The share of ransomware attacks targeting business users rose to 26% in 2017, even as the number of new families discovered fell sharply, according to new stats released this week by Kaspersky Lab.
The Russian AV firm claimed that 26.2% of attacks over the past year were aimed at corporates, with just over 4% targeting SMBs.
This would seem to represent just a small increase from the 22.6% of attacks aimed at business users in 2016. However, the vendor said these figures didn’t include the three mega ransomware worm campaigns of WannaCry, NotPetya (ExPetr) and BadRabbit.
There are other signs of an evolution in the ransomware landscape: the number of new malware families discovered by Kaspersky Lab dropped from 62 last year to just 38 in 2017.
However, it appears that cyber-criminals are instead modifying existing strains in order to bypass security filters: the number of mods grew from 54,000 last year to 96,000 this year.
Ransomware remains a serious threat to organizations, with two-thirds (65%) of those hit claiming to have lost a “significant” amount or even all of their data. Even the 29% that managed to decrypt their data said they lost a “significant” number of files.
Over a third (36%) ignored the advice of police and security experts and paid the ransom, but one in six never managed to recover their data.
There are also signs that ransomware is having a longer-lasting impact on the victim organization: 34% claimed they took a week or longer to recover from such an incident, versus 29% in 2016.
“The headline attacks of 2017 are an extreme example of growing criminal interest in corporate targets. We spotted this trend in 2016, it has accelerated throughout 2017, and shows no signs of slowing down,” argued senior malware analyst, Fedor Sinitsyn.
“Business victims are remarkably vulnerable, can be charged a higher ransom than individuals and are often willing to pay up in order to keep the business operational. New business-focused infection vectors, such as through remote desktop systems are not surprisingly also on the rise.”
This vector became increasingly popular in 2017, used to spread Crysis, Purgen/GlobeImposter and Cryakl ransomware variants, among others.
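An added example, not from the article or from Kaspersky, of the check a defender would run for the remote desktop vector described above: correlate Windows Security log events 4625 (logon failed) and 4624 (logon succeeded, logon type 10 = RemoteInteractive) by source address, and alert when a success follows a burst of failures from the same address. The events below are a constructed log extract using RFC 5737 documentation addresses; the failure threshold and the time window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    time: datetime
    event_id: int    # 4624 = logon succeeded, 4625 = logon failed
    logon_type: int  # 10 = RemoteInteractive (RDP); with NLA on, failed RDP attempts usually log as type 3
    user: str
    src_ip: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed Security log extract (not from any real incident).
EVENTS: List[LogonEvent] = (
    [LogonEvent(_t(f"2017-09-14T02:10:{s:02d}"), 4625, 3, "administrator", "198.51.100.7")
     for s in range(0, 30, 3)]                                                             # ten failures in 30 s
    + [LogonEvent(_t("2017-09-14T02:10:41"), 4624, 10, "administrator", "198.51.100.7"),  # then a success
       LogonEvent(_t("2017-09-14T08:00:00"), 4624, 10, "alice", "10.0.0.5"),               # ordinary logon
       LogonEvent(_t("2017-09-14T08:05:00"), 4625, 10, "bob", "10.0.0.6"),                 # a single typo
       LogonEvent(_t("2017-09-14T08:05:20"), 4624, 10, "bob", "10.0.0.6")]
)


def detect_rdp_bruteforce(events: List[LogonEvent], min_failures: int = 5,
                          window: timedelta = timedelta(minutes=15)) -> List[Dict[str, object]]:
    """Alert on a successful RDP logon preceded by at least min_failures failures
    from the same source address inside the window (threshold and window are assumptions)."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4625 and ev.logon_type in (3, 10):
            recent_failures[ev.src_ip].append(ev.time)
        elif ev.event_id == 4624 and ev.logon_type == 10:
            q = recent_failures[ev.src_ip]
            while q and ev.time - q[0] > window:        # drop failures older than the window
                q.popleft()
            if len(q) >= min_failures:
                alerts.append({"src_ip": ev.src_ip, "user": ev.user,
                               "failures": len(q), "logon_at": ev.time.isoformat()})
            q.clear()                                    # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

Event 4625 carries no protocol field, so type-3 failures from a host may also come from SMB or other network logons; keying the alert on the subsequent type-10 success from the same address keeps it specific to RDP. The alert is detection only; the exposure of the remote desktop service itself is what has to be removed.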
However, there was some good news last year, after decryption keys were published for strains including ES-NI, xdata, Petya/Mischa/GoldenEye and Crysis — although the latter was subsequently resurrected.
From SC Magazine – August 17, 2017 – Doug Olenick
A new ransomware called SyncCrypt is using a unique method of downloading the malicious files that makes it very hard for an antivirus program to detect.
SyncCrypt was spotted by Emsisoft researcher xXToffeeXx, Bleeping Computer reported, and is spread via spam emails carrying a .wsf (Windows Script File) attachment. What is unusual, beyond the rarely used .wsf format itself, said Bleeping Computer founder Lawrence Abrams, is that the .wsf downloads an image file with a .zip archive embedded in it, and that archive contains the ransomware.
“This method has also made the images undetectable by almost all antivirus vendors on VirusTotal,” Abrams said.
Whether or not the image is ever opened, the .zip is pulled out of it and its contents, a sync.exe, readme.html and readme.png, are extracted, Abrams said. The good news is that while the image file tends to pass through most antivirus engines, the files inside the .zip are more susceptible to detection, although Bleeping Computer found that the engines on VirusTotal still detected them less than 50 percent of the time.
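An added example, not code from the article or from the researchers it quotes, of the check that catches this delivery trick: parse the image format to find where the image data actually ends, and treat anything after that point as a candidate archive. An image parser stops at the end marker, so a ZIP appended behind it is invisible to a viewer but is still a complete archive. The carrier here is a constructed PNG rather than the JPEG used in the real campaign (PNG chunks are simpler to build by hand), and the ZIP member contents are placeholders; only the member names mirror the ones reported above.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG spec lays out a chunk."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG, constructed here as the carrier image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte 0 + one grey pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def image_end_offset(blob: bytes) -> Optional[int]:
    """Offset just past the last byte the image format accounts for, or None if not PNG/JPEG."""
    if blob.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(blob):
            length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
            pos += 8 + length + 4                # header + payload + CRC
            if ctype == b"IEND":
                return pos
        return None                              # truncated or malformed PNG
    if blob.startswith(b"\xff\xd8"):
        eoi = blob.find(b"\xff\xd9")             # first EOI marker; an embedded thumbnail can end early
        return eoi + 2 if eoi != -1 else None
    return None


def find_appended_archive(blob: bytes) -> Optional[dict]:
    """Report a ZIP archive riding behind the image data; None when the file is only an image."""
    end = image_end_offset(blob)
    if end is None or end >= len(blob):
        return None
    trailer = blob[end:]
    if b"PK\x05\x06" not in trailer:             # no end-of-central-directory record: not a ZIP
        return {"trailer_bytes": len(trailer), "members": None}
    try:
        with zipfile.ZipFile(io.BytesIO(trailer)) as z:
            names: List[str] = z.namelist()
    except zipfile.BadZipFile:
        return {"trailer_bytes": len(trailer), "members": None}
    return {"trailer_bytes": len(trailer), "members": names}


# Constructed samples: a clean PNG, and the same PNG with a ZIP appended whose member
# names mirror those reported for SyncCrypt (the contents are placeholders, not malware).
CLEAN_PNG = build_minimal_png()
POLYGLOT = CLEAN_PNG + build_zip({
    "sync.exe": b"MZ" + b"\x00" * 62,
    "readme.html": b"<html>ransom note placeholder</html>",
    "readme.png": build_minimal_png(),
})

if __name__ == "__main__":
    print(find_appended_archive(CLEAN_PNG))
    print(find_appended_archive(POLYGLOT))
```

Any bytes after the image's own end marker are worth reporting even when they do not parse as a ZIP; a legitimate image has no reason to carry a trailer. The same scan applied to the .zip members themselves is where the detection rate quoted above comes from, which is why the image, not the archive, was the part that slipped past the engines.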
If the ransomware runs, the victim’s files are encrypted and given a .kk extension, and a ransom note then appears giving the victim 48 hours to pay about 0.1 bitcoin.
At this time there is no way to decrypt the files and the best defense is to ensure all files are properly backed up.
Finding the best endpoint security for your enterprise is a complex, ever-changing task. Learn what features tools offer now to protect endpoints touching the enterprise systems.
When McAfee was formed in 1987 to sell the first commercial antivirus package, it set a baseline approach that has persisted to this day: Have a list of character strings that are unique to particular viruses and then scan files (and those files in memory) for the strings. Generally, if the scanner found one of the strings (the virus’s signature), it had very probably found a virus.
As other vendors emerged, they battled over their effectiveness at various aspects of this passive scanning approach. They focused on compiling the biggest, most comprehensive database of virus and malware signatures. The best endpoint security software available simply scanned for “bad” signatures every time a file was downloaded or opened. Vendors would boast about having better research teams to catch more viruses.
A number of additional virus-hunting techniques were introduced over the years — heuristic scanning to deal with polymorphic viruses that purposefully avoided having consistently scannable signatures, allowing the software to run but cordoning off its requests to the operating system to watch for malicious behaviors, and the introduction of reputation-based ratings to score the likelihood that a given executable could be relied on to be safe. But the basic pattern held: A monolithic software package at the endpoint watched all the new files and called out known bad actors.
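An added example, not code from the article or from any vendor it mentions, of the signature model just described and of why it erodes: a small scanner that compiles hex signatures (with a one-byte wildcard, in the style long used by AV engines) into byte patterns, a one-byte "mod" of the sample that the exact signature misses but the wildcard still catches, and a trivially XOR-packed copy that evades both until the scanner brute-forces the key the way an unpacker would. The signature database and the "malware" (the string MZFAKE-DROPPER) are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed signature set: hex bytes, "??" matches any single byte.
SIGNATURES: Dict[str, str] = {
    "Demo.Dropper.A":      "4d5a 4641 4b45 2d44 524f 5050 4552",   # "MZFAKE-DROPPER"
    "Demo.Dropper.A.wild": "4d5a 4641 4b45 ??44 524f 5050 4552",   # "MZFAKE?DROPPER"
}


def compile_signature(hexsig: str) -> "re.Pattern[bytes]":
    """Turn a spaced hex signature into a compiled byte regex; '??' becomes a one-byte wildcard."""
    s = hexsig.replace(" ", "")
    if len(s) % 2:
        raise ValueError("odd-length hex signature")
    parts = []
    for i in range(0, len(s), 2):
        tok = s[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan(blob: bytes) -> List[str]:
    """Names of every signature found anywhere in the blob (the classic static scan)."""
    return [name for name, pat in COMPILED.items() if pat.search(blob)]


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def scan_with_xor_unpacking(blob: bytes) -> Dict[int, List[str]]:
    """Cheap stand-in for an AV unpacker: try every single-byte XOR key and rescan.
    Key 0 is the raw file, so hits on the unpacked file show up under key 0."""
    hits: Dict[int, List[str]] = {}
    for key in range(256):
        found = scan(xor_bytes(blob, key))
        if found:
            hits[key] = found
    return hits


# Constructed samples.
SAMPLE_ORIGINAL = b"MZFAKE-DROPPER\x00\x00constructed sample body"
SAMPLE_MUTATED = SAMPLE_ORIGINAL.replace(b"-", b"_")   # the one-byte "mod" a criminal ships
SAMPLE_PACKED = xor_bytes(SAMPLE_ORIGINAL, 0x5A)       # the same code behind a trivial packer

if __name__ == "__main__":
    print("original:", scan(SAMPLE_ORIGINAL))
    print("mutated: ", scan(SAMPLE_MUTATED))
    print("packed:  ", scan(SAMPLE_PACKED))
    print("unpacked:", scan_with_xor_unpacking(SAMPLE_PACKED))
```

The wildcard shows how vendors kept pace with the tens of thousands of mods reported above: one looser signature covers a family of byte-level variants. The packed copy shows the limit of the approach. Each new packer or encoding needs its own unpacking logic before a signature can fire, which is the gap behaviour-based analysis is meant to close.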
Recently, though, the enhancements have begun to overtake the core static scanning components of antivirus software. “Next-gen” endpoint security tools have emerged as a new product category with specific characteristics.
Real-time is a defining trait of next-generation endpoint security
Signature files are static and threats are dynamic. At a certain point, it simply became impractical (if not impossible) to update signature files incessantly and instantaneously in an attempt to contend with zero-day threats. These are by definition threats that no virus collector has yet catalogued as of the moment they are launched.
So, if anything, “real-time” is the defining characteristic of the best endpoint security offerings in the next generation of tools. For many products, this means jettisoning the endpoint-resident signature file altogether and using different means to ferret out viruses and malware.
Analysis replaces signature matching
In next-gen tools, the best endpoint security offerings replace signature matching with analysis (in real-time, of course). Different products, naturally, will analyze different aspects and attributes to determine if a piece of code represents a threat to the endpoint.
Some of the analysis techniques have evolved from traditional endpoint products. For example, reputation analysis has been in use for a number of years. This technique generally involves searching a database containing lists of known “bad actor” IP addresses and websites that have been confirmed to be sources of malware.
For some traditional vendors, moving to next-gen tools means taking the various techniques they have developed over the years within their traditional product line and integrating them to provide a more effective solution.
Many security products will evaluate multiple attributes of a piece of code. Each piece of information would be used to build a risk score that, ultimately, would help the tool determine whether the code should be blocked. One next-gen vendor claims to have developed over six million possible indicators of malware and uses that information to determine whether a given piece of code is malware.
Isolation aids analysis
Another variation of analysis involves simply letting the suspect code run on your system, to analyze what it does. If it tries to do something bad, like erase files or make outbound network contact without authorization, then by definition it is malware and should be contained.
This approach, known generally as sandboxing, is not new. What is new is the implementation: One vendor leverages the high-performance virtualization features built into most PC hardware these days. That vendor creates a micro VM that can be termed a one-sample sandbox. The code is run, its behavior analyzed, a threat decision is made and the VM is discarded. Every sample gets its own fresh VM within which to run and be analyzed.
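An added example, not the product of any vendor described in this article, of how the multi-attribute risk score and the sandbox behaviour analysis above fit together: weighted indicators evaluated over the trace a sandbox run produces. The two traces are constructed (a ransomware-like run that rewrites documents under a new extension, deletes shadow copies and drops a note, beside a benign document save); the indicator weights, the block threshold, the mass-rewrite threshold and the list of ordinary document extensions are all assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

# A trace is a list of (event, detail) pairs as a sandbox might record them.
Trace = List[Tuple[str, str]]

# Constructed ransomware-like run: kill backups, phone home, rewrite every document, drop a note.
RANSOM_TRACE: Trace = [("process", "vssadmin.exe delete shadows /all /quiet"),
                       ("net_connect", "203.0.113.10:443")]
for i in range(40):
    RANSOM_TRACE.append(("file_write", rf"C:\Users\bob\Documents\doc{i}.docx.kk"))
    RANSOM_TRACE.append(("file_delete", rf"C:\Users\bob\Documents\doc{i}.docx"))
RANSOM_TRACE.append(("file_write", r"C:\Users\bob\Documents\readme.html"))

# Constructed benign run: a word processor saving one file and checking for updates.
BENIGN_TRACE: Trace = [("file_write", r"C:\Users\bob\Documents\report.docx"),
                       ("file_delete", r"C:\Users\bob\AppData\Local\Temp\~report.tmp"),
                       ("net_connect", "203.0.113.20:443")]

SHADOW_COPY_CMDS = ("vssadmin", "wmic shadowcopy", "wbadmin")
ORDINARY_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "tmp"}   # assumption


def score_trace(trace: Trace, mass_threshold: int = 20) -> Dict[str, int]:
    """Return the indicators that fired with their weights; the risk score is their sum."""
    fired: Dict[str, int] = {}
    counts = Counter(ev for ev, _ in trace)

    # 1. Mass rewrite: many new files written and many originals deleted in one run.
    if counts["file_write"] >= mass_threshold and counts["file_delete"] >= mass_threshold:
        fired["mass_file_rewrite"] = 40

    # 2. One unfamiliar extension stamped onto most of the written files (doc.docx.kk).
    exts = Counter(d.rsplit(".", 1)[-1].lower()
                   for ev, d in trace if ev == "file_write" and "." in d)
    if exts:
        top_ext, top_n = exts.most_common(1)[0]
        if top_n >= mass_threshold and top_ext not in ORDINARY_EXTENSIONS:
            fired["uniform_new_extension"] = 30

    # 3. Tampering with the machine's own recovery points.
    if any(ev == "process" and d.lower().startswith(SHADOW_COPY_CMDS) for ev, d in trace):
        fired["shadow_copy_deletion"] = 50

    # 4. A ransom-note-shaped file written next to the rewritten documents.
    if any(ev == "file_write" and d.lower().endswith(("readme.html", "readme.txt"))
           for ev, d in trace):
        fired["ransom_note_dropped"] = 20

    # 5. Outbound contact: weak on its own, meaningful in combination.
    if counts["net_connect"]:
        fired["outbound_connection"] = 5
    return fired


def verdict(fired: Dict[str, int], block_at: int = 60, flag_at: int = 30) -> str:
    total = sum(fired.values())
    return "block" if total >= block_at else ("suspicious" if total >= flag_at else "allow")


if __name__ == "__main__":
    for name, trace in (("ransomware", RANSOM_TRACE), ("benign", BENIGN_TRACE)):
        fired = score_trace(trace)
        print(name, sum(fired.values()), verdict(fired), fired)
```

No single indicator is decisive: an outbound connection or a deleted temp file is everyday behaviour, and shadow copy deletion has legitimate administrative uses. The score only becomes a block when several independent indicators line up, which is the property the six-million-indicator products above are trading on, and the reason each sample gets a fresh VM: the trace has to be attributable to that one sample.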
Even the best endpoint security tools can’t do it all
In the realm of next-gen endpoint security, niche vendors are continually coming up with new takes on the issue. There are always new features being added. But it’s also important to understand what next-gen endpoint security is not. It is not a one-size-fits-all solution to your endpoint security woes. Nor is it a “me, too” list of vendors all doing the same thing. And, importantly, it is not necessarily meant to be a total replacement for traditional endpoint security. It is simply a means to obtain the best endpoint security possible, which is, in turn, a key element of an overall approach to keeping your systems secure.
Given the latest reports by both Kaspersky and the Anti-Phishing Working Group, it is imperative that corporations ensure their end users are trained in spotting a phishing attempt.
The number of cyberattacks targeting financial institutions and their customers soared to new heights in 2016, according to Kaspersky Lab, which observed nearly 1.09 million banking trojan attacks on users in 2016 – a roughly 30.6 percent jump over the previous year.
Meanwhile, of the nearly 155 million phishing attacks detected on Windows machines by Kaspersky in 2016, about 47.5 percent impersonated banks, payment service providers (e.g. PayPal and Visa) or e-shops (e.g. Amazon and eBay), compared to roughly 34.3 percent in 2015. “At the moment this is the highest percentage of financial phishing ever registered by Kaspersky Lab,” the company noted in its “Financial Cyberthreats in 2016” report, issued Wednesday.
In another first, Kaspersky found that phishing pages impersonated legitimate banking services more often than any other online service offering, including global web portals and social networks. Phishers imitated banking sites about 25.8 percent of the time, compared to approximately 17.4 percent of the time in 2015. Phishing attacks in 2016 that imitated e-shops and payment services also surpassed their respective 2015 shares.
Amazon was the most commonly impersonated brand in Windows-based financial phishing scams, while Apple was the most frequently mimicked brand in Mac-based scams.
The findings complemented a separate, fourth-quarter Phishing Activity Trends Report published Thursday by the Anti-Phishing Working Group (APWG), which identified more phishing attacks in 2016 than in any year since it began monitoring the practice in 2004. The APWG observed a 65 percent increase in phishing incidents in 2016, with phishing activity in the fourth quarter higher than during any period in 2015.
Banking Malware Makes a Comeback
After noting a significant decline in desktop malware attacks targeting financial data in 2014 and 2015, Kaspersky observed a major turnaround in 2016, as financial attackers executed a quarter-million more banking trojan attacks than they had launched the year before.
According to the report, this increase means that “although professional cybercriminal groups shifted a lot of their attention to targeted attacks against large companies, including banks and other financial organizations, smaller groups of criminals are continuing to target victims with the help of relatively widespread malware, which is available on the open web.”
In fact, while the number of attacked individual users and corporate users both increased, individuals actually comprised an even larger share of total attacks in 2016 (about 82.8 percent) than they did in 2015 (about 78.5 percent). Corporations were attacked about 17.2 percent of the time in 2016, compared to roughly 21.5 percent of the time in 2015.
The Zbot banking trojan family remained most popular among cybercriminals in 2016 – used in 44.1 percent of banking malware attacks observed by Kaspersky, compared to about 58.2 percent of attacks in 2015. The Gozi trojan, used in approximately 17.2 percent of these attacks, ate into Zbot’s share, while use of Tinba fell markedly, from 20.7 percent of attacks in 2015 to only about 3.5 percent in 2016.
More than half of the users targeted in desktop banking malware attacks during 2016 were based in 10 countries, including Russia (19.8 percent) and Germany (14.9 percent). U.S. users saw the sixth most attacks of this nature, as the country’s overall share of such attacks shrank from about 4.2 percent in 2015 to roughly 3.3 percent last year.
Kaspersky noted a dramatic 430 percent year-over-year increase in Android banking malware incidents, after more than 305,000 users were attacked in 2016. While only 3,967 users were attacked in January, incidents quickly skyrocketed, peaking in October with nearly 75,000 attacks before falling off sharply.
Kaspersky attributed the sudden spike to a pair of key developments in the mobile malware world: attackers began distributing the malware Asacub via SMS, while other bad actors started to distribute the Svpeng trojan through the Google AdSense advertising network.
Ransomware attackers are getting more aggressive, destructive, and unpredictable.
RSA CONFERENCE 2017 – San Francisco – The data-hostage crisis isn’t going away anytime soon: In fact, it’s starting to get a lot scarier and destructive, and with a more unpredictable outcome.
Security experts long have warned that ponying up with the ransom fee only plays into the hands of ransomware attackers; it doesn’t necessarily guarantee victims get their data back and unscathed, even though most of these bad guys thus far honor their promise of decrypting hijacked data after they receive their payment. Ransomware is rising dramatically, growing by a rate of 167 times year over year, according to SonicWall, with some 638 million attack attempts in 2016, up from 4 million the previous year. Kaspersky Lab data as of last October shows there’s a ransomware attack every 40 seconds.
James Lyne, global head of security research at Sophos Labs, warns that ransomware attacks are starting to become more of a no-win for victims, as some attackers are also now stealing the data they encrypt for further monetization, destroying it altogether, and even waging subsequent attacks on a victim. The attackers are more sophisticated with their encryption methods, and more aggressive, instituting tighter payment deadlines and including organized-crime style threats that sound more like a physical hostage negotiation, he explains.
He describes their brazen demands and attacks as a “shock-and-awe” approach that’s catching fire among cybercriminals hoping to more efficiently strong-arm their victims and potentially cash out more quickly.
“We’re seeing more and more inclusion of a timer” and a warning that the victim has X amount of time to pay the ransom or the attackers will begin to delete the files, or purge the data entirely, he says. In one attack Lyne investigated, the attackers warned the victim if he or she balked at payment or contacted law enforcement, they would delete the keys for decrypting the data so it wouldn’t be retrievable at all.
“Not even the cybercriminals can recover the data” then, he says.
“It irrevocably shreds them. You’re not going to get the data back even if you go to a forensics specialist,” Lyne says. “They’re starting to move toward a more aggressive approach of ‘hand over the money more quickly.'”
“It’s a really interesting tactic because it invokes panic in the user” so they are afraid to talk to tech support for help, he says.
Reinfection is also becoming a trend, where attackers who have successfully forced a victim to pay up to get their data back later target the same victim multiple times. “Traditional blackmailers know if someone pays once, they are probably going to pay again,” he says.
Lyne plans to show one such case of a repeat attack during his RSAC session entitled Reversing the Year: Let’s Hack IoT, Ransomware and Evasive Payloads. “I’m going to show an example of where they got infected and the user pays, cleans up, and the attacker waits a period of time before doing the exact same thing again,” he says.
So the days when cleaning up after a ransomware infection meant the event was over may soon be gone. Variants such as Ranscam actually erase the victim’s files despite promising to return them once the ransom is paid. The Ranscam attackers basically fool the victim into thinking the data is retrievable; they didn’t even invest in encryption, so it’s a rather evil but ingenious way to wage a low-cost, high-return attack, according to Craig Williams of Cisco Talos.
Lyne says another big worry is ransomware attackers pilfering the data they locked for future monetization after the victim pays up. To date, most ransomware attacks have been opportunistic rather than targeted, even though industries such as healthcare and law enforcement have been among the hardest hit.
“In truth, most of these we’ve heard of weren’t targeted … the samples I look at have no example that they targeted specific types of businesses,” he says.
Even so, he’s seeing ransomware attackers stealing credentials and other potentially valuable data from their marks. “It encrypts your data, you pay money to get it back and it then nicks your data” as well, says Lyne, who will demonstrate one such attack here.
“It’s not widespread … but it’s something people need to be aware of now,” he says. “You can’t just pay money and consider the incident over.”
Another thing to watch for: ransomware targeting databases, which indeed is a sign of fishing for valuable data.
Headless But Deadly
Another sign of the times with the ransomware boom is campaigns that are abandoned by the attackers but still spread to victims, leaving them stranded with encrypted data and no ransom payment option. “We see this quite a lot,” Lyne says, and it tends to be lower-level, older variants such as Vipasana and Satana, and campaigns where the email or payment contact channel are shut down. “Now there’s ransomware floating around that’s shredware: there isn’t a way to get your data back,” he says.
Craig Williams, senior technical leader and security outreach manager for Cisco Talos, points to CryptoWall 3 as an example of this: “When it was abandoned, it stopped working and there was no key exchange,” which made it benign, he says.
The Talos team was seeing 130,000 ransomware samples per day in December of last year.
With the newer generation of more sophisticated and businesslike ransomware, more of the old-school rudimentary variants are likely to be scrapped in favor of more effective attack tools. Even so, phishing emails and other ransomware-rigged delivery points will still infect users. “This is a sign of things to come. So you should prepare,” Lyne says.
Meantime, ransomware variants such as Samsam have included a self-propagation feature that lets them spread like a worm, rather than just via email or malicious web content. Worm-like spreading lets ransomware infect more victims more quickly, Cisco’s Williams says.
Be Prepared Or Prepare To Lose Data
The best defense from ransomware is preparation: expect the worst, and run regular backups. “Have a backup that works, one that’s not constantly connected to your computer such that you end up with an encrypted backup that’s also infected with ransomware,” Lyne says. There are even ransomware variants that target backups, so offline data backups are the best bet.
Cloud-based backups can be helpful as well, Cisco’s Williams says. “Don’t put your eggs in one basket … Have unique usernames and passwords” for those types of services, he says.