Malware and ransomware keep evolving to adapt to the changing landscape of security technologies. The variants that have appeared in the last few years are able to avoid detection, exploit software vulnerabilities, and penetrate perimeter security with ease.
2017 and 2018 have seen some of the most significant malware and ransomware trends. The cybersecurity website FraudWatch notes that 2017 was a big year for ransomware because of three key parameters:
- Development of advanced capabilities
- Selection of high profile targets
- Widespread nature of the attacks
These parameters were easily identifiable in some of the biggest attacks in 2017 and early 2018, which defined the trend of the attacks.
To start with, WannaCry made big news in May 2017 when it infected the UK's National Health Service (NHS). It also hit Telefonica and FedEx, both multinational companies with mature security programs. WannaCry spread by exploiting a vulnerability in the SMBv1 (Server Message Block) implementation of Windows, the EternalBlue exploit, for which Microsoft had already released the MS17-010 patch two months earlier. The victims were running unpatched Windows 7 or older versions, which made them easy targets because they lacked that critical update.
A few weeks later, in June 2017, the same SMB exploit was reused by NotPetya, another high-profile ransomware. Apart from encrypting data, NotPetya also harvested credentials from the infected systems and used them to move laterally, so a single unpatched host gave it access to the other machines on the network.
We also saw the rise of RaaS (Ransomware as a Service), a model in which the malware's developers lease it to affiliates who distribute it, and the developers take a commission on every ransom paid. Cerber was a good example of RaaS: it encrypts the victim's data and holds it hostage until the money is paid into the operator's cryptocurrency wallet.
RaaS is gaining ground and is likely to become one of the most prolific categories of ransomware. With a RaaS kit, even a novice attacker can infect targets without writing a single line of code, either by buying the package from the provider outright or by agreeing to share the ransom proceeds.
Banking trojans also dominated the malware trends, including Ursnif, Emotet, TrickBot, and Hancitor. These file-based trojans arrive as email attachments, typically Office documents that carry a concealed macro script whose only job is to download the real payload. Emotet has been the most dangerous of them, responsible for attacks on several financial organizations.
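Because the trojans above arrive as macro-bearing Office attachments, the first practical check a mail gateway can do is to flag any attachment that contains a VBA project, including one whose extension has been changed to disguise it. The script below is an added example, not code from the original article or from any product it mentions. It handles both Office container formats without third-party libraries: OOXML files (.docm, .xlsm, and also .docx/.xlsx renamed to hide macros) are zip archives containing a vbaProject.bin part, and legacy OLE files (.doc, .xls) are compound files whose directory holds the VBA storage names as UTF-16LE strings. The OLE check is a byte-level heuristic rather than a full compound-file parser, and the sample attachments are constructed in memory, not real malware.

```python
"""Triage e-mail attachments for embedded Office macros (added example)."""
from __future__ import annotations
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file (legacy .doc/.xls) header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are zip archives

# Storage names that only exist when a VBA project is present; the CFB
# directory stores them as UTF-16LE, so search for that encoding.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def has_macros(data: bytes) -> tuple[bool, str]:
    """Return (macro_present, container_type) for raw attachment bytes."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False, "zip-corrupt"
        # vbaProject.bin holds the VBA project; its folder varies by
        # application (word/, xl/, ppt/), so match on the file name only.
        return any(n.lower().endswith("vbaproject.bin") for n in names), "ooxml"
    if data.startswith(OLE_MAGIC):
        return any(m in data for m in OLE_VBA_MARKERS), "ole"
    return False, "other"


def triage(filename: str, data: bytes) -> dict:
    """Policy: quarantine anything with a VBA project or a container/extension mismatch."""
    macro, kind = has_macros(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if macro:
        reasons.append("contains VBA project")
    # A .docm renamed to .doc still opens (Word sniffs the content) and still
    # runs macros, while looking like a harmless legacy document.
    if kind == "ooxml" and ext in {"doc", "xls", "ppt"}:
        reasons.append("OOXML content with legacy extension")
    if kind == "ole" and ext in {"docx", "docm", "xlsx", "xlsm"}:
        reasons.append("OLE content with OOXML extension")
    return {"file": filename, "container": kind, "macro": macro,
            "verdict": "quarantine" if reasons else "allow", "reasons": reasons}


# --- constructed sample inputs (minimal stand-ins, not real documents) ---
def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole(with_macro: bool) -> bytes:
    body = OLE_MAGIC + b"\x00" * 504            # header sector only
    if with_macro:
        body += "Macros".encode("utf-16-le") + b"\x00\x00" + "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 64


SAMPLES = [
    ("invoice.docm", build_ooxml(True)),
    ("report.docx", build_ooxml(False)),
    ("invoice.doc", build_ooxml(True)),        # .docm renamed to .doc
    ("statement.xls", build_ole(True)),
    ("notes.txt", b"just text"),
]


def triage_all(samples=SAMPLES) -> list[dict]:
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:10} {r['file']:15} {r['container']:6} {r['reasons']}")
```

The verdict is deliberately coarse: on a gateway that serves non-technical users, every externally sourced attachment with a VBA project goes to quarantine, and the mismatch rules catch the renaming trick even before the macro check fires.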
Looking Beyond Traditional Anti-Malware Strategies
Cybercriminals who write malware have learned to bypass traditional perimeter security through phishing campaigns and malicious advertising. Once the malicious code is running on the host, it takes advantage of the system's vulnerabilities to launch the attack.
Recent attacks have shown that endpoints running legacy or unpatched Windows versions are highly susceptible to malware.
Enterprises rely on antivirus to protect laptops, desktops, and special-purpose systems such as ATMs, point-of-sale terminals, and ticketing kiosks. However, traditional antivirus depends heavily on a database of signatures and can only detect threats that are already known.
Malware today has evolved to work around the defense mechanisms programmed into most antivirus solutions. To counter these sophisticated threats, enterprises need to look beyond antivirus and adopt security solutions that take a signature-less approach. The solution should work at the kernel level to detect, highlight, and prevent unauthorized processes from running on endpoints and critical servers.
Enterprises should also strive for complete visibility and control of every process that runs on their endpoints. This makes it possible to build a process whitelist that allows only known processes to run, which removes the dependence on signature updates and blunts exploitation of vulnerabilities that have not yet been patched. It complements patch management and SIEM rather than replacing them: a patched binary has a new hash and must be re-approved on the list, and the whitelist's block events are themselves valuable detection telemetry.
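The decision logic behind "only known processes may run" is simple, but the details decide whether it actually stops the attacks described earlier. The script below is an added example written for this article, not code from the page's author or from any product it mentions; its process inventory and "known good" binaries are constructed stand-ins for what an agent would read from disk. Three design points are worth noticing: the allowlist is keyed by the SHA-256 of the executable rather than by path or name, so a dropper copied to C:\Users\Public\svchost.exe is still unknown; a patched binary has a new hash, so the list must be refreshed alongside patch deployment; and an audit mode records what would have been blocked before enforcement is switched on.

```python
"""Hash-based process allowlisting in audit and enforce modes (added example)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    image: bytes      # executable bytes; an agent would read these at exec time


@dataclass
class Decision:
    pid: int
    path: str
    digest: str
    action: str       # "allow", "block", or "audit" (would have blocked)
    reason: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "golden image" inventory. Real lists are built from a clean
# build and refreshed whenever a patch changes a binary.
KNOWN_IMAGES = {
    r"C:\Windows\System32\svchost.exe": b"svchost-build-7601.24000",
    r"C:\Windows\System32\lsass.exe":   b"lsass-build-7601.24000",
    r"C:\Program Files\App\pos.exe":    b"pos-terminal-v3.2",
}
# Keyed by hash, not by path: the path is attacker-controlled, the hash is not.
ALLOWLIST = {sha256(img): path for path, img in KNOWN_IMAGES.items()}


def evaluate(proc: Process, enforce: bool) -> Decision:
    digest = sha256(proc.image)
    if digest in ALLOWLIST:
        listed_as = ALLOWLIST[digest]
        reason = "hash allowlisted" if listed_as == proc.path else f"hash allowlisted (listed as {listed_as})"
        return Decision(proc.pid, proc.path, digest, "allow", reason)
    # Same path as a known binary but a different hash: either a patch that
    # has not been approved yet, or a tampered file. Both need a human look.
    if proc.path in KNOWN_IMAGES:
        reason = "known path but unknown hash (patched binary or tampered file)"
    else:
        reason = "unknown hash"
    return Decision(proc.pid, proc.path, digest, "block" if enforce else "audit", reason)


# Constructed inventory: two legitimate processes, an lsass.exe that was
# patched after the list was built, and a dropper masquerading as svchost.
INVENTORY = [
    Process(400, r"C:\Windows\System32\svchost.exe", KNOWN_IMAGES[r"C:\Windows\System32\svchost.exe"]),
    Process(520, r"C:\Windows\System32\lsass.exe", b"lsass-build-7601.24540"),
    Process(1312, r"C:\Users\Public\svchost.exe", b"packed-dropper-payload"),
    Process(2000, r"C:\Program Files\App\pos.exe", KNOWN_IMAGES[r"C:\Program Files\App\pos.exe"]),
]


def run_policy(inventory=INVENTORY, enforce: bool = False) -> list[Decision]:
    return [evaluate(p, enforce) for p in inventory]


if __name__ == "__main__":
    for d in run_policy(enforce=True):
        print(f"{d.action:5} pid={d.pid:<5} {d.path}  ({d.reason})")
```

Run it with enforce=False first: the audit decisions for pid 520 show exactly the operational cost the text glosses over, because every patch cycle produces new hashes that must be approved before enforcement, which is why the whitelist and the patch process have to be managed together.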
Apart from ransomware, vulnerable endpoints can also become entry points for Advanced Persistent Threats (APTs), which exfiltrate sensitive data while remaining undetected for weeks or months.
There was a time when antivirus alone was a good enough solution. Given the frequency and sophistication of recent attacks, enterprises need to reconsider their approach to endpoint security.
ColorTokens RADAR360 takes a robust signature-less approach to protect endpoints and servers, including legacy and unpatched systems, against zero-day and advanced persistent threats without additional operational complexities.