Beware of Emails Bearing Gifts

Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating.

In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom.

The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business.

Encouraged by their successes, attackers are reusing content and contacts as they cycle through their scams in an attempt to hook people. They have tested and learned the behavior of antivirus, firewalls, and sandboxes, and are using code that is stealthier, more careful, and more difficult to defend against. Malware downloaders are varied frequently to avoid signature-based detection. Ports, IP addresses, and URLs are continuously modified to slip past firewalls. The most advanced code is becoming sandbox-aware and stays out of sight if it suspects it is not on a real endpoint.

Connected Security Is Critical

With the number and sophistication of attacks increasing, what can you do to reduce the threat profile at your organization? What new product can you buy to increase your protection?

The reality is that no single cybersecurity product provides effective coverage for all cyberthreats, just like no one physical security technique defends against all physical threats. As battlefield threats become more sophisticated, frequent communication between the front line, commanders, intelligence officers, and special forces is necessary to detect and counter or correct threats.

Integrating links between antivirus, advanced threat detection, and other connected security tools will provide security pros in the cybertrenches more capable and adaptive defenses for these types of threats. A framework of connected security tools accomplishes this by sharing relevant security data across endpoints, gateways, and other security products, enabling incident response and preventing the compromise of one system from resulting in the compromise of many.

A recent attack campaign in Australia involving ransomware showed the benefits of using such a framework in real time. 

On the back of a legitimate looking parcel notification, a new variant of Cryptolocker was being installed on victims’ machines. The attack would start with a new malware variant that was evading most signature-based antivirus technologies. However, with a connected, adaptive security framework in place, an unknown and suspicious file on the endpoint was proactively sent to an advanced threat defense solution for decompiling and further analysis.

A mix of static code and dynamic analysis (sandboxing) on the suspicious file provided enough clues to detect the bad code and convict it as malicious.

First, the sample had some family classifications similar to other malware. Second, after decompiling we uncovered the capability to bypass proxy settings, search for specific file types, and exfiltrate the data. Finally, monitoring the behavior, we saw that it was using the same infrastructure as a known Trojan called Upatre, which is associated with botnets, ransomware, and banking fraud.

Having identified a new malware variant, the connected, adaptive security framework initiated a number of responses to correct the unwanted behavior. The endpoint systems began scanning to find out where the file had run or was still running, stopping the malicious processes or preventing the convicted file from executing. The first PC to see the ransomware may be in trouble, but the rest of the organization was protected.

Once resolved in one location, the organization’s advanced threat defense provided local threat intelligence on the largely unknown Upatre malware variant to the rest of the global organization. And with up-to-date reputation capabilities, all other systems across the organization were able to deny Upatre based on policy.

Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework.