At the end of every year, our experts analyze the incidents that occurred and name one incident (or a trend) the story of the year. This year they did not have much to debate: 2017 was obviously the year of ransomware. Three ransomware epidemics (WannaCry, ExPetr, and the slightly less famous Bad Rabbit) attracted a lot of attention, but at least one of them only looked like encrypting ransomware.
Note that, although the incidents were sudden and took many users by surprise, our experts predicted the trends back in 2016. Costin Raiu and Juan Andres Guerrero-Saade wrote in Securelist’s forecasts for 2017 that they expected the emergence of ransomware that could “lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
Let’s recall the most important lessons of these attacks.
Malware’s lateral movement
Those epidemics became famous because the malware encrypted not just one computer, but all of the machines on a network. This level of infiltration was possible thanks to the vulnerabilities disclosed in the Shadow Brokers leak.
By the time the epidemics began, however, the patches to prevent them already existed — but a lot of machines didn’t have them yet. Moreover, some intruders are still using those vulnerabilities to this day (and quite successfully, unfortunately).
Lesson 1: Install updates when they become available, especially if they are directly related to security.
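The practical side of Lesson 1 is knowing which machines on the network still lack a security update that has already been released, since those are the ones a self-propagating encryptor will reach. The following is an added example, not code from the original post or from Kaspersky: a small patch-compliance check over a constructed host inventory. The hostnames, OS labels, update identifiers (such as "SEC-2017-001") and release dates are all made-up placeholders, and the inventory format (semicolon-separated fields) is an assumption chosen for the example.

```python
"""
Added example (not from the original post): flag hosts that are missing
security updates which have already been released, so they can be patched
before a network-spreading encryptor reaches them.
Every hostname, OS label, update identifier and date here is a constructed
placeholder, not a real vendor identifier.
"""
from dataclasses import dataclass
from datetime import date

# Released security updates per OS family: update id -> release date.
# Identifiers are constructed placeholders, not real KB or advisory numbers.
REQUIRED_UPDATES = {
    "os-a": {"SEC-2017-001": date(2017, 3, 14), "SEC-2017-002": date(2017, 6, 27)},
    "os-b": {"SEC-2017-003": date(2017, 3, 14)},
}

# Constructed inventory: hostname;os;comma-separated installed update ids.
# Kiosk-style devices are included on purpose: they need patches too.
INVENTORY = """\
fileserver-01;os-a;SEC-2017-001,SEC-2017-002
workstation-17;os-a;SEC-2017-001
info-panel-lobby;os-b;
vending-03;os-b;SEC-2017-003
"""


@dataclass
class Host:
    name: str
    os: str
    installed: frozenset


def parse_inventory(text):
    """Parse the semicolon-separated inventory into Host records."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, os_name, installed = line.split(";")
        ids = frozenset(u for u in installed.split(",") if u)
        hosts.append(Host(name, os_name, ids))
    return hosts


def missing_updates(host, required=REQUIRED_UPDATES, today=date(2017, 12, 1)):
    """Return (update_id, days_since_release) for each required update
    that is not installed on the host, oldest gap first by id."""
    wanted = required.get(host.os, {})
    return sorted(
        (uid, (today - released).days)
        for uid, released in wanted.items()
        if uid not in host.installed
    )


def compliance_report(text, today=date(2017, 12, 1)):
    """Map each non-compliant hostname to its list of missing updates."""
    report = {}
    for host in parse_inventory(text):
        gaps = missing_updates(host, today=today)
        if gaps:
            report[host.name] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in compliance_report(INVENTORY).items():
        for uid, age in gaps:
            print(f"{name}: missing {uid}, patch available for {age} days")
```

The "days since release" figure is the useful number for prioritisation: a machine that has gone months without a published security update is exactly the exposure the 2017 epidemics exploited, and the report treats an information panel no differently from a file server.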
Among the victims of the encryptors were many systems that were completely unprotected from the ransomware, simply because no one thought they needed protection. Some of those systems were information panels and vending machines. Frankly speaking, nothing exists on those systems to encrypt, and no one would pay to decrypt them.
But in those cases, the attackers did not choose