At the end of 2015, we predicted that 2016 would be the Year of Online Extortion. In only six months, January to June of this year, we saw how cybercriminals were able to ramp up their extortion efforts, using ransomware to target companies including medium to large enterprises.
Ransomware dominates the threat landscape
Ransomware continues to grow as a prevalent threat . The number of new ransomware families we saw in the first half of 2016 alone has already eclipsed the total 2015 volume by 172%. With ransomware attacks becoming more and more sophisticated and prevalent, we believe that the threat will potentially cause more damage going into the second half of the year.
Monthly number of Ransomware families added
New ransomware families we detected exhibited both new propagation and extortion techniques. JIGSAW deletes encrypted files whenever victims fail to pay the ransom on the given deadline. Similarly, SURPRISE increases the ransom every time victims miss a deadline.
Our findings also revealed how some ransomware families were designed to target specific business-related files. SURPRISE and POWERWARE, for example, encrypt tax return files.
Organizations can lessen the risk of ransomware infections through virtual patching, and investing in multilayered security solutions and tools that leverage file, web, and email reputation. They should also educate their employees about the threat as well as the proper handling of suspicious emails and documents.
BEC scams spread globally, top positions targeted
Business email compromise (BEC) schemes are another form of online extortion that is a major threat to businesses. These scams rely on deception and simple human error rather than sophisticated malware. Cybercriminals directly send socially-engineered emails to top-ranking employees in their target organizations. They imitate legitimate email contacts—normally key officials— to trick their victims into sending money to their accounts. According to the FBI, BEC scams caused more than US$3 billion in losses to more than 22,000 victims from the US, the UK, Hong Kong, Japan, and Brazil.
Analysis of our data also shows the prevalence of BEC campaigns in over 90 countries (see map below).
Countries affected by BEC
Countries with the most number of organizations affected by BEC
Businesses can protect against BEC scams by securing email—the most common BEC attack vector—with multilayered security solutions capable of blocking suspicious email before they reach endpoints. To further reduce BEC-related risks, organizations can invest in employee awareness and training. Employees need to know about safe practices and proper procedures when handling messages related to financial transactions.
Exploit kits take on new vulnerabilities and ransomware families
Exploit kits continued to make headlines during the first half of 2016. Angler, arguably the most popular kit around, experienced a drop in its detection numbers during the second quarter. A likely cause for this was the arrest of 50 cybercriminals in the UK and Russia, which may have included some of Angler’s operators. Despite this decrease, Angler continued to be the most active in incorporating newfound vulnerabilities in Adobe Flash, Microsoft Internet Explorer®, and Microsoft Silverlight®.
The decline in Angler’s activity made room for other exploit kits, such as Neutrino, Magnitude, and Sundown. During the same period, we saw how exploit kits were used to deliver ransomware. Exploit kits Hunter and Sundown, for example, began delivering ransomware this year, while Rig changed the type of ransomware it delivered.
Ransomware families delivered by exploit kits
Angler Exploit Kit
Neutrino Exploit Kit
Magnitude Exploit Kit
Rig Exploit Kit
Nuclear Exploit Kit
Sundown Exploit Kit
Hunter Exploit Kit
Fiesta Exploit Kit
Below each ransomware variant are the years they were actively delivered by exploit kits
Regularly patching and updating software is crucial in securing systems against exploit kits. Relying on timely patching alone, however, is not enough as it takes time for official patches to be rolled out and applied. In the interim, virtual patching can become an effective solution.
Threat Landscape
During the first half of 2016, the Trend Micro Smart Protection Network™ was able to block 29 billion threats. Meanwhile, our acquisition of TippingPoint’s Zero-Day Initiative also revealed the presence of 473 vulnerabilities on a variety of products such as Adobe Flash® and Advantech’s WebAccess.
Total number of threats blocked in 1H 2016
The number of threats we blocked in the first half of this year is already more than half of the total number of blocked threats in 2015. This threat count increase can be attributed to the rising number of ransomware attacks.
Overall threats blocked by the Trend Micro Smart Protection Network per year
Other notable threat trends we saw in the first half of the year include the rising number of vulnerabilities found in Adobe Flash Player and other IoT platforms, advancements in PoS malware, and a spate of high-profile data breaches. You can read about these items in greater detail, including our suggested defense strategies for each threat trend, in our full 2016 midyear roundup report, The Reign of Ransomware.