What to do if your company is attacked

Statement

This article contains study notes on the 2018 ransomware white paper for government and enterprises. The notes are compiled and shared in the hope that more people will benefit. If there is any infringement, please contact us promptly.

Analysis of Government and Enterprise Encountering Extortion Attacks

Because attackers are more likely to obtain a ransom from infected government and enterprise customers, and ransomware itself mainly targets servers, government and enterprise customers were attacked particularly aggressively by ransomware in 2018, and all walks of life were attacked indiscriminately.

Attack power

The data in this section comes from Qi Anxin Enterprise Security public cloud security monitoring data (only including domestic and excluding WannaCry data), with the daily attacked terminal as the basic research unit, and the ransomware that can be killed locally is not included in the statistics.

Abstract: Ransomware attacks on government and enterprise units are mainly based on single-point testing, and 79.8% only try to attack one terminal.

Among the ransomware attack incidents encountered by government and enterprise units, incidents that targeted only one terminal in a single day accounted for 79.8% of the total, and only 0.6% of the attack incidents targeted more than 50 terminals in total.


Abstract: Units in the government industry are most vulnerable to ransomware attacks, accounting for 21.0% of the total number of units attacked.

Among the government and enterprise units that were attacked by ransomware, the number of government units was the largest, accounting for 21.0% of the total number of attacked units; followed by health and energy units, accounting for 12.1% and 8.8% respectively.


Abstract: Terminals in the financial industry are most vulnerable to ransomware attacks, accounting for 31.8% of the total number of attacked terminals.

Among government and enterprise terminals that were attacked by ransomware, financial industry terminals made up the largest share, accounting for 31.8% of the total number of attacked terminals; followed by government and energy terminals, accounting for 10.4% and 9.0% respectively.


Infection analysis

The data in this section comes from the emergency response requests received by Qi Anxin Terminal Security Laboratory after government and enterprise units were infected with ransomware. The overall infection range of government and enterprise users has reached a record high, which can be said to be an unprecedented impact.

Abstract: May is the peak of ransomware infection in government and enterprise units, and its value is 5.3 times that of the lowest point.

In 2018, the peak of ransomware infection in government and enterprise units occurred in May, and the lowest point occurred in February. The number of units infected with ransomware in the peak month was 5.3 times that of the lowest point.


Abstract: Government units are the hardest-hit areas infected with ransomware, accounting for 24.1% of the total number of infected government and enterprise units.

Among the government and enterprise units infected by ransomware, government units accounted for the highest proportion, accounting for 24.1% of the total number of infected government and enterprise units; followed by health and public security units, accounting for 14.9% and 7.2% respectively.


Abstract: GlobeImposter is the most difficult to prevent; 34.0% of the victimized government and enterprise units have been infected with this ransomware.

Among government and enterprise units infected with ransomware, 34.0% were infected with GlobeImposter, 22.0% were infected with GandCrab, 17.6% were infected with Crysis, 10.1% were infected with Satan, and 7.5% were still infected with WannaCry.


Abstract: The four major ransomware viruses all tend to infect the government industry, while WannaCry infections are relatively evenly distributed.

GlobeImposter infected government units the most, accounting for 29.6% of the total number of infected government and enterprise units, followed by the health industry at 16.7%. GandCrab infected government units the most, accounting for 28.6% of the total number of infected government and enterprise units, followed by the public security law industry at 11.4%. Crysis infected government units the most, accounting for 25.0% of the total number of infected government and enterprise units, followed by the health industry at 21.4%. Satan infected government units the most, accounting for 25.0% of the total number of infected government and enterprise units, followed by the health industry at 18.8%. WannaCry infections are relatively evenly distributed.


Forecast on the development trend of ransomware

In 2018, the impact and harm of ransomware attacks reached a new height, especially the attacks on servers, which brought unprecedented impact to the majority of government and enterprise users. Qi Anxin Terminal Security Lab predicts that in 2019, the threat of ransomware virus will still lead the list of virus threats.

The following is a forecast analysis of the future development trend of ransomware from different aspects.

Keeping pace with vulnerability development

In 2018, apart from Satan, which used many web application vulnerabilities to spread, GandCrab was the most technologically aggressive. 0896 and other exploit techniques.

More ways to spread

In 2018, in addition to the conventional model, a new method of spreading ransomware through USB flash drive worms appeared. Ransomware was also spread through the software supply chain this year, causing a large number of users to be attacked in a short period of time. We expect that the means of spreading ransomware will continue to expand in 2019.

Attack Surface and Target Expansion

The RushQL Oracle database ransomware that appeared in 2016 was revived in 2018. The biggest difference between this virus and other ransomware is that it only destroys the structure of the database instead of encrypting disk files, which makes it a typical database attack. We expect that the targets of ransomware attacks will continue to expand in 2019, and that various operating systems and applications will become targets of ransomware attacks.

The types of devices being attacked continue to expand

In the past, ransomware mainly attacked PCs, servers, and some mobile devices. In the future, industrial control devices, embedded devices, and IoT devices may all be at risk of ransomware attacks.

Further reading

More content can be found in the 2018 Ransomware White Paper for Government and Enterprise.


Source: blog.csdn.net/maoguan121/article/details/128952121