Malware in the media – May’s lesson

Month after month, our Real-World Protection Tests show an increase in ransomware prevalence. For people following the security industry, this is no surprise, since many security vendors (e.g. Adaware and Avast) have been predicting this.

The “star” of this month’s media attention was WannaCry. The high media coverage was caused not only by its massive outbreak in over 150 countries in a few days (according to CrowdStrike), but also because it has all the elements of an exciting 007 movie: a plot with a national security agency causing the problem (Emsisoft: “WannaCry outbreak caused by NSA exploits”); a conspiracy theory with an evil organization (The Shadow Brokers), possibly connected to a rogue nation (Symantec: “WannaCry attack shows strong links with North Korean Lazarus Group”); a young hero (22-year-old Marcus Hutchins, AKA MalwareTech) saving the world from further damage by activating the built-in kill switch by the quick registration of an internet domain name.

Despite all the media attention, it was not WannaCry but the Jaff ransomware that affected the most victims in May (eScan: “Ransomware variants vying for top slot”). Jaff ransomware is often delivered through spam emails containing a PDF attachment. When the attachment is opened, an embedded Word document with macros is started. If the user ignores the macro warning and lets the macros run, a copy of the actual ransomware is downloaded and executed.
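The delivery chain described above (PDF attachment carrying an embedded, macro-enabled Word document) can be spotted at the mail gateway before any macro warning is ever shown. The following is an added example, not code from the original article: it builds a constructed sample PDF with an embedded OOXML document, pulls out the embedded file streams, and flags any that contain a VBA project. The sample PDF is deliberately minimal (one uncompressed embedded file with a direct /Length), so the regex-based extraction is an assumption that does not cover compressed or indirect-length streams.

```python
import io
import re
import zipfile

# Constructed sample: an OOXML zip shaped like a Word document; with_macro=True
# adds the VBA container that a macro-enabled .docm carries.
def build_sample_docm(with_macro: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # macro container
    return buf.getvalue()

# Constructed sample: a minimal, uncompressed PDF with one embedded file.
def build_sample_pdf(payload: bytes, name: str = "invoice.docm") -> bytes:
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Filespec /F (" + name.encode() + b") /EF << /F 2 0 R >> >> endobj\n"
        b"2 0 obj << /Type /EmbeddedFile /Length " + str(len(payload)).encode()
        + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n%%EOF\n"
    )

# Assumes a direct /Length value and an unfiltered stream (the sample above).
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile.*?/Length\s+(\d+).*?stream\r?\n", re.S)

def extract_embedded_files(pdf: bytes) -> list:
    """Return the raw bytes of every /EmbeddedFile stream found in the PDF."""
    out = []
    for m in EMBEDDED_RE.finditer(pdf):
        length = int(m.group(1))
        out.append(pdf[m.end():m.end() + length])
    return out

def is_macro_office_doc(blob: bytes) -> bool:
    """True if the blob is an OOXML zip that carries a VBA project (macros)."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)

def triage_pdf(pdf: bytes) -> dict:
    """Summarise embedded files and flag the PDF if any embeds a macro document."""
    embedded = extract_embedded_files(pdf)
    macro_docs = [b for b in embedded if is_macro_office_doc(b)]
    return {"embedded_files": len(embedded),
            "macro_office_docs": len(macro_docs),
            "suspicious": bool(macro_docs)}
```

A gateway rule built on this check quarantines the message regardless of whether the user would later click through the macro warning.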

Safe computing habits and an updated system with an antivirus program will protect against most ransomware attacks. The infection statistics for the recent WannaCry outbreak clearly illustrate the importance of an updated security product and operating system. Contrary to initial belief, it was not Windows XP but Windows 7 systems that were worst hit by the WannaCry ransomware (98% of cases, according to Kaspersky Lab’s Costin Raiu).

Whilst Microsoft’s inclusion of basic antivirus protection in Windows 8.1 and 10 is in principle commendable, there are a couple of areas of possible concern which should be noted. Firstly, the same name (Windows Defender) is used for the antispyware-only program in Windows 7 as for the full antimalware program in Windows 8.1/10; some security researchers think that security-unaware PC users may believe their Windows 7 systems are fully protected without additional antivirus software, which they are not. Secondly, as ESET point out (based on Microsoft data), a monoculture of security software would make far more systems vulnerable, as attackers would only have to work out how to bypass a single antivirus program.