While you were watching ransomware...
While everyone was worrying about ransomware, attackers successfully changed tactics and switched to adware.
It’s been a busy month or two for ransomware and, in spite of recent reports that CIOs haven’t responded particularly dynamically, it appears that a fair number of attackers assumed they would, and have changed tactics to suit.
The latest Global Threat Impact Index by Check Point has revealed that the top two malware families were both malvertising-based, followed by the aged but ever-present Slammer worm, pushing ransomware in any form into fourth place. That is lucky for the 50 per cent of CIOs who planned not to respond to raised ransomware concerns.
Leading the board is malware dubbed ‘Roughted’, which hit 28 per cent of organisations globally during June alone. The malvertising campaign is used to deliver links to malicious websites and payloads such as scams, adware, exploit kits and ransomware. The campaign began to spike in late May and continued through June, eventually hitting organisations in 150 countries, mainly in the education, communications, and retail and wholesale sectors. Its main evil genius lies in hijacking ad networks to spread the payload: the attackers no longer need to maintain a distribution infrastructure of their own, because they ride on the highly resilient and optimised ad delivery networks instead.
In second place, further cementing the swing away from ransomware, sits Fireball, a browser-hijacker that can be turned into a fully functioning malware downloader. It impacted 20 per cent of organisations in May but declined sharply, affecting only 5 per cent of businesses in June. Fireball not only conducts standard click-fraud and query redirection, but is also capable of executing arbitrary code on victim machines, making it potentially much more dangerous than a basic adware/malvertising tool.
Fairly astonishingly, the venerable Slammer worm was the third most common malware variant, impacting 4 per cent of organisations. “The wide variety of attack vectors being utilised in this month’s index serves as a reminder to organizations that they need to ensure their security infrastructures robustly protect them against all tactics and methods used by cyber-criminals”, said the company.
Ilia Kolochenko, CEO of High-Tech Bridge, believes that regardless of last month’s dip, ransomware is unfortunately here to stay: “Ransomware is about business, not about technology. All the components for ransomware (e.g. encryption mechanisms, exploit packs, etc.) have existed for many years. However, with the ransomware approach, victims have no other simple way to get their data back other than to pay. Reliability and certainty of payment make ransomware especially attractive for cybercriminals.”
He also makes the point, though, that compromising a corporate website, by whatever means, is one of an attacker’s major aims, whether as a step in a chained compromise of the wider corporate network or as part of a more targeted campaign: “In the past, hackers used one-off or garbage websites to host malware, but as corporate users become more educated and vigilant, attackers need to find more reliable avenues to deliver malware and enter corporate networks. This is why Gartner, and other independent research companies, continuously say that the risk of corporate web applications is very high and seriously underestimated…”
The moral of the story is that focusing too much on any one threat or vector is going to lead to trouble of the worst kind.
Top 10 ‘Most Wanted’ Malware according to Check Point
- RoughTed – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware.
- Fireball – Browser-hijacker that can be turned into a fully functioning malware downloader.
- Slammer – Memory-resident worm targeted to attack Microsoft SQL 2000.
- Cryptowall – Ransomware known for its use of AES encryption and for conducting its C&C communications over the Tor network.
- HackerDefender – User-mode Rootkit for Windows.
- Jaff – Ransomware which began being distributed by the Necurs botnet in May 2017.
- Conficker – Worm that allows remote operations and malware download.
- Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware.
- Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
- Rig EK – Exploit kit first introduced in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer.