You just can't keep a piece of ransomware down, according to FireEye's new report. Released today, the report outlines ransomware's relentless forward march deeper into the world's computers.
Among the toplines is the seemingly inescapable conclusion that ransomware is once again up. In fact, the pesky species of malware achieved a remarkable upswing during the last half of 2015. Between October and November, the use of ransomware shot up by nearly 20 percent.
What's more, old favourites like Cryptolocker, Cryptowall, CTB Locker and Kryptovor, though all long recognised, still pose persistent threats to people and businesses alike.
Jens Monrad, systems engineer at FireEye, told SCMagazineUK.com, “We don't expect this to decrease in any way.” Perhaps part of the reason for not only this upswing but the infuriating and persistent rise in popularity that ransomware has enjoyed over recent years is mere capitulation.
Monrad thinks that one of the reasons is that “we are seeing victims exploring the path of actually paying the ransom”.
The main driver, added Monrad, “from a cyber-criminal perspective, is that this is an ecosystem that is working”.
In fact, one of the unfailing laws of capitalism applies here: the cheapest product to develop wins. It's “still a very attractive model for cyber-criminals”, Monrad believes, because it's cost effective. “It is one of the malware families with the shortest development lifecycle,” he said.
Quite simply, cyber-criminals “don't have to put that much effort in” to get large rewards.
On the face of it, ransomware is not too complex. Upon infection, it encrypts the user's files and charges the unlucky victim to decrypt them. The underlying architecture of such pieces of ransomware, though, tends to be very complex indeed and, as the report notes, ever-evolving.
Greg Day, CSO for EMEA at Palo Alto Networks, thinks a response will take a little more complexity. He told SC, “To change this dynamic, we have to move beyond the current attack or campaign to identifying and blocking the underlying architecture required to succeed. By detecting and blocking the underlying architecture, as well as the actual attack, it is possible to have more systemic impact.
“We see through experience that new campaigns and variants of ransomware can take as little as just a few minutes to create. Rebuilding the underlying architecture for compromise, communication and money transfer typically takes weeks and months.”
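The behaviour the article describes, a process rewriting many user files with encrypted content in quick succession, is one of the "actual attack" signals Day refers to. The following is an added example, not code from the article, FireEye or Palo Alto Networks: a toy endpoint-side detector that scores each written file's Shannon entropy and flags a process that produces a burst of high-entropy writes. The event shape (`FileWrite`), the thresholds and the sample telemetry are all constructed for illustration.

```python
"""Added example: burst-of-high-entropy-writes detector over constructed file events.
Not from the SC Magazine article, FireEye or Palo Alto Networks."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileWrite:
    """One file-write event as an endpoint agent might report it (constructed shape)."""
    ts: float       # seconds since an arbitrary epoch
    pid: int        # writing process
    path: str       # file rewritten
    content: bytes  # bytes written (only the constructed sample below is examined)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Plain text sits around 4-5; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Return the set of pids that rewrote at least `min_files` distinct files with
    high-entropy content inside any `window`-second span. A single such write is
    normal (a saved archive); many within seconds is the ransomware pattern."""
    high = defaultdict(list)
    for e in events:
        if shannon_entropy(e.content) >= entropy_threshold:
            high[e.pid].append((e.ts, e.path))
    flagged = set()
    for pid, writes in high.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            # distinct paths written by this pid within `window` seconds of write i
            paths = {p for t, p in writes[i:] if t - t0 <= window}
            if len(paths) >= min_files:
                flagged.add(pid)
                break
    return flagged


def _build_sample_events():
    """Constructed telemetry: a word processor, a backup tool, and a process
    behaving like the encryptor the report describes. Thresholds are illustrative."""
    rng = random.Random(7)

    def noise(n=4096):
        # deterministic pseudo-random bytes standing in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    # Benign: six low-entropy document saves.
    for i in range(6):
        events.append(FileWrite(100.0 + i, 1001, f"/home/u/report{i}.txt",
                                b"Quarterly figures are attached. " * 128))
    # Benign: one legitimately high-entropy write (a compressed backup).
    events.append(FileWrite(120.0, 2002, "/home/u/backup.zip", noise()))
    # Suspicious: eight distinct files rewritten with ciphertext-like bytes in 4 s.
    for i in range(8):
        events.append(FileWrite(200.0 + i * 0.5, 4242,
                                f"/home/u/photos/{i}.jpg.locked", noise()))
    return events


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    print("flagged pids:", detect_mass_encryption(SAMPLE_EVENTS))  # {4242}
```

Entropy alone would flag every archive or image save, and rate alone would flag a build tool; combining the two, per process and over a short window, is what separates the encryptor from ordinary software, and it is independent of which variant or campaign produced it.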
FireEye's report, which has been published every six months since 2014, draws on FireEye's Dynamic Threat Intelligence Cloud, a network of FireEye products that gathers masses of data from FireEye customers. Among its pages are a number of other noteworthy findings.
While the UK dropped from first place to number six in FireEye's list of most targeted countries, this probably says more about the rising tensions in the countries further up the list.
In fact, the UK retained its proportion of advanced threats, nine percent, but was eclipsed by the geopolitically tumultuous landscape of Turkey, which suffered 27 percent of advanced threats.
In fact, the number of attacks targeting Turkey all but eclipsed every other country. In terms of exposure to advanced threats, Turkey was targeted twice as often as its second-place rival, Kuwait.
What we see in the real world “seems to be mirrored in the cyber-world,” Yogi Chandiramani, senior SE director for FireEye in EMEA, told SC, elaborating on how the kinetic world's conflicts are often played out in the cyber-realm.
In fact, Chandiramani added, governments being targeted seems to be becoming “almost a norm”.
Alongside changes in the markets over the last half of 2015, the financial sector saw a large increase in advanced targeted attacks. The report notes, “We have observed a surge in the number of unique detections for the financial services industry, suggesting that cyber criminals view the region as ripe for their nefarious activities.”
The number of detected advanced targeted threats tripled in the second half of the year, compared to the first. FireEye's report speculates that such a large rise may have resulted from threat actors gaining “access to confidential information for financial gain or to understand changes happening with the European financial situation”.
Monrad told SC that while cyber-criminals may be launching advanced threats to “hijack large transfers of money and funds”, financial institutions “also hold a rich set of information regarding mergers and acquisitions” which could potentially be used as information for insider trading.