GlobeImposter family.
In the analysis of infected systems, the infection volume of Windows 7 is still by far the largest.
Compared with the previous month, however, the share of server systems among infected systems increased from 10% to 22% between July and August. A compromised server commonly means that many other machines in the enterprise are also at risk. There are two main reasons that enterprise servers get infected. The first is shared folders opened within the enterprise without proper rights management. The second is machines with Remote Desktop Protocol enabled on the intranet. Server security is important, and the increase in the proportion of infected servers means that the risk from ransomware is much higher.
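As an added example that is not part of the 360 report or this summary: the Python detection logic below flags the RDP password-guessing bursts that the report names as the main infection vector (weak passwords on exposed or intranet RDP), by grouping Windows Security failed-logon events (Event ID 4625, LogonType 10) per source address and noting whether a successful logon (Event ID 4624) followed. The log records are constructed for the example in a simplified key=value form, not the real EVTX/XML layout.

```python
# Detection of RDP password-guessing bursts from Windows Security log records.
# Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive (RDP). The records below are constructed for this example
# in a simplified key=value form, not the real EVTX/XML layout.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy external source, one user who mistyped once.
SAMPLE_LOG = """\
2018-08-20T03:00:01 EventID=4625 LogonType=10 Account=administrator IpAddress=203.0.113.7
2018-08-20T03:00:03 EventID=4625 LogonType=10 Account=admin IpAddress=203.0.113.7
2018-08-20T03:00:05 EventID=4625 LogonType=10 Account=sqlsvc IpAddress=203.0.113.7
2018-08-20T03:00:06 EventID=4625 LogonType=10 Account=backup IpAddress=203.0.113.7
2018-08-20T03:00:08 EventID=4625 LogonType=10 Account=administrator IpAddress=203.0.113.7
2018-08-20T03:00:09 EventID=4624 LogonType=10 Account=administrator IpAddress=203.0.113.7
2018-08-20T09:15:00 EventID=4625 LogonType=10 Account=jdoe IpAddress=192.0.2.44
2018-08-20T09:15:20 EventID=4624 LogonType=10 Account=jdoe IpAddress=192.0.2.44
"""

def parse(line):
    """Split one record into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def rdp_guess_bursts(log, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (failures, distinct_accounts, account_logged_in_after)} for
    every source with at least `threshold` RDP failures inside `window`."""
    fails, accounts, success = defaultdict(list), defaultdict(set), {}
    for line in log.splitlines():
        r = parse(line)
        if r["LogonType"] != "10":      # only RemoteInteractive (RDP) logons
            continue
        ip = r["IpAddress"]
        if r["EventID"] == "4625":
            fails[ip].append(r["ts"])
            accounts[ip].add(r["Account"])
        elif r["EventID"] == "4624" and ip in fails:
            success[ip] = r["Account"]  # success after failures: likely guessed
    hits = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = (len(times), len(accounts[ip]), success.get(ip))
                break
    return hits
```

A source that fails against several distinct accounts and then succeeds is the pattern to escalate first, since it matches a weak-password guess that landed.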