6 months under siege: the malware story so far in 2017
Article by threat intelligence group manager at Check Point, Maya Horowitz
If 2016 was a bad year for malware, with ransomware attacks more than doubling during the year, the picture got even worse during the first six months of 2017.
The percentage of ransomware attacks globally nearly doubled again compared to the first half of 2016. Major disruption was caused by a wide range of malware families, distributed by unknown threat actors. Thanks to the theft of cyberattack tools developed by several nations’ government agencies, sophisticated malware and exploits have ended up in criminals’ hands.
What’s more, ransomware has affected not just businesses but public infrastructure and medical facilities around the world, with ransomware attacks detected in EMEA nearly double those seen in the same period last year. It’s an insidious – and complex – picture.
However, it is possible to draw out four major trends as to how malware attacks have grown and evolved during the first half of 2017 – and from these, draw some lessons on how organisations can better protect themselves.
Trend #1: nation-state cyber weapons are freely available to criminals
In March, thousands of documents detailing the CIA’s tools and methodologies for hacking into iPhones, Android devices and smart TVs were released. It was the first in a series of enormous data dumps that combined nation-state hacking tools with a large set of previously unknown (zero-day) vulnerabilities, which in turn enabled criminals to carry out attacks with a level of sophistication not seen before.
Consider the Shadow Brokers threat group releasing a dump of NSA exploits and hacking tools in April. This was a major data leakage incident in itself, and it also supplied the exceptional lateral movement capability of the WannaCry ransomware the following month: a leaked exploit for a flaw in Windows SMB, for which Microsoft had already issued a patch, let WannaCry spread from machine to machine without any user interaction, hitting public-sector and civil organisations worldwide. The same NSA capabilities were reused in NotPetya – another global attack which had a major impact on Ukrainian organisations, taking down entire networks.
We can see, then, that threat actors are extremely efficient at learning from previously successful attack types. The key takeaway is that a tool built by one actor does not stay with that actor: once leaked, a nation-state exploit is a commodity available to any criminal, and a patch that exists but has not been applied is an open door. Threats are related regardless of where they originate.
Trend #2: adware is becoming malware
Adware, which automatically displays or downloads advertising material on an infected machine, tends to be seen as an annoyance rather than a major cybersecurity threat. But this perception is changing fast.
For example, Fireball is a browser hijacker primarily meant to push advertisements – but, crucially, it can also execute arbitrary code on its victim’s machine, which makes it a full backdoor in all but name. 19.7% of organisations globally were affected by it in the first half of 2017.
Another angle to the adware issue is the rise of mobile adware botnets, which have continued to expand. HummingWhale, a new variant of the infamous HummingBad malware; Judy, an auto-clicking adware which may be the largest malware infection ever seen on Google Play; and CopyCat, which infected 14 million Android devices, have all been significant players in the mobile malware landscape this year. As a result, we need to fundamentally change our approach to adware, especially adware distributed by large, seemingly legitimate companies.
Trend #3: macro-based downloaders are evolving
Delivery methods for malware are evolving too. New techniques for abusing Microsoft Office files mean a victim no longer always has to ‘open the front door’ by enabling macros, but macro-based downloaders remain the workhorse. The document itself carries no payload: only a small macro which, once the user enables it, downloads and executes a Remote Access Trojan (RAT), ransomware or another second stage from a server the attacker controls. This method is particularly insidious because the user’s own action runs the code, and because the attachment that conventional anti-virus scans contains nothing but a downloader, usually obfuscated, so there is no malicious payload to match a signature against.
Trend #4: a new wave of mobile banker malware
Mobile malware has become a favoured tool of cybercriminals, and as the Internet of Things, mobile and remote working, and smartphone and tablet ownership all grow, it is an increasingly profitable line of attack.
Adware campaigns have long hidden in Google Play, but now a new wave of mobile bankers, most of which belong to the BankBot family, have managed to infiltrate the app store and infect users. This is an alarming development: the perpetrators combine publicly available banking malware source code with complex obfuscation techniques to repeatedly bypass Google’s app store protections, and the malware then overlays fake login screens on legitimate banking apps to harvest credentials.
These four broad trends illustrate just how diverse and dynamic the malware threat landscape is. Sophisticated malware families – and even simple ones with smart delivery mechanisms – are achieving global distribution. Massive botnets spanning the globe are the engines behind this distribution, pushing out newer malware, mostly ransomware and banking malware, with the aim of getting cash from victims by extortion or by stealth.
It’s better to prevent than cure
However, it is important to realise that even highly sophisticated malware attacks can be neutralised, and often prevented outright, with relatively simple cybersecurity tools and processes. Network segmentation, for example, is a basic principle of sound network architecture, and it is highly effective against the damaging lateral movement seen in WannaCry and NotPetya: a worm that can reach every host on a flat network reaches only its own segment when file-sharing and administrative protocols are blocked between segments.
Threat emulation, or sandboxing, helps identify new and unknown malware for which anti-virus signatures do not yet exist. Threat extraction works together with emulation: it removes potentially malicious active content such as macros and embedded objects from files received by email, delivering a sanitised copy to the user and so blocking macro-based downloaders before they are ever run.
Even sophisticated ransomware can be blocked using a specialised endpoint agent which uses behavioural analysis to identify the earliest signs of a ransomware infection, such as a rapid burst of files being rewritten with encrypted content, before it gets far into encrypting data. When such behaviour is detected, the agent takes 'snapshot' images of targeted files in real time, while simultaneously quarantining and terminating the ransomware process. Even if the ransomware was able to encrypt a small number of files during the detection phase, the agent automatically restores them from a secure repository of file snapshots on the endpoint; that repository must itself be out of the ransomware’s reach, or it is just another set of files to encrypt.
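To make the snapshot-and-restore mechanism concrete, here is an in-process simulation of it. This is an added example and not Check Point’s endpoint agent or any vendor’s code: the behavioural heuristic (a burst of ciphertext-like rewrites of protected files within a short window), the entropy threshold, the directory layout and the sample documents are all constructed for the demonstration, and a real agent hooks the filesystem and acts per process rather than wrapping a `write()` call.

```python
"""Snapshot-and-restore ransomware defence, simulated in-process.

Added example, not a vendor's agent. Heuristic, thresholds, vault layout
and sample files are constructed here for demonstration only.
"""
import math
import os
import shutil
import tempfile
import time
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plaintext documents sit well below ciphertext (~8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareGuard:
    """Mediates writes under `root`: keeps a known-good snapshot of each file,
    watches for a burst of ciphertext-like rewrites, and on detection blocks
    further writes and rolls the files back from the snapshot vault."""

    def __init__(self, root, *, entropy_threshold=7.0, burst=3, window_s=5.0):
        self.root = root
        # Stand-in for the "secure repository"; in a real agent this lives
        # where the ransomware process cannot write.
        self.vault = tempfile.mkdtemp(prefix="snapshots-")
        self.entropy_threshold = entropy_threshold
        self.burst = burst
        self.window_s = window_s
        self.recent = deque()        # timestamps of recent ciphertext-like writes
        self.quarantined = False
        self.events = []

    def _vault_path(self, path):
        dst = os.path.join(self.vault, os.path.relpath(path, self.root))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        return dst

    def _snapshot(self, path):
        """Copy the current contents aside, but only while they still look
        like plaintext: a snapshot must never be overwritten by ciphertext."""
        if not os.path.exists(path):
            return
        with open(path, "rb") as f:
            current = f.read()
        if shannon_entropy(current) < self.entropy_threshold:
            shutil.copy2(path, self._vault_path(path))

    def write(self, path, data, now=None):
        """Returns 'ok', 'reverted' (write landed, then rolled back by the
        restore it triggered) or 'blocked' (writer already quarantined)."""
        if self.quarantined:
            return "blocked"
        now = time.monotonic() if now is None else now
        self._snapshot(path)
        with open(path, "wb") as f:
            f.write(data)
        if shannon_entropy(data) < self.entropy_threshold:
            return "ok"
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window_s:
            self.recent.popleft()
        if len(self.recent) < self.burst:
            return "ok"
        # Burst of ciphertext-like rewrites inside the window: quarantine the
        # writer (here: refuse all further writes) and roll back.
        self.quarantined = True
        self.events.append(("quarantined", now))
        self.restore()
        return "reverted"

    def restore(self):
        """Copy every snapshot back over its (possibly encrypted) original."""
        restored = []
        for dirpath, _, files in os.walk(self.vault):
            for name in files:
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, self.vault)
                shutil.copy2(src, os.path.join(self.root, rel))
                restored.append(rel)
        restored.sort()
        self.events.append(("restored", restored))
        return restored


# Constructed stand-in for ciphertext: a flat byte histogram, entropy exactly 8.0.
CIPHERTEXT_LIKE = bytes(range(256)) * 16


def demo():
    """Four constructed documents, then a simulated ransomware run over them."""
    root = tempfile.mkdtemp(prefix="docs-")
    guard = RansomwareGuard(root)
    originals = {f"report{i}.txt": (f"Quarterly report {i}\n" * 20).encode()
                 for i in range(4)}
    paths = {name: os.path.join(root, name) for name in originals}
    for name, body in originals.items():
        guard.write(paths[name], body, now=0.0)            # ordinary user edits
    statuses = []
    for i, name in enumerate(originals):                   # simulated encryption pass
        statuses.append(guard.write(paths[name], CIPHERTEXT_LIKE, now=10.0 + 0.1 * i))
    intact = {}
    for name, body in originals.items():
        with open(paths[name], "rb") as f:
            intact[name] = f.read() == body
    shutil.rmtree(root)
    shutil.rmtree(guard.vault)
    restored = [e[1] for e in guard.events if e[0] == "restored"][0]
    return {"statuses": statuses, "quarantined": guard.quarantined,
            "restored": restored, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sequence the article describes: the first two encrypting writes go through (and are snapshotted first), the third completes the burst and triggers quarantine plus a rollback of all three files, and the fourth is refused, so every document ends up with its original contents. Two design points carry over to real deployments: the snapshot is taken only while the on-disk copy still looks like plaintext, so the vault never ends up holding ciphertext, and the detection is keyed to a rate of suspicious writes rather than a single one, so a user saving one compressed archive is not mistaken for an outbreak.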
These techniques focus on preventing malware from taking hold on users’ devices or networks, which is far more reliable than trying to clean up afterwards. As we’ve seen with the current generation of ransomware, attempting to remediate the damage after the infection has taken hold means that you’ve already lost the battle. By understanding emerging threats and implementing the latest prevention technologies, organisations can build a solid defensive security posture.
Only time will tell how the malware landscape will evolve over the rest of this year. Criminals are constantly introducing new types of malware, or refreshing existing malware with new tricks. But with the right preventative approach, organisations can ensure that they won’t fall for those tricks.