Q: In the report’s timeline for 2017’s biggest ransomware attacks, we see that NotPetya peaked strong and then fizzled. Why is this?
A: NotPetya was initially distributed via a Ukrainian accounting software package, limiting its geographic impact. It was able to spread via the EternalBlue exploit, just like WannaCry. But because WannaCry had already infected most exposed machines, there were few left unpatched and vulnerable.
Q: WannaCry continued to linger for the second half of 2017. Why?
A: The noise we see from WannaCry is reminiscent of worms of yesteryear. They have a large bark with little bite. After initially spreading around the globe, they run out of unpatched victims to infect, but they don’t know that. They keep scanning and attacking, triggering antivirus detections, but not really continuing to cause harm; it is just background radiation.
Q: How has Cerber remained so strong over the years, and why?
A: Cerber is higher-quality code than we often see in malware, and the incredible profits seem to be motivating its authors to continue to duck and dodge security products to keep the cash flowing in.
Q: We talk in the report about malware distributed on the Dark Web. In recent months we’ve seen how cybercriminals’ tactics can come back to haunt them. What’s going on here?
A: After years of doing criminal business in the open on the Dark Web, the bad guys have gotten careless with their operational security. Increasingly, we see mistakes leading to the uncloaking of some of the most infamous handles online. There have been many arrests and takedowns this year, like Hansa Market and AlphaBay, and I expect that will continue into 2018. The police have figured out how to work in these dark corners and are making a mockery of the poor security employed by the crooks.