Malvertising and Ransomware Are Major Threats

From malvertising, which has returned with a vengeance, to crypto-ransomware, a particularly damaging form of ransomware that encrypts victims' files, cyber-criminals are using more sophisticated attacks through existing channels to reach new victims, according to the "Q1 2015 Security Round-Up" from security company Trend Micro.

Malvertising has become so sophisticated that it is now being used in combination with zero-day exploits to take advantage of victims. According to Christopher Budd, Trend Micro’s global threat communications manager, part of the issue with zero-day exploits is that there’s no patch for them when a computer is being attacked. “When it’s happening, there’s nothing you can do to protect yourself,” he says.

Of the four zero-day exploits disclosed in the quarter, three targeted various versions of Adobe Flash Player, and two of those three were delivered through malvertising, according to the report. The exploit for CVE-2015-0313, which affected Flash Player versions up to 16.0.0.296, was spread through malicious advertisements served on legitimate sites, so victims did not need to stumble across a malicious page to be infected. The fourth zero-day exploit, which targeted Microsoft Internet Explorer versions 9 through 11, was delivered through malicious links.

“The thing with an exploit kit is that someone who is not technical can take a kit and build a really effective attack,” Budd explains. “Those exploits are building on zero-day vulnerabilities. A situation is being created in which people are essentially turning out attacks that they can unleash on third-party servers.” Adding to the problem is the fact that content from those third-party servers, such as advertisements, is loaded by trusted websites, so the attack reaches visitors who never left a reputable site.

Number of Crypto-Ransomware Attacks Increases

Sophisticated malvertising exploits are not the only attacks that have increased this year. The report also shows that nearly half of all ransomware detected in the quarter was crypto-ransomware, which encrypts victims' files and demands payment for the means to recover them.

While ransomware had been on the decline since the arrest of the Blackhole Exploit Kit author in late 2013, it is now making a comeback, according to Budd. The six new crypto-ransomware families detected in the quarter, which include GulCrypt and CryptoFortress, vary in severity and in the ransom demanded.

“The truth is that once your files are encrypted, there is no easy way to decrypt them,” Budd says. “The bad guys are using encryption very well.”

On top of that, cyber-criminals are proving to victims that they can decrypt files, which makes the incentive to pay even greater. Whether they actually decrypt the files after payment, however, remains an open question.

“Our advice is to not give them money,” Budd states. “You’d be rewarding bad behavior, and there is no guarantee you’re going to get your stuff back.”

In addition to individuals, small and midsize businesses are being hit by ransomware attacks, particularly because they may have the money to pay the cyber-criminals but generally lack a large IT staff. The report states that the United States accounted for 34 percent of first-quarter ransomware attacks, the largest share of any country, most likely due to the appearance of these new crypto-ransomware variants.

Another important finding was that the health care industry suffered major data breaches that exposed millions of customer records. The attacks on Premera Blue Cross and Anthem exposed 11 million and 80 million records, respectively. The exposed data included client names, dates of birth, Social Security numbers and other sensitive information such as addresses and bank account details, all of which facilitate identity theft.

“Health care information is pretty much the holy grail of information that you can steal,” Budd says.

Part of the issue in health care is that organizations are relying on roughly the same countermeasures they used in the past, even though those measures have become ineffective, he explains.

“I think what we’re seeing is clearly a concerted effort to go after the information that health organizations are custodians of,” Budd adds. “A determined attacker, if truly determined, is going to succeed. … They understand the security countermeasures already in place and find ways to get around them.”