
Business unprepared for future ransomware, says Cisco report

Next wave of ransomware expected to be more pervasive, resilient and capable of spreading quickly and effectively throughout networks by capitalising on vulnerabilities

Businesses are unprepared for future strains of more sophisticated ransomware, according to the Cisco 2016 Midyear Cybersecurity Report.

Fragile infrastructure, poor network hygiene and slow detection rates are providing ample time and air cover for adversaries to operate, the report said.

The struggle to constrain the operational space of attackers is the biggest challenge for businesses, the report said, and threatens the underlying foundation required for digital transformation.

Other key findings in the report include that adversaries are expanding their focus to server-side attacks, evolving attack methods and increasingly using encryption to mask malicious activity.

So far in 2016, ransomware has become the most profitable malware type in history. Cisco expects to see this trend continue with even more destructive ransomware that can spread by itself and hold entire networks, and therefore companies, hostage.

Researchers expect new modular strains of ransomware to be able to switch tactics quickly to maximise efficiency. For example, future ransomware attacks are expected to evade detection by being able to limit CPU usage and refrain from command-and-control actions.

These new ransomware strains will also spread more quickly and self-replicate within organisations before co-ordinating ransom activities, the report said.

Not enough budget

Commenting on the report, David Navin, corporate security specialist at Smoothwall, said large companies often do not allocate enough budget to security without realising the true impact on the business.

“Instead, we are seeing more and more businesses left vulnerable after acting on this too late,” he said. “Thanks to where the purse strings lie, a company’s security and IT department need to hit home with its board and CFO, ensuring they are educated to the risks and understand the importance of having strong security measures in place.”

The Cisco report coincides with the launch of a joint initiative by the Dutch National Police, Europol, Intel Security and Kaspersky Lab to fight ransomware.

No More Ransom is an online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransom to cyber criminals.

Ransomware is a top threat for EU law enforcement, with almost two-thirds of EU member states conducting investigations into this form of malware attack. While the target is often individual users’ devices, corporate and even government networks are affected.

Visibility across the network and endpoints remains a primary challenge, the report said, in light of the fact that organisations take up to 200 days on average to identify new threats.

Reducing time to detection

For this reason, Cisco has focused on reducing the median time to detection, and claims to have achieved a new low of around 13 hours to detect previously unknown compromises in the six months ending in April 2016, down from 17.5 hours in the previous six months.

Faster time to detection of threats is critical to constrain attackers’ operational space and minimise damage from intrusions, according to Cisco.

As attackers innovate, researchers said many defenders continue to struggle to maintain the security of their devices and systems. Unsupported and unpatched systems create additional opportunities for attackers to easily gain access, remain undetected and maximise damage and profits, they said.

The report shows this challenge is global, with all vertical markets and regions targeted and organisations in critical industries such as healthcare experiencing the most significant uptick in attacks in recent months.

Clubs and organisations, charities, non-governmental organisations (NGOs) and electronics businesses have all experienced an increase in attacks in the first half of 2016, the report shows.

Geopolitical concerns

On the world stage, geopolitical concerns include regulatory complexity and contradictory cyber security policies by country. The need to control or access data may limit and conflict with international commerce in a sophisticated threat landscape, the report said.  

For attackers, however, more time to operate undetected results in more profits. In the first half of 2016, attacker profits have skyrocketed, Cisco reports.

Attackers are broadening their focus from client-side to server-side exploits, avoiding detection and maximising potential damage and profits, the report said, with Adobe Flash vulnerabilities continuing to be one of the top targets for malvertising and exploit kits. In the popular Nuclear exploit kit, Flash accounted for 80% of successful exploit attempts.

Cisco also saw a new trend in ransomware attacks exploiting server vulnerabilities – specifically within JBoss servers – of which 10% of internet-connected JBoss servers worldwide were found to be compromised. Many of the JBoss vulnerabilities used to compromise these systems were identified five years ago, which means basic patching and supplier updates could have easily prevented such attacks, the report said.

In the first half of 2016, adversaries continued to evolve their attack methods to capitalise on defenders’ lack of visibility, the report said, with Windows Binary exploits displacing social engineering attacks through Facebook scams to become the top web attack method for attackers to gain a foothold into network infrastructures and make attacks harder to identify and remove.


Contributing to defenders’ visibility challenges, adversaries are increasing their use of encryption as a method of masking various components of their operations, the report said. Researchers saw an increased use of cryptocurrency, transport layer security (TLS) and Tor, which enables anonymous communication across the web.

HTTPS-encrypted malware used in malvertising campaigns increased by 300% from December 2015 to March 2016. Encrypted malware further enables adversaries to conceal their web activity and expand their time to operate, the report said.

In the face of sophisticated attacks, limited resources and ageing infrastructure, the report said defenders are struggling to keep pace with their adversaries, and research data suggests defenders are less likely to address adequate network hygiene, such as patching, the more critical the technology is to business operations.

Known vulnerabilities

Cisco also found that much of organisations' infrastructure was unsupported or operating with known vulnerabilities. This problem is systemic across suppliers and endpoints. Cisco researchers examined 103,121 Cisco devices connected to the internet and found that each device was running, on average, 28 known vulnerabilities; devices had been running known vulnerabilities for an average of 5.64 years; and more than 9% had known vulnerabilities older than 10 years.

Cisco also looked across software infrastructure at a sample of over 3 million installations. Most were Apache and OpenSSH with an average number of 16 known vulnerabilities, running for an average of 5.05 years.

Browser updates are the lightest-weight updates for endpoints, while enterprise applications and server-side infrastructure are harder to update and can cause business continuity problems. In effect, this means the more critical an application is to business operations, the less likely it is to be addressed frequently, creating gaps and opportunities for attackers.
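The fleet-level figures quoted above (known vulnerabilities per device, how long devices have been running them, and the share with exposures older than ten years) are straightforward to compute from an asset inventory that records which disclosed weaknesses each device is still exposed to. The script below is an added example, not Cisco's or Talos's own tooling, and the page does not describe how the report's numbers were derived; the inventory, hostnames and vulnerability labels (VULN-A and so on) are constructed placeholders, and the ordering helper for patch priority is my own addition.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class KnownVuln:
    # vuln_id is a constructed placeholder label, not a real CVE number.
    vuln_id: str
    disclosed: date  # public disclosure date of the weakness


@dataclass(frozen=True)
class Device:
    hostname: str
    vulns: tuple  # KnownVuln entries the device is still exposed to


def vuln_age_years(vuln: KnownVuln, as_of: date) -> float:
    """Years elapsed since public disclosure, as of the assessment date."""
    return (as_of - vuln.disclosed).days / 365.25


def exposure_metrics(devices, as_of, stale_after_years=10.0):
    """Compute the three fleet-level figures the report quotes:
    mean known vulnerabilities per device, mean age (years) of the
    vulnerabilities devices are still running, and the share of devices
    carrying at least one vulnerability older than `stale_after_years`."""
    if not devices:
        raise ValueError("empty inventory")
    counts = [len(d.vulns) for d in devices]
    ages = [vuln_age_years(v, as_of) for d in devices for v in d.vulns]
    stale_devices = sum(
        1 for d in devices
        if any(vuln_age_years(v, as_of) > stale_after_years for v in d.vulns)
    )
    return {
        "mean_vulns_per_device": mean(counts),
        "mean_vuln_age_years": mean(ages) if ages else 0.0,
        "share_with_stale_vulns": stale_devices / len(devices),
    }


def patch_priority(devices, as_of):
    """Order exposed devices by the age of their oldest unpatched
    vulnerability, oldest first, so the longest-standing exposures
    are addressed before newer ones."""
    exposed = [d for d in devices if d.vulns]
    return sorted(
        exposed,
        key=lambda d: max(vuln_age_years(v, as_of) for v in d.vulns),
        reverse=True,
    )


# Constructed sample inventory: four devices, assessed as of 30 April 2016.
AS_OF = date(2016, 4, 30)
INVENTORY = (
    Device("edge-01", (KnownVuln("VULN-A", date(2005, 1, 1)),
                       KnownVuln("VULN-B", date(2014, 6, 1)))),
    Device("edge-02", (KnownVuln("VULN-C", date(2012, 3, 15)),)),
    Device("core-01", (KnownVuln("VULN-D", date(2015, 11, 20)),
                       KnownVuln("VULN-E", date(2010, 2, 10)))),
    Device("lab-01", ()),
)

if __name__ == "__main__":
    metrics = exposure_metrics(INVENTORY, AS_OF)
    for name, value in metrics.items():
        print(f"{name}: {value:.2f}")
    print("patch order:", [d.hostname for d in patch_priority(INVENTORY, AS_OF)])
```

Run against a real inventory, the "share with stale vulnerabilities" figure is the one to watch: a device that has carried a ten-year-old weakness through several hardware refresh cycles is usually one the business considers too critical to touch, which is exactly the pattern the report describes.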

Cisco’s Talos researchers have observed that organisations that take just a few simple yet significant steps can greatly enhance the security of their operations, including:

  • Improving network hygiene by monitoring the network; deploying patches and upgrades on time; segmenting the network; implementing defences at the edge, including email and web security, next-generation firewalls and next-generation IPS.
  • Integrating defences by using an architectural approach to security versus deploying niche products.
  • Measuring time to detection and insisting on fastest time available to uncover threats, then mitigate against them immediately.
  • Protecting users wherever they work, not just the systems they interact with and when they are on the corporate network.
  • Backing up critical data and routinely testing the effectiveness of those backups, while confirming that the backups are not susceptible to compromise.
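"Measuring time to detection" only means something if the metric is defined consistently and computed over every incident, not just the quick wins. The following is an added example of that measurement, not Cisco's methodology (the page does not say how Cisco derives its 13-hour median). It assumes each incident record carries the earliest evidence of compromise found during the investigation and the time at which the compromise was detected; the incident records are constructed, and the half-year grouping is my own choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    incident_id: str          # constructed label
    first_activity: datetime  # earliest evidence of the compromise found in the investigation
    detected: datetime        # when the alert fired or an analyst confirmed the compromise


def time_to_detection_hours(inc: Incident) -> float:
    """Hours between earliest malicious activity and detection.
    A detection timestamp earlier than the activity it detected is a data
    error (clock skew or a mis-scoped investigation), not a negative TTD."""
    delta = inc.detected - inc.first_activity
    if delta < timedelta(0):
        raise ValueError(f"{inc.incident_id}: detected before first activity")
    return delta.total_seconds() / 3600.0


def half_year(ts: datetime) -> str:
    """Label a timestamp with its calendar half-year, e.g. '2015-H2'."""
    return f"{ts.year}-H{1 if ts.month <= 6 else 2}"


def ttd_by_period(incidents):
    """Median and mean TTD in hours per half-year, keyed on detection date.
    The median is reported alongside the mean because one long-undetected
    intrusion drags the mean up without saying anything about typical cases."""
    buckets = {}
    for inc in incidents:
        buckets.setdefault(half_year(inc.detected), []).append(time_to_detection_hours(inc))
    return {
        period: {"median_hours": median(v), "mean_hours": mean(v), "incidents": len(v)}
        for period, v in sorted(buckets.items())
    }


# Constructed incident records spanning two half-years.
INCIDENTS = (
    Incident("INC-1", datetime(2015, 3, 1, 8, 0), datetime(2015, 3, 1, 20, 0)),
    Incident("INC-2", datetime(2015, 4, 10, 0, 0), datetime(2015, 4, 11, 2, 0)),
    Incident("INC-3", datetime(2015, 6, 3, 10, 0), datetime(2015, 6, 3, 18, 0)),
    Incident("INC-4", datetime(2015, 8, 1, 9, 0), datetime(2015, 8, 1, 15, 0)),
    Incident("INC-5", datetime(2015, 10, 14, 1, 0), datetime(2015, 10, 14, 5, 30)),
    Incident("INC-6", datetime(2015, 11, 20, 22, 0), datetime(2015, 11, 21, 8, 0)),
    Incident("INC-7", datetime(2015, 12, 2, 12, 0), datetime(2015, 12, 2, 19, 0)),
)

# Constructed record with inconsistent timestamps, used to show the data-error check.
BAD_INCIDENT = Incident("INC-BAD", datetime(2015, 12, 5, 12, 0), datetime(2015, 12, 5, 11, 0))

if __name__ == "__main__":
    for period, stats in ttd_by_period(INCIDENTS).items():
        print(f"{period}: median {stats['median_hours']:.1f} h, "
              f"mean {stats['mean_hours']:.1f} h over {stats['incidents']} incidents")
```

The period-over-period comparison is what turns the number into a programme: if the median is not falling, the detection investment is not working, whatever the mean says. Rejecting records whose detection precedes the activity keeps a single badly-scoped case from silently improving the figure.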

“As organisations capitalise on new business models presented by digital transformation, security is the critical foundation,” said Marty Roesch, vice-president and chief architect of the security business group at Cisco.

“Attackers are going undetected and expanding their time to operate. To close the attackers’ windows of opportunity, organisations will require more visibility into their networks and must improve activities, such as patching and retiring ageing infrastructure lacking in advanced security capabilities.”
