Lately, the security threat landscape has been undergoing some changes. No, we’re not talking about new types of malware spreading and ravaging end-users’ computers. We’re talking about a “shift in focus” in cybercriminal activity, influenced heavily by the latest trends in online payments.
If a few years ago the popular way to make money with malware was creating FakeAVs (and deceiving people into downloading them), now the bad guys are focusing on ransomware. There are two main reasons for this shift in focus:
- Digital currencies are getting more popular and easier to acquire (surely, you’ve witnessed the Bitcoin craze). This enables an increase in e-money payments. With e-money, the bad guys no longer need money mules to convert or “clean up” the “dirty money” obtained from ransomware scams.
- The dark side of the web is getting more organized and specialized. Think of it as the “industrialization of the malware industry”: instead of a single person or team doing everything themselves, there are now different groups focusing solely on certain aspects (botnets, infection, crypto, payment collection). Malware forums and online black markets provide the bad guys with the tools they need to develop ransomware, including widely available ‘Do It Yourself’ kits that let you build your own ransomware ‘factory’. An example of such a ransomware kit is Power Locker, also known as Prison Locker.
As Bogdan Botezatu, Senior E-threat Analyst at Bitdefender, points out:
“Things are getting worse, and we’re seeing more of these ransomware infections. Ransomware is highly polymorphic and cyber-criminals often modify it in an attempt to evade detection.”
Now, let’s take a closer look at recent ransomware developments in both PC and mobile areas, to see what consequences they may have in the future.
PC security threats: Ransomware taking the lead
The security threat landscape targeting PC users is made up of two major threat categories:
- Financial threats include the ‘malicious tools’ that do the actual job of stealing money or tricking users into handing over money or financial information: banking malware like Dyreza (we’ll call them “bankers” from here on), phishing scams and ransomware baddies like Curve-Tor-Bitcoin (CTB) Locker and Cryptowall.
- Malicious services are the means that enable the above tools to take effect. Here we can include: downloaders (Upatre, Dalexis), anonymizers (Pushdo, Ursnif), proxies, hosting and hosting setup services, and exploit kits.
Compared to the previous quarter, the first category saw the greatest change in the past quarter: while financial threats increased in overall numbers, ransomware well exceeded bankers.
Although the ransomware trend is nothing new, it reached an all-time high in February, as shown in the graph above, and it continues to lead the pack.
The malware services category, on the other hand, is constantly buzzing with activity, which makes it hard to identify and point out specific trends. Still, the current state of malware services can be summarized as follows:
- Cybercriminals can find on the dark web, and buy at a certain price, a lot of the tools they need to start their own malware campaign. The transactions are usually made using Ukash, Bitcoin, Webmoney or other currencies that are hard to trace.
- Upatre and Dalexis are the main downloaders on the black market today. They can fetch any type of malware onto the victim’s computer, from password stealers to bankers and ransomware. As for the anonymizers, these can hide the back-end servers of a great number of malware families.
- The most common ways to deploy malware are email spam and phishing campaigns, malvertising and drive-by downloads. What’s interesting is that many of these deployment methods do not exploit vulnerabilities at all, but rely on good old social engineering.
Mobile security threats: Ransomware coming to mobile
Looking at the current mobile threat landscape, ransomware is increasingly visible in this space as well, coming to a close tie with fake antivirus apps (FakeAVs) designed for mobile devices. The graph below shows trends for Android ransomware and fake AVs seen on Android devices. Noteworthy is that Android remains the most targeted mobile platform due to its wide spread, its flexible software distribution platform with more than 1.5 million available apps, and its open architecture.
As if to reinforce the trends observed above, a few days ago thousands of Android users from English-speaking countries were hit by Android ransomware. Bitdefender researchers detected 15,000 spam emails over a three-day span distributing a fake Adobe Flash Player update, which was, in fact, ransomware. The ransomware variant, identified as Android.Trojan.SLocker.DZ, asked users to pay $500 in order to “unlock” the infected device. The fee could even triple if the user tried to brute-force the unlock code.
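The deployment methods listed earlier (spam and phishing rather than exploits) and the fake “Flash Player update” lure above share one defender-side lesson: the lure is visible in the message itself before any code runs. The script below is an added example, not Bitdefender’s detection logic or anything from the campaign, showing how a mail-gateway check could flag such messages. The sample emails, sender domains and URLs are constructed for illustration (the `.example` hosts are placeholders), and the rules are deliberately simple: a Flash Player update lure from a non-Adobe sender, an attached Android package, or a link that either ends in `.apk` or points a lure message at a non-Adobe host.

```python
"""Toy mail-gateway check for the 'Flash Player update' ransomware lure.

Added example with constructed sample data; not the page's or Bitdefender's code.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


# Lure wording: "Flash Player ... update" or "update ... Flash Player", case-insensitive.
LURE_RE = re.compile(
    r"(adobe\s+)?flash\s+player.*(update|upgrade)|(update|upgrade).*flash\s+player",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_adobe_host(host: str) -> bool:
    """True only for adobe.com and its subdomains (assumption: the vendor's real domain)."""
    host = host.lower()
    return host == "adobe.com" or host.endswith(".adobe.com")


def assess(msg: Email) -> List[str]:
    """Return the list of reasons a message looks like the fake-update lure (empty = clean)."""
    reasons: List[str] = []
    lure = bool(LURE_RE.search(msg.subject) or LURE_RE.search(msg.body))
    sender_host = msg.sender.rsplit("@", 1)[-1].lower()

    # 1. Update lure, but the sender is not the vendor it claims to be.
    if lure and not is_adobe_host(sender_host):
        reasons.append(f"flash-player update lure from non-Adobe sender {sender_host}")

    # 2. An Android package arriving by email is never a legitimate vendor update.
    apks = [a for a in msg.attachments if a.lower().endswith(".apk")]
    if apks:
        reasons.append("android package attached: " + ", ".join(apks))

    # 3. Links: a direct .apk download, or a lure message linking off-vendor.
    for url in URL_RE.findall(msg.body):
        parsed = urlparse(url)
        if parsed.path.lower().endswith(".apk") or (lure and not is_adobe_host(parsed.hostname or "")):
            reasons.append(f"suspicious link {url}")
    return reasons


# Constructed samples: one lure, one legitimate vendor mail, one unrelated mail.
SAMPLES = [
    Email(
        "updates@flashplayer-update.example",
        "Your Adobe Flash Player needs an update",
        "Install the latest Flash Player: http://flashplayer-update.example/AdobeFlashPlayer.apk",
    ),
    Email(
        "noreply@adobe.com",
        "Adobe Flash Player update",
        "Release notes: https://helpx.adobe.com/flash-player.html",
    ),
    Email("friend@example.org", "Lunch?", "Menu: http://example.org/menu.html", ["menu.pdf"]),
]


def scan(samples: List[Email]) -> dict:
    """Map each subject to its list of reasons, for a quick report."""
    return {s.subject: assess(s) for s in samples}


if __name__ == "__main__":
    for subject, reasons in scan(SAMPLES).items():
        print(f"{subject!r}: {'FLAG ' + '; '.join(reasons) if reasons else 'ok'}")
```

In a real gateway these rules would sit beside reputation and attachment scanning; the point here is that the social-engineering hook the page describes (a vendor update that arrives as an Android package from an unrelated domain) is detectable from headers and text alone.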
Ransomware vs. IoT Security
The worrying aspect of this mobile ransomware evolution is the impact it can have on IoT security. Given its scope and its several connectivity levels (application, endpoint, network, cloud), the Internet of Things (IoT), if not secured at each of these levels, could provide ransomware developers with a wide range of attack vectors and vulnerabilities they can leverage to propagate malware. Ransomware can then become life-threatening, which makes it the biggest threat ever to hit PC and mobile users.
Stay tuned for more updates on the cyber security threat landscape and developments in security technologies.