Endpoint

4/26/2017
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Web Attacks Decline, Ransomware Attacks Surge

Symantec's annual Internet Security Threat Report data shows how attacks last year directly targeted end users, and became more efficient and lucrative.

These new stats shed some light on what happens when cyberattackers inch closer to their intended victims: Web attacks dropped by more than 30% last year, and ransomware attack attempts jumped by 36%.

That's just one of the findings in Symantec's newly published Internet Security Threat Report for 2016, which also shows a continued dip in the total number of data breaches to 1,209 in 2016, from 1,211 in 2015, and 1,523 in 2014. This trend demonstrates how attackers have become more seasoned in automating their attacks - and more efficient, according to Michael Fey, president and COO of Symantec. That also dovetails with attackers targeting the endpoint directly rather than waiting for users to visit a compromised website, he says.

"It's so much easier to make a direct connection with your target. You used to have to be tigers waiting around the watering hole, but now they go find their prey and don't just wait for them," Fey says. "Thanks to social media and the way we scream to the world who we are and what we care about that can be mined, the need to sit on a Web platform is reduced. [Website attacks] still work, but there are alternate ways to a more deliberate path."

The dip in total breaches is a combination of organizations doing a better job of reducing the amount of data that's at risk, and the fact that attackers have more automated methods of stealing information, he says. They can wage more focused and deliberate attack campaigns and be relatively confident that users will indeed click on malicious attachments, for example.

Web attacks are not dead, however: Symantec says there was an average of some 229,000 such attack attempts detected each day last year, and 76% of websites had bugs, 9% of which were critical.

But 2016 was ransomware's coming-out party: while it's been around for a while, the method of locking victims out of their data until they paid a ransom now has become a popular and lucrative way for criminals to make money. Symantec detected 463,000 cases of ransomware last year, up from 340,000 in 2015; the daily average hit 1,539 detections per day, up from 846. And the average ransom surged from $294 in 2015 to a whopping $1,077 last year.

Cybercriminals are cranking out new variants of ransomware at a rapid clip. Symantec counted 101 ransomware families in 2016, up from 30 in 2015 and 2014. According to Symantec, that means more attackers are employing ransomware and creating new families or modifying existing ones. Consumers still represent about 70% of all ransomware infections, but businesses increasingly are becoming targets.

"We've seen government institutions condone paying [ransom], and we've seen government leaders talk about how that's a bad thing. So there are mixed messages all over the place," which makes it more confusing and difficult for victims to properly respond and defend from ransomware attacks, Fey says.

Ransomware victims paying their attackers isn't helping, either, but the situation is fraught: "If you pay $29,000 to unlock your data, are you feeding a bigger problem?" Fey says. "If an organization sent money directly to terrorists we'd all condemn them and shut them down. But when a hospital's patients' critical data is held for ransom, I'm not sure I have the same opinion anymore" against paying the ransom like in a terrorist scenario, he says.

Meantime, 15 breaches in 2016 exposed more than 10 million identities, a slight increase from 13 in 2015, and 11 in 2014. Overall in the past eight years, some 7.1 billion identities have been exposed worldwide, the report shows.

Fey says that's another data point that demonstrates how attackers are becoming more efficient. "And they are getting to the outcome faster," he says.

Speaking of efficiency, it now takes attackers just two minutes to attack an Internet of Things device – a feat that was achieved by the Mirai botnet last year, according to the Symantec ISTR report. The IoT-borne distributed denial-of-service (DDoS) attack (mainly waged by Mirai) on French hosting firm OVH last year was the largest DDoS attack ever, with a peak of 1 Tbps.

"We have misunderstood the IoT problem," Fey says of the industry. "What people don't fully appreciate about IoT security is how many of these devices are orphaned devices" sitting on the Net and vulnerable, he says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.
CVE-2018-1560
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a tr...
CVE-2018-1588
PUBLISHED: 2018-09-25
IBM Jazz Foundation (IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6) is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resourc...