Endpoint
4/26/2017
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Web Attacks Decline, Ransomware Attacks Surge

Symantec's annual Internet Security Threat Report data shows how attacks last year directly targeted end users, and became more efficient and lucrative.

These new stats shed some light on what happens when cyberattackers inch closer to their intended victims: Web attacks dropped by more than 30% last year, and ransomware attack attempts jumped by 36%.

That's just one of the findings in Symantec's newly published Internet Security Threat Report for 2016, which also shows a continued dip in the total number of data breaches to 1,209 in 2016, from 1,211 in 2015, and 1,523 in 2014. This trend demonstrates how attackers have become more seasoned in automating their attacks - and more efficient, according to Michael Fey, president and COO of Symantec. That also dovetails with attackers targeting the endpoint directly rather than waiting for users to visit a compromised website, he says.

"It's so much easier to make a direct connection with your target. You used to have to be tigers waiting around the watering hole, but now they go find their prey and don't just wait for them," Fey says. "Thanks to social media and the way we scream to the world who we are and what we care about that can be mined, the need to sit on a Web platform is reduced. [Website attacks] still work, but there are alternate ways to a more deliberate path."

The dip in total breaches is a combination of organizations doing a better job of reducing the amount of data that's at risk, and the fact that attackers have more automated methods of stealing information, he says. They can wage more focused and deliberate attack campaigns and be relatively confident that users will indeed click on malicious attachments, for example.

Web attacks are not dead, however: Symantec says there was an average of some 229,000 such attack attempts detected each day last year, and 76% of websites had bugs, 9% of which were critical.

But 2016 was ransomware's coming-out party: while it's been around for a while, the method of locking victims out of their data until they paid a ransom now has become a popular and lucrative way for criminals to make money. Symantec detected 463,000 cases of ransomware last year, up from 340,000 in 2015; the daily average hit 1,539 detections per day, up from 846. And the average ransom surged from $294 in 2015 to a whopping $1,077 last year.

Cybercriminals are cranking out new variants of ransomware at a rapid clip. Symantec counted 101 ransomware families in 2016, up from 30 in 2015 and 2014. According to Symantec, that means more attackers are employing ransomware and creating new families or modifying existing ones. Consumers still represent about 70% of all ransomware infections, but businesses increasingly are becoming targets.

"We've seen government institutions condone paying [ransom], and we've seen government leaders talk about how that's a bad thing. So there are mixed messages all over the place," which makes it more confusing and difficult for victims to properly respond and defend from ransomware attacks, Fey says.

Ransomware victims paying their attackers isn't helping, either, but the situation is fraught: "If you pay $29,000 to unlock your data, are you feeding a bigger problem?" Fey says. "If an organization sent money directly to terrorists we'd all condemn them and shut them down. But when a hospital's patients' critical data is held for ransom, I'm not sure I have the same opinion anymore" against paying the ransom like in a terrorist scenario, he says.

Meantime, 15 breaches in 2016 exposed more than 10 million identities, a slight increase from 13 in 2015, and 11 in 2014. Overall in the past eight years, some 7.1 billion identities have been exposed worldwide, the report shows.

Fey says that's another data point that demonstrates how attackers are becoming more efficient. "And they are getting to the outcome faster," he says.

Speaking of efficiency, it now takes attackers just two minutes to attack an Internet of Things device – a feat that was achieved by the Mirai botnet last year, according to the Symantec ISTR report. The IoT-borne distributed denial-of-service (DDoS) attack (mainly waged by Mirai) on French hosting firm OVH last year was the largest DDoS attack ever, with a peak of 1 Tbps.

"We have misunderstood the IoT problem," Fey says of the industry. "What people don't fully appreciate about IoT security is how many of these devices are orphaned devices" sitting on the Net and vulnerable, he says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.