There are few worse ways to start the new year than scrambling to recover urgently needed files encrypted by ransomware. Unfortunately, the chances of that happening in your organization only seems to be growing. What’s more, although ransomware infections are arguably the most publicized, they’re not the only types of malware poised to pounce in the Year of the Rooster.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles” – Sun Tzu
In this post, we help you prepare for this year’s wave of malware attacks by identifying which types of malware are most likely to hit your organization.
Easily the most disruptive, and publicized malware of 2017, ransomware is positioned to become a much bigger threat. Ransomware cyber crooks raked in no less than $1 billion last year. The amount of profit that can potentially be earned from this type of malware is enough to attract even more cyber criminals.
A ransomware attack is typically characterized by files or entire systems being held captive, usually through encryption, and freed only after victims pay up, usually through Bitcoin. While most victims are individuals, there were many instances when infections managed to spread throughout an organization and crippled entire networks, like in the case of the Hollywood Presbyterian Medical Center and San Francisco’s Municipal Transport Agency (a.k.a. Muni).
It’s easy to see why launching ransomware attacks is a lucrative business model. A large number (if not most) of victims are willing to pay.
If it weren’t ransomware up there in number 1, it would most likely have been IoT botnets. Last year, we witnessed some of the largest DDoS attacks of all time. Some of these record-breaking attacks were launched not through typical zombie computers, but rather, through botnets of IoT (Internet of Things) devices.
Many of these attacks were carried out by a single botnet known as Mirai. Unfortunately, the source code of the Mirai malware was shared to the hacking community, setting into motion separate initiatives for the development of Mirai-like offspring. As more cyber gangs gain access to the code, the likelihood of new and improved versions of the malware is likely.
IoT adoption has started to go mainstream. If Gartner’s predictions were accurate, 43% of organizations ended up implementing IoT technology by the end of 2016. With even more companies planning to use IoT and several IoT vulnerabilities still waiting to be plugged, criminals are going to have a massive source of vulnerable devices at their disposal.
Extra cautious exploit kits
When the Stegano Exploit Kit was exposed last December, a lot of the attention was focused on how it used steganography to avoid detection. Although steganography certainly contributed to its avoidance capabilities, there was an even craftier mechanism working behind the scenes.
Before Stegano EK would proceed with each attack, it would first verify whether any monitoring or security product was present. If it found one, it would promptly retreat. It did this twice, in fact. First, before redirecting the browser to the exploit kit’s landing page, and secondly, before dropping the payload. This, as much as its use of steganography, allowed Stegano to avoid detection for so long.
By being extra cautious and extra selective of its targets, exploit kits like Stegano might not be able to infect as quickly as others, but it does enable them to remain in existence much longer. As is often said, the biggest malware infections are most likely the ones that have yet to be uncovered.
Android continues to dominate the mobile market, as well as the mobile malware market. The Android platform has long been plagued with vulnerabilities. Google released a massive security update that aimed to address 108 vulnerabilities in Android. Security researchers discovered what is now known as the Switcher Trojan, malware that infects Android devices and uses them to attack routers, altering the router’s DNS settings and rerouting DNS queries to attacker-controlled networks.
Smartphones contain mountains of confidential information, including passwords, credit card data, and a large collection of personal details. In many cases, particularly in BYOD environments, smartphones even contain company-owned data. The amount of valuable information that can be stolen from smartphones makes them a prime target for identity thieves and cyber criminals of all stripes.
Malware distributed through malvertising
The types of malware dropped through malvertising campaigns can vary substantially. Some drop spyware, some keyloggers, others ransomware, etc.
Malvertising often infects through drive-by downloads. This method of infection doesn’t require any deliberate action from the victim, making it particularly dangerous. The victim doesn’t have to click, download, or install anything. As soon as the victim lands on a web page serving a malicious or compromised ad, the victim will be automatically redirected to a malicious server.
That server can then download an exploit kit that will, in turn scan for vulnerabilities and subsequently drop the payload. All this happens in the background, without any hint to the user of it taking place. The level of obscurity achieved by drive-by downloads makes malvertising a very compelling means of attack.
In addition, some cyber crooks manage to hijack ad networks, enabling them to display their malvertising on multiple legitimate, high-traffic websites. In this way, even those individuals who take care to avoid sketchy websites can still be victimized.
Not so long ago, banking trojans and botnets towered over the malware landscape. The first piece of malware that comes to mind is Zeus/Zbot, a trojan that became the foundation of what has now evolved into the Zeus malware family. This trojan primarily stole banking information through man-in-the-browser keystroke logging and form grabbing.
Malware developers built on top of Zbot to create even more sophisticated malware. One of Zbot’s offsprings is Gameover Zeus, a notorious botnet that infected over a million users around the globe. It stole login credentials and credit card data, which were later used to carry out banking fraud. Other descendants of Zbot include SpyEye, Ice IX, Citadel, Carberp, Bugat, and many others. Banks won’t be going away anytime soon, and while they’re here, they’ll always be a prime target for cyber criminals.
Point of Sale (POS) malware
Closely related to banking malware, in the sense that it also steals credit card and debit card information, POS or Point of Sale malware targets POS terminals. POS devices are simply specialized types of computers and actually run on operating systems like Windows, Unix, or Linux, making them just as vulnerable to malware as a traditional computer.
These terminals often process hundreds or thousands of transactions per day and thus store a ton of payment card data. Much of this data finds its way to hacking forums where it can be bought for identity or credit card fraud.
POS malware has become more popular than manual methods like skimming, which requires the installation of a device on the POS terminal. Skimming is time-consuming, and riskier for criminals since they have to be physically present in order to install the device.
Some of the more notable companies that were attacked in 2016 through some kind of POS malware include Wendy’s, Cici’s Pizza, and Rosen Hotels and Resorts. Of course, the most highly publicized attack involving POS malware happened a couple of years ago; the infamous Target data breach involved millions of credit and debit cards.
Like banks, credit cards aren’t going away. While e-commerce and online shopping is on the rise, most credit card transactions still happen in grocery stores, restaurants, and other brick-and-mortar establishments. As such, POS malware will continue to thrive