Cybercriminals Generate Ransomware Profits of $25 Million in 2 Years

A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why cryptoransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase.

Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand.

Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track and companies are reluctant to announce attacks and whether payment has been made.

Two notable exceptions: the South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted, and the firm paid 1.2 billion won – approximately $1 million – for the keys to unlock the encryption. More recently, a Canadian company reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown.

Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering has shed some light on actual ransomware profits. The study involved an analysis using blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.

The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e.

Google has calculated that Locky earned $7.8 million in ransom payments over the past 24 months – 28% of the total payments made. Cerber is in second place with $6.9 million, followed by CryptoLocker on $2 million and CryptXXX and SamSam, both on $1.9 million. Spora ransomware did not make it into the top five, but Google researchers warn that it is an up-and-coming variant and one to watch over the coming months.

In recent months Cerber ransomware has become the most widely used ransomware variant. The success of Cerber can be attributed to the developers’ skill at building a variant that evades detection, and to the affiliate model used to distribute it – Ransomware-as-a-Service (RaaS).

RaaS means any number of individuals can conduct ransomware campaigns. Kits are offered to anyone willing to conduct campaigns. Little technical skill is required. All that is required is a lack of moral fiber and the ability to send spam emails distributing the ransomware. Affiliates receive a percentage of the ransomware profits.

WannaCry ransomware certainly caused something of a storm when the worldwide attacks were conducted in May, and while there were more than 200,000 victims worldwide and some 300,000 computers affected, a flaw in the design meant the attacks could be halted and relatively few ransom payments were made. The ransomware profits from these attacks were calculated by Google to be around $100,000.

Ransomware profits from NotPetya were low, although making money was never the aim. NotPetya appeared to be ransomware, but it was actually a wiper. A ransom demand was issued, but it was not possible to recover data on infected machines. Once this became clear, ransoms were not paid.

The success of Locky, Cerber and CryptXXX is due to the skill of the developers at evading detection. These ransomware variants are constantly evolving to stay one step ahead of security researchers. In the case of Cerber, the researchers discovered that thousands of new binaries are being detected each month. There are 23,000 binaries for Cerber and around 6,000 for Locky. In total, the study involved an analysis of 301,588 binaries. The malware variants are capable of changing their binaries automatically, making detection difficult.

Ransomware attacks may still only make up a small percentage of the total number of malware-related incidents – less than 1% – but the threat is still severe and the attacks are likely to continue, if not increase. As long as it is profitable to develop ransomware and/or use existing ransomware variants, the attacks will continue.

Kylie McRoberts, a senior strategist with Google’s Safe Browsing team, said “Ransomware is here to stay and we will have to deal with for a long time to come.”

Adobe Flash Plug-In Death Date Confirmed as December 31, 2020

It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age.

Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5.

The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe.

In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch from PCs to mobile devices, usage has fallen to just 14%.

Google no longer supports Flash, and has not done so on Android since 2012. Apple has never supported the plug-in on its mobile devices, and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year.

Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate that vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed.

The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities? They will not simply retire as well. Instead they will put their efforts into something else. What that is, of course, remains to be seen.

Three years may seem like an awfully long time, but there are still many businesses that continue to use Flash and have yet to migrate to other standards. Flash is still extensively used by educational institutions for training programs, while web-based gaming websites will also need time to transition.

Govind Balakrishnan, Adobe’s vice president of product development, pointed out the importance of Flash saying, “Few technologies have had such a profound and positive impact in the Internet era.” That is certainly true, but all good things must come to an end and few will be sorry to see Flash finally die. The end came long ago, but at least now there is an official date when the final nail will be hammered into the coffin.

More than 500,000 Systems Infected with Stantinko Malware

Stantinko malware may only have recently been detected, but it is far from a new malware variant: it has been in use for the past five years. During that time, Stantinko has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine.

The botnet has primarily been used to run a large-scale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection.

ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected.

While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables the threat actors to send any code to an infected device via their C2 server and run it.

ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host.

The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions. The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity and do not slow an infected device considerably.

Infection is believed to occur through illegal file sharing, especially the downloading of pirated software. In particular, ESET notes that infection has occurred through fake torrent files that are actually executables.
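One defensive check that follows from the fake-torrent infection vector described above is to look at what a downloaded file actually contains rather than trusting its extension. The example below is an added illustration, not code from ESET or from this article: it sniffs the leading bytes of a download (a real .torrent file is a bencoded dictionary, whereas a Windows executable starts with an MZ header pointing at a PE signature) and flags a mismatch. The sample downloads are constructed byte strings and the filenames are placeholders.

```python
"""Flag downloads whose content does not match the type their filename claims.

Added example (not the article's or ESET's code). Sample files below are
constructed: a genuine bencoded .torrent, a minimal PE executable renamed to
.torrent, a ZIP archive renamed to .torrent, and a legitimately named .exe.
"""
import os
import struct

# Magic numbers for the container types this check understands.
PE_MAGIC = b"MZ"            # DOS stub that every Windows PE file starts with
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header
ELF_MAGIC = b"\x7fELF"      # Linux executables / shared objects

# Content types that are acceptable behind each extension.
EXPECTED_BY_EXT = {
    ".torrent": {"torrent"},
    ".zip": {"zip"},
    ".exe": {"pe-executable", "dos-executable"},
}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the filename entirely."""
    if data.startswith(PE_MAGIC):
        # A PE file stores the offset of the "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf-executable"
    # A .torrent is a bencoded dict: starts with 'd' and carries an
    # "announce" and/or "info" key, e.g. b"d8:announce..." / b"4:info...".
    if data.startswith(b"d") and (b"8:announce" in data or b"4:info" in data):
        return "torrent"
    return "unknown"


def classify_download(filename: str, data: bytes) -> str:
    """Return 'ok', a block verdict, or a review verdict for one download."""
    ext = os.path.splitext(filename.lower())[1]
    allowed = EXPECTED_BY_EXT.get(ext)
    if allowed is None:
        return "unknown-extension"
    actual = sniff_type(data)
    if actual in allowed:
        return "ok"
    if actual.endswith("executable"):
        return "block: executable disguised as " + ext
    return "review: " + ext + " file is actually " + actual


def scan_downloads(downloads: dict) -> dict:
    """Apply classify_download to a {filename: bytes} mapping."""
    return {name: classify_download(name, data) for name, data in downloads.items()}


def build_fake_pe() -> bytes:
    """Construct the smallest byte string sniff_type accepts as a PE file."""
    hdr = bytearray(0x40)
    hdr[0:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE header at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample downloads (placeholder names, not real indicators).
SAMPLE_DOWNLOADS = {
    "linux-iso.torrent": (b"d8:announce35:http://tracker.example.invalid/announce"
                          b"4:infod6:lengthi1024e4:name4:test12:piece lengthi16384eee"),
    "photoshop_crack.torrent": build_fake_pe(),     # executable wearing a .torrent name
    "movie.torrent": ZIP_MAGIC + b"\x00" * 26,       # archive wearing a .torrent name
    "setup.exe": build_fake_pe(),                    # honestly named executable
}

if __name__ == "__main__":
    for name, verdict in scan_downloads(SAMPLE_DOWNLOADS).items():
        print(f"{name:28} {verdict}")
```

The same idea applies at a web gateway: instead of only filtering by URL, sniff the response body and block executables regardless of the name the site gives them.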

Removal of the malware is not straightforward. The malware installs two Windows services, each of which is capable of reinstalling the other service if one is deleted. If for any reason that process fails, the attackers can reinstall those services via their C2 server.
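The mutually re-installing service pair described above leaves a trace that a defender can hunt for: the same service names being installed again and again, always within seconds of each other. The block below is an added example, not from the article or ESET; it runs over a constructed list of records shaped like Windows System-log Event ID 7045 ("A service was installed in the system") entries and reports services that are re-installed repeatedly and pairs whose installs recur together. The service names and paths are placeholders, not real Stantinko indicators.

```python
"""Hunt for services that keep re-installing each other in 7045 event records.

Added example (not the article's or ESET's code). SAMPLE_EVENTS is a
constructed list of (timestamp, event_id, service_name, image_path) tuples in
the shape you would get by exporting System-log Event ID 7045 entries; names
and paths are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_INSTALLED = 7045   # System log, source "Service Control Manager"

SAMPLE_EVENTS = [  # constructed
    ("2017-07-20 09:00:01", 7045, "Print Spooler Helper", r"C:\ProgramData\psh\psh.exe"),
    ("2017-07-20 09:00:03", 7045, "Network Diagnostics Agent", r"C:\ProgramData\nda\nda.exe"),
    ("2017-07-20 09:12:00", 7045, "Vendor Graphics Update", r"C:\Program Files\Vendor\gfx.exe"),
    ("2017-07-20 13:40:10", 7045, "Print Spooler Helper", r"C:\ProgramData\psh\psh.exe"),
    ("2017-07-20 13:40:12", 7045, "Network Diagnostics Agent", r"C:\ProgramData\nda\nda.exe"),
    ("2017-07-21 08:05:00", 7045, "Network Diagnostics Agent", r"C:\ProgramData\nda\nda.exe"),
    ("2017-07-21 08:05:01", 7045, "Print Spooler Helper", r"C:\ProgramData\psh\psh.exe"),
]


def parse_installs(events):
    """Keep only 7045 records, with timestamps parsed, sorted by time."""
    recs = []
    for ts, event_id, name, path in events:
        if event_id == SERVICE_INSTALLED:
            recs.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, path))
    return sorted(recs)


def repeated_installs(events, min_count=2):
    """Services installed at least min_count times: a normal install happens once."""
    counts = defaultdict(int)
    for _, name, _ in parse_installs(events):
        counts[name] += 1
    return {name: n for name, n in counts.items() if n >= min_count}


def paired_installs(events, window_seconds=30, min_occurrences=2):
    """Pairs of distinct services installed within window_seconds of each other,
    on at least min_occurrences separate occasions (the re-install-each-other
    pattern)."""
    recs = parse_installs(events)
    window = timedelta(seconds=window_seconds)
    pair_hits = defaultdict(int)
    for i, (t1, n1, _) in enumerate(recs):
        for t2, n2, _ in recs[i + 1:]:
            if t2 - t1 > window:
                break                    # records are sorted, so stop early
            if n1 != n2:
                pair_hits[frozenset((n1, n2))] += 1
    return {pair: n for pair, n in pair_hits.items() if n >= min_occurrences}


def report(events):
    """Human-readable findings for a ticket or SIEM alert."""
    lines = [f"{name}: installed {n} times" for name, n in sorted(repeated_installs(events).items())]
    for pair, n in paired_installs(events).items():
        a, b = sorted(pair)
        lines.append(f"{a} and {b}: installed together {n} times")
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On a real host the records would come from the System log (for example via Get-WinEvent filtered on Event ID 7045); the point of the pairing logic is that a one-off vendor install never trips it, while a service that reappears within seconds of its partner on several separate occasions does.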

The discovery of Stantinko malware highlights the danger of failing to prevent employees from accessing file sharing websites at work. Downloading pirated material, or even just accessing torrent files, has the potential to infect enterprise networks with malware. Even if anti-virus and anti-malware solutions have been deployed, there is no guarantee that malware will be detected.

Organizations can protect against these types of attacks by implementing a web filtering solution and blocking access to file sharing websites and torrent sites. If these sites cannot be accessed and pirated software downloads are blocked, infection can be prevented.

Privacy Concerns Raised Over New UK Porn Filtering Controls

UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed.

From April next year, a yet to be decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level and the sites could be barred from taking credit card payments from the UK if they do not comply.

The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister, Matt Hancock, explained the move would mean “UK will have the most robust internet child protection measures of any country in the world.”

While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by forcing the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card.

The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns.

Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely not only to include details supplied in the verification checks, but include profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users.

Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for fraud, the data could be used for blackmail and extortion. One only needs to look back to the Ashley Madison data breach in 2015 to see the damage that can be caused when the databases of adult websites are hacked.

That breach resulted in personal information being exposed along with details of sexual preferences and other highly sensitive information. The fact that a user was registered on a website used to arrange extramarital affairs made the exposure of personal information even worse. The stolen information was subsequently used by criminals to blackmail users and led to many public shaming incidents. In some cases, exposed users of the site committed suicide as a direct result of the breach.

The Open Rights Group has spoken out about the proposed changes to UK porn filtering controls. Jim Killock, director of the Open Rights Group, said “The Government has repeatedly refused to ensure that there is a legal duty for age verification providers to protect the privacy of web users.” Now, the change “could lead to porn companies building databases of the UK’s porn habits, which could be vulnerable to Ashley Madison style hacks.”

Killock also pointed out, “There is also nothing to ensure a free and fair market for age verification. We are concerned that the porn company MindGeek will become the Facebook of age verification, dominating the UK market.” Were that to happen, the company would be able to decide the level of profiling that takes place, the level of controls it sees fit to introduce to protect data and what privacy risks UK citizens would face.

TIGTA Tells IRS to Implement an Enterprise Email Archiving Solution

An enterprise email archiving solution allows emails to be retrieved on demand and ensures messages remain usable. Emails must be produced in the event of an audit and during the legal discovery process. Federal laws require organizations to produce emails, such as when a request is made under the Freedom of Information Act. An email archive is searchable and allows emails to be quickly and easily located and accessed when needed.

Since recovering emails from backups is a long and complicated process, many companies now use an enterprise email archiving solution such as ArcTitan. ArcTitan makes archiving emails a quick and easy process, freeing up valuable storage space on mail servers. Recovering emails is also rapid and straightforward as the archive is searchable. Even large numbers of emails from multiple email accounts can be recovered in minutes. Multiple searches of the archive can be conducted at the same time, in contrast to Office 365 which restricts searches to two at a time, and the archive can be searched at a rate of up to 30 million emails a second. Recovering multiple emails from backups can take several days.

Even though federal laws require emails to be produced on demand, many companies have yet to switch to an email archive and the IRS is not setting a good example. The IRS has recently been discovered to have failed to comply with federal regulations on email storage.

The Treasury Inspector General for Tax Administration (TIGTA) recently conducted an audit of the Internal Revenue Service and discovered that IRS policies on email storage do not allow it to consistently ensure records are retained, and that in several cases the IRS has been unable to produce emails on request.

The audit was requested by the Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means after the IRS reported that it was unable to produce some documents after receiving Freedom of Information requests. After searching for the documents, the IRS discovered documents had been accidentally deleted.

The auditors determined that emails are not automatically archived for all employees and some employees had been instructed to manually store emails on their hard drives or network drives. As a result, some emails and documents were permanently lost when hard drives were damaged or destroyed.

The audit also showed that even though a new executive e-mail retention policy had been introduced that should have resulted in emails being automatically archived, that failed to happen as some executives did not turn on the automatic archiving feature.

Policies on email archiving were also not applied consistently. The IRS was discovered to have failed to follow its own policies on email archiving in more than half of the 30 Freedom of Information requests assessed by auditors. Had an enterprise email archiving solution been used, all documents and emails would have been recoverable and could have been quickly located.

TIGTA made five recommendations, including the implementation of an enterprise email archiving solution – which is something that all organizations in the United States should consider. In the event of an audit, Freedom of Information request or lawsuit, all relevant emails can be quickly produced and regulatory fines can be avoided.

An Enterprise Archiving Solution will Help IRS’ Compliance with GDPR

The implementation of an enterprise email archiving solution will also help IRS’ compliance with the EU’s General Data Protection Regulation (GDPR), due to be introduced in May 2018. Under the Regulation, the IRS (and any other US organization maintaining the personal data of EU citizens) has a duty to protect EU citizens’ personal data from loss, theft or unauthorized disclosure.

EU citizens also have the right to request access to personal data held by the IRS and a “right to be forgotten” if the IRS no longer has any lawful basis for retaining the data. TIGTA’s audit of email practices within the IRS could not have been more timely, as – should the IRS be unable to produce an email on request or fail to respond to a data access request within thirty days – the Service could be liable for a fine of up to 4% of global turnover. The IRS collected $3.3 trillion in taxes in 2015.

ArcTitan: Email Archiving Made Simple

ArcTitan is a powerful and fast email archiving solution from TitanHQ that serves as a black box flight recorder for email. All emails sent to the archive for long term storage are de-duplicated and compressed to save on space and to ensure searches can be performed rapidly. Emails are sent to the archive at a rate of 200 a second and searches can be performed at a rate of up to 30 million messages a second. ArcTitan facilitates policy-based access rights and role-based access, with the archive accessible through a web-based interface or via your normal mail client.
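To make the three properties listed above concrete (de-duplication, compression, and a searchable index from which any message can be retrieved on demand), here is an added, self-contained illustration of a minimal email archive. It is not ArcTitan's implementation or any TitanHQ code; the messages are constructed RFC 5322 text and the example deduplicates on the exact bytes of the message, whereas a production archive would normalise transport headers first, since each delivered copy carries different Received: lines.

```python
"""A toy email archive: de-duplicate, compress, index, search, retrieve.

Added example; not ArcTitan's or TitanHQ's code. SAMPLE_MESSAGES are
constructed messages (two identical copies of one message, plus a second
message) using example.invalid addresses.
"""
import email
import hashlib
import zlib
from email import policy


class EmailArchive:
    def __init__(self):
        self._blobs = {}          # sha256 hex -> zlib-compressed raw message
        self._index = []          # one dict of searchable fields per unique message
        self.raw_bytes = 0        # bytes offered to the archive (incl. duplicates)
        self.duplicates_skipped = 0

    def ingest(self, raw: bytes) -> str:
        """Store one message; return its content id (sha256 of the raw bytes)."""
        digest = hashlib.sha256(raw).hexdigest()
        self.raw_bytes += len(raw)
        if digest in self._blobs:          # byte-identical copy already archived
            self.duplicates_skipped += 1
            return digest
        msg = email.message_from_bytes(raw, policy=policy.default)
        self._blobs[digest] = zlib.compress(raw, 9)
        self._index.append({
            "id": digest,
            "sender": str(msg["From"] or ""),
            "recipient": str(msg["To"] or ""),
            "subject": str(msg["Subject"] or ""),
        })
        return digest

    def search(self, **terms) -> list:
        """Case-insensitive substring match on sender/recipient/subject fields;
        every supplied term must match. Returns content ids."""
        return [entry["id"] for entry in self._index
                if all(needle.lower() in entry[field].lower()
                       for field, needle in terms.items())]

    def retrieve(self, digest: str) -> bytes:
        """Return the original message bytes for eDiscovery or a FOIA request."""
        return zlib.decompress(self._blobs[digest])

    def stats(self) -> dict:
        return {
            "messages": len(self._index),
            "duplicates_skipped": self.duplicates_skipped,
            "raw_bytes": self.raw_bytes,
            "stored_bytes": sum(len(b) for b in self._blobs.values()),
        }


INVOICE = (
    b"From: Alice Example <alice@example.invalid>\r\n"
    b"To: accounts@example.invalid\r\n"
    b"Subject: Invoice 1042 overdue\r\n"
    b"Message-ID: <inv-1042@example.invalid>\r\n"
    b"\r\n"
    b"Please find attached invoice 1042, now 30 days overdue. Regards, Alice\r\n"
)
LUNCH = (
    b"From: Bob Example <bob@example.invalid>\r\n"
    b"To: alice@example.invalid\r\n"
    b"Subject: Lunch on Friday?\r\n"
    b"Message-ID: <lunch-1@example.invalid>\r\n"
    b"\r\n"
    b"Are you free for lunch on Friday at noon? Bob\r\n"
)
# Constructed: the invoice arrives twice (e.g. journaled from two mailboxes).
SAMPLE_MESSAGES = [INVOICE, INVOICE, LUNCH]


def build_sample_archive() -> EmailArchive:
    archive = EmailArchive()
    for raw in SAMPLE_MESSAGES:
        archive.ingest(raw)
    return archive

if __name__ == "__main__":
    archive = build_sample_archive()
    print(archive.stats())
    for hit in archive.search(subject="invoice"):
        print(archive.retrieve(hit).decode())
```

The index holds only the fields you search on, so a request such as "every message from this sender about this subject" is answered without decompressing anything; the compressed blob is touched only when a specific message is retrieved.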

ArcTitan is scalable to tens of thousands of users, there is no limit on storage space, and no patching burden as the solution is automatically updated. Backups of the archive are automatic too. ArcTitan allows you to archive emails with no impact on network performance and is truly a set and forget solution that will ensure compliance with regulations such as HIPAA, SOX, GDPR, the Federal Rules of Civil Procedure, etc. and will allow you to find and retrieve emails for audits, customer complaints, and eDiscovery requests with ease. There are no proprietary data formats, you can import email from all mail services and servers, and export data in a variety of formats.

If you are looking for an email archiving solution, are not happy with the functionality or cost of your current solution, or have any questions about email archiving or ArcTitan, give the TitanHQ team a call today.