
Businesses face spike in ransomware attacks, reports McAfee Labs

Researchers at McAfee Labs say a spike in ransomware in the first quarter of 2015 was driven largely by the hard-to-detect CTB-Locker and Teslacrypt families

Businesses face a substantial increase in the number of ransomware attacks, according to the latest McAfee Labs Report released by Intel Security.

In the first quarter of 2015, McAfee Labs saw a 165% increase from the previous quarter in new ransomware. The malware typically encrypts company data and demands payment for the decryption key.

Researchers said the spike was driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor. 

McAfee Labs attributes CTB-Locker’s success to clever techniques for evading security software, higher-quality phishing emails and an “affiliate” programme that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages.

McAfee Labs suggests organisations and individuals make it a priority to learn how to recognise phishing emails, including the use of tools such as the Intel Security Phishing Quiz.

In the first quarter of 2015, Adobe Flash malware samples increased by 317%. The researchers attributed the spike in exploits to the popularity of Adobe Flash as a technology; user delay in applying available Adobe Flash patches; new methods to exploit product vulnerabilities; a steep increase in the number of mobile devices that can play Adobe Flash files; and the difficulty of detecting some Adobe Flash exploits.

Industry cleaves to counter threat

Researchers are seeing a continued shift in focus among exploit kit developers, from Java archive and Microsoft Silverlight vulnerabilities to Adobe Flash vulnerabilities.

In the first three months of 2015, 42 new Adobe Flash vulnerabilities were submitted to the US National Vulnerability Database. Adobe made initial fixes available for all of them on the day they were posted.


“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues threatening millions of users,” said Vincent Weafer, senior vice-president of McAfee Labs.

“This research nicely illustrates how the technology industry works together constructively to gain an advantage in the realm of cyber security – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues.”

To get the full benefit of software supplier efforts to address vulnerabilities, McAfee Labs is urging organisations and individual users to be more diligent in keeping their products updated with the latest security patches.

Malware reprogrammes SSDs and HDDs to evade detection

The McAfee Labs report reveals that the reprogramming modules in malware used by the Equation Group, which were discovered in February 2015, can reprogram the firmware in solid state drives (SSDs) as well as in hard disk drives (HDDs), the capability reported previously.

Once reprogrammed, the HDD and SSD firmware can reload associated malware each time infected systems boot, and the malware persists even if the drives are reformatted or the operating system is re-installed. Once a drive is infected, security software cannot detect the associated malware stored in a hidden area of the drive, researchers said.

“We at Intel take hybrid software-hardware threats and exploits seriously,” said Weafer. “We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind. 

“While such malware has historically been deployed for highly targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future.”

McAfee Labs advises that organisations take steps to strengthen threat detection at the point of initial attack, such as phishing messages with malicious links and malware-infected USB drives and CDs. McAfee Labs said organisations should also consider security systems that can help prevent data exfiltration.

Other 2015 security developments

The report identified several other developments in the first quarter of 2015:

  • PC malware growth

The first quarter saw a slight decline in new PC malware, which researchers attribute mainly to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware database grew 13% during that time, and now contains 400 million samples.

  • Mobile malware

The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015.

  • Secure sockets layer (SSL) attacks

SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. Researchers said this reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters. Shellshock attacks are still quite prevalent since their emergence late in 2014.

  • Spam botnets

The Dyre, Dridex, and Darkmailer3.Slenfbot botnets overtook Festi and Darkmailer2 as the top spam networks. Their main areas of involvement included pharmaceuticals, stolen credit cards and “shady” social-media marketing tools, the McAfee Labs report said.
