It’s a war out there in the Cyberworld… and it’s only getting worse. Hopefully, this is not news to you. According to Kaspersky Labs, 58% of corporate PCs were attacked with at least one Malware attempt, 29% were exposed to an Internet-based attack (much higher if you’re part of a government) and a huge rise in the number of attacks targeted against Droids and IOS devices in the growing market to steal data from employee’s mobile devices. This doesn’t even the address the 41% of attacks from the insider threat, both the intended and unwitting employees, that use infected USB sticks or other removable media.
One of biggest malware threats on the rise in 2015 is what’s called ransomware or otherwise known as cryptolockers. None of the typical platforms: Windows, Mac, and even Linux devices/servers are immune to this kind of attack. Ransomware is a type of malware that prevents users from accessing their files or system—predominantly by encrypting the victim’s files. By this, cybercriminals are leveraging the victims locked date to force the victim to pay a ransom in order to regain access to their data or risk having the crypto key deleted if payment is not met. The latest variation of ransomware is the Crypto Wall malware which scrambles the filenames on infected computers, making it even more difficult for victims to recover their data without securing the key from the attackers.
Depending the on the victim and the data involved, another ransomware tactic, known as Chimera, threatens to publish the data of any uncooperative victim—business or private consumer—to the Internet. The tactic, which is currently aimed at German targets, demands the payment of more than AUD $1100, according to German cybersecurity site Botfrei, which reported the initial attack.
“To frighten the user even more, the message indicates the threat to publish personal data and pictures somewhere on the internet – if user doesn’t pay the bribe,” states Botfrei’s analysis of the attack.
In August of 2015, Dell Secureworks researchers reported that more than 600,000 computers had been infected by CryptoWall, one of the most widespread ransomware programs, where victims have already paid millions in both 2014/2015.
Although corporations will always be targets, Small and Medium Business’ (SMBs) are increasingly seeing this type of attack as they are less likely to have sophisticated security or even data backups which leaves them vulnerable to extortion tactics. Educating staff to be on the lookout for suspicious emails has in the past been a great mitigation, however, cybercriminals have stepped up their game with the use of resumes, customer orders, postal service notifications, telecommunication companies, utilities, and government entities as a lure to open and click on malware. Another ransomware program known for its social engineering tactics, TorrentLocker, is becoming very well known in the community. A recent consumer focused attack employed the use of bogus speeding fines sent by the Australian Federal Police (AFP) in Australia,” the anti-virus vendor, Trend Micro researchers said. “However, most of the lures are compatible with business targets, such as parcel notifications, which are an important part of a small business’ day-to-day activity. In short, TorrentLocker targets both consumers and SMBs.” Another indicator that SMBs are the primary target is that ransomware campaigns are timed to coincide with the start of the work day in different regions. According to Trend Micro’s data, most people click on the malicious ransomware links between 9am and 1pm when normally at work.
Cybercriminals are also increasingly adding detection evasion techniques. For example, they’re using legitimate, but compromised websites to redirect users to their landing pages. They’re also adding CAPTCHA tests to their spoofed sites in order to block automatic crawlers or security sandboxes from catching the malicious payloads. Not something the average user would note or consider suspicious. Some recent TorrentLocker versions even have self-destruct capabilities to prevent IT staff from collecting samples from infected systems.
“We believe that ransomware will continue to improve its tactics and target more business environments,” the Trend Micro researchers said. Simple things like verifying the source of emails and the reputation of websites before visiting them can go a long way to prevent ransomware infections. However, the importance of conducting weekly backups ups cannot be stressed enough to avoid such an attack on your data.
Although the overall number of threats remain low, 2015 marked an all-time high for malware attacks from cybercriminals against IOS devices which has been trending upwards over the last five years. Traditionally, these malware attacks came from connecting to infected desktops, but an even larger trend is coming from jailbroken devices which leaves the mobile device vulnerable since users have access to third-party app stores which may include applications with backdoors or other malware from unscrupulous vendors . IOS devices are also vulnerable to applications coming from unverified sources, and the XcodeGhost malware designed to inject malicious code into both iOS and Mac OS X applications. According to Symantec, nearly 70% of iOS threats documented to date are aimed only at jailbroken devices. On the Droid side of the house, Symantec has seen several variants of a known ransomware family (Android.Lockdroid.E) that were developed on Android devices using the Android integrated development environment (AIDE). The surge in adoption of these new development techniques has been limited to a small subset of Android ransomware groups. However, the ability to create malware on mobile devices may open up new avenues in the future creation of malware.
The goal, understandably, is to stay protected. We can do that by installing robust security suites (i.e. Symantec) and keep them updated. Keep up with operating systems updates and at all costs avoid jailbreaking mobile devices. When downloading or installing applications to desktops, laptops, and mobile devices, ensure that you’re using only reputable sources. Although they’re getting harder to detect, do not open suspicious emails (phishing attacks) and if you happen to do so, don’t click on the link inside the email. Additional steps can include, disabling your Java, which is one of the most popular attack strategies for many cybercriminals. Beyond these essential steps, organizations should extend their analytical efforts. Traditional perimeter security measures often do not protect against many drive-by attacks, which unless you have the absolute latest and greatest anti-virus programs the malware is often not recognized by the Anti-Virus program. To limit the risk of a drive-by malware attack planted on their websites, organizations should monitor the payload of their different Internet properties, which for larger organizations can be a huge undertaking. By doing so, it is possible to detect early indicators of an ongoing attack and have enough advance warning to mitigate the threat. Since drive-by attacks are only one of many attack techniques, payload data monitoring should be part of an organization’s continuous diagnostics program. Another possible way for your security team to mitigate other drive by attacks is to limit access with web categorization and web reputation. With web categorization security administrators can set policies to allow only certain categories of web sites to be accessed. Web reputation assigns a reputation score to a URL based on a variety of data, including the length of time the domain has been malware-free, so you can set policies about whether or not a link can be accessed based on tolerances.
Because some sophisticated attacks may get through, you need advanced malware protection that includes retrospective security. Retrospective security continues to track files and analyse their behaviour against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can also determine the scope of the attack so that a security team can quickly mitigate the threat.
How can you stay ahead of emerging threats?
The best way to protect your business against emerging threats is by having NST take care of your business security needs. To identify threat trends, you need to have visibility into data across a community. In this case, the ability to look at email and network security telemetry from a community of users together with other sources that track threats can give you the intelligence and lead time you need to proactively protect against emerging outbreaks. Look for vendors such as NST that will include outbreak filters within their email security architecture and can leverage collective security intelligence to develop protections in real-time against new outbreaks.