Ransomware continues to grow rapidly, warns McAfee Labs, the threat research division of Intel Security.
Malware designed to lock up businesses’ data and demand ransom increased by 58% in the second quarter of 2015, according to the McAfee Labs Threats Report: August 2015.
The total number of ransomware samples is also up, by 127% compared with the second quarter of 2014, the report said, attributing the increase mainly to rapidly-growing new ransomware families such as CTB-Locker and CryptoWall.
“Ransomware attacks have also become easier than ever to carry out because of crimeware services that provide attackers with user-friendly graphical user interfaces or consoles to customise attacks,” said Raj Samani, chief technology officer for Europe at Intel Security.
“No technical knowledge is required. All attackers have to do is fill in the email addresses they want to target and wait for the money to come rolling in,” he told Computer Weekly.
Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers as companies pay ransoms in bitcoin for the decryption keys to unlock their data.
“But most ransomware attacks can be avoided through good cyber hygiene and effective, regular data backups that are continually tested to ensure they can be restored if needed,” said Samani.
Companies can also limit the impact of ransomware attacks by exercising good governance and ensuring that users have access only to the shared drives they need to do their jobs.
“Our recommendation is that businesses need to be proactive because the decryption keys are not always provided when ransoms are paid and being proactive is often easier and less costly than a reactive approach,” he said.
By paying ransoms, Samani said companies should recognise that they are contributing to cyber crime by supporting those responsible for it.
While the total number of mobile malware samples grew 17% in the quarter, the report notes that mobile malware infection rates declined by about 1% in all regions except North America, which dropped almost 4%, and Africa, which was unchanged.
“The decline in mobile infection rates can be attributed in part to increasing security maturity, the deployment of more mobile security controls, the clean pipe approach by internet service providers, and the tendency of some attackers to avoid North America out of fear of investigation by the FBI,” said Samani.
Researchers found that the trend of decreasing botnet-generated spam volume continued through the quarter, with the Kelihos botnet remaining inactive.
“Despite international efforts to take down botnets, they still appear to be one of the most prevalent forms of infection, but businesses could be doing more to protect themselves by using the removal tools being produced by security firms,” said Samani.
“When the Beebone botnet was taken down in April, we estimated that there were about 36,000 infections a day, but despite releasing a free removal tool along with a number of our competitors, the infection rate is still around 34,000 a day, which is a decrease of just 6%.”
According to Samani, protection is available against many of the top botnets, but infections continue to be high because organisations are failing to tap into the resources available.
“Businesses and consumers still do not pay sufficient attention to updates, patches, password security, security alerts, default configurations and other easy but critical ways to secure cyber and physical assets, which is all part of basic good cyber hygiene, which should be the foundation for every business,” he said.
Suspect URLs remained a significant threat, with more than 6.7 million attempts made every hour in the quarter to entice McAfee customers into connecting to risky URLs via emails and browser searches.
The researchers also observed that more than 19.2 million infected files were exposed every hour to McAfee customers’ networks in the quarter, and 7 million potentially unwanted programs attempted installation or launch every hour on McAfee-protected networks.
The report probes three proofs-of-concept (PoC) for malware exploiting graphics processing units (GPUs) in attacks.
While nearly all of today’s malware is designed to run from main system memory on the central processing unit (CPU), these PoCs use the efficiencies of these specialised hardware components designed to accelerate the creation of images for output to a display.
The scenarios suggest hackers will attempt to leverage GPUs for their raw processing power, using them to evade traditional malware defences by running code and storing data where traditional defences do not normally watch for malicious code.
Reviewing the PoCs, Intel Security said that moving portions of malicious code off the CPU and host memory reduces the detection surface for host-based defences. However, researchers argue that, at a minimum, trace elements of malicious activity remain in memory or CPUs, allowing endpoint security products to detect and remediate threats.
As well as detailing current and emerging threats, the report also reviews the past five years of hardware and software threat evolution since Intel announced the acquisition of McAfee in August 2010 in a $7.7bn deal.
According to the report, an important focus of the acquisition was shifting security technology to silicon. Samani said this is because the ability to put security into the software layer on mobile devices, digital oilfields, lifts and other devices making up the internet of things is technically challenging and costly.
“As we rely increasingly on machine-to-machine interaction, we need to move to the concept of a hardware root of trust,” he said, predicting that this will become increasingly necessary as critical national infrastructure becomes more connected and hackers begin to use more firmware-based attacks.
Another top trend in the past five years noted in the report is the emergence of evasion techniques being developed by attackers.
“The Beebone botnet was a good example of this because we found that it could change and modify itself up to 35 times a day to evade detection, and so is the Regin malware, which was discovered only 15 years after it had been developed and introduced into the wild,” said Samani.
What all this underlines, he said, is that cyber crime has grown into a fully-fledged industry with suppliers, markets, service providers, financing, trading systems, and a proliferation of business models.
“Attackers no longer need any technical knowledge or skills because everything they need is available in the form of relatively inexpensive and easy-to-use exploit kits and services,” said Samani.
The report also noted that although the volume of mobile devices has increased more rapidly than expected, serious broad-based attacks on those devices have grown much more slowly than expected.
Cloud adoption has changed the nature of some attacks in the past five years, the report said, as devices are attacked not for the small amount of data they store, but as a path to where the important data resides.
The report said the discovery and exploitation of core internet vulnerabilities such as Heartbleed has demonstrated how some foundational technologies are underfunded and understaffed.
On a positive note, the report said there is growing, positive collaboration between the security industry, academia, law enforcement and governments to take down cyber criminal operations.
Vincent Weafer, senior vice-president, Intel Security’s McAfee Labs, said: “We were impressed by the degree to which three key factors – expanding attack surfaces, the industrialisation of hacking, and the complexity and fragmentation of the IT security market – accelerated the evolution of threats, and the size and frequency of attacks.
“To keep pace with such momentum, the cyber security community must continue to improve threat intelligence-sharing, recruit more security professionals, accelerate security technology innovation, and continue to engage governments so they can fulfil their role to protect citizens in cyber space.”