Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/1/2016
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Ransomware Domains Up By 3,500% In Q1

Cybercriminals know a good thing when they see it.

In just one quarter, researchers have observed a 35-fold jump in new domains created for ransomware. The recent surge means that ransomware-related domains now account the majority of new domains related to malware (excluding exploit kits), according to the new report by Infoblox.

Infoblox partly attributes the burst of new ransomware activity -- and actors -- to the fact that it has already proven to be so successful. "What has changed ... over the past quarter or two is a shift from small-money heists targeting consumers to larger, more profitable attacks on commercial entities," the report states. The biggest culprit: Locky, the ransoware that was reportedly responsible for the costly attack on a Los Angeles hospital.

Despite the huge leap in ransomware, neither it alone nor even the entire malware category account for the most malicious domains. That prize goes to exploit kits -- which beat out malware, phishing, DDoS, and data exfiltration attack-related domains for the dubious honor. Exploit kits account for nearly 50% of Infoblox's DNS Threat Index, which measures the level of malicious domain creation, excluding domain generation algorithms and sub-domain resellers.

Angler remains the top dog of the exploit kits (for seven quarters running), but RIG jumped to second place, and Neutrino, which has always hovered near the bottom of the pile, tripled its share of the EK market (18%).

Infoblox's last noteworthy finding was that "much like cockroaches that scurry from the light, cybercriminals are quick to shift to a more advantageous location as needed." Meaning in this case that criminals have shifted the physical location of much of their malicious DNS infrastructure. Although the lion's share continues to be in the US (though it has dropped), nearly all of the infrastructure has been moved out of Germany -- dropping from about 20%  to less than 2%. In its place, Portugal, the Netherlands, the United Kingdom, Iceland, and the Russian Federation, now collectively account for half of the malicious infrastructure. 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
defenderAlex
50%
50%
defenderAlex,
User Rank: Apprentice
12/6/2016 | 5:40:00 AM
locky ransomware
Given the fact how quickly changes Locky ransomware, I think soon he will come to the fore. And that's bad news. Necessary preventive measures and backup!
theb0x
100%
0%
theb0x,
User Rank: Ninja
6/3/2016 | 10:55:32 AM
That's not that much...
Because the fact that the domain registration process can be completely scripted and automated this does not shock me at all.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.