Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2017
12:01 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Web Attacks Decline, Ransomware Attacks Surge

Symantec's annual Internet Security Threat Report data shows how attacks last year directly targeted end users, and became more efficient and lucrative.

These new stats shed some light on what happens when cyberattackers inch closer to their intended victims: Web attacks dropped by more than 30% last year, and ransomware attack attempts jumped by 36%.

That's just one of the findings in Symantec's newly published Internet Security Threat Report for 2016, which also shows a continued dip in the total number of data breaches to 1,209 in 2016, from 1,211 in 2015, and 1,523 in 2014. This trend demonstrates how attackers have become more seasoned in automating their attacks - and more efficient, according to Michael Fey, president and COO of Symantec. That also dovetails with attackers targeting the endpoint directly rather than waiting for users to visit a compromised website, he says.

"It's so much easier to make a direct connection with your target. You used to have to be tigers waiting around the watering hole, but now they go find their prey and don't just wait for them," Fey says. "Thanks to social media and the way we scream to the world who we are and what we care about that can be mined, the need to sit on a Web platform is reduced. [Website attacks] still work, but there are alternate ways to a more deliberate path."

The dip in total breaches is a combination of organizations doing a better job of reducing the amount of data that's at risk, and the fact that attackers have more automated methods of stealing information, he says. They can wage more focused and deliberate attack campaigns and be relatively confident that users will indeed click on malicious attachments, for example.

Web attacks are not dead, however: Symantec says there was an average of some 229,000 such attack attempts detected each day last year, and 76% of websites had bugs, 9% of which were critical.

But 2016 was ransomware's coming-out party: while it's been around for a while, the method of locking victims out of their data until they paid a ransom now has become a popular and lucrative way for criminals to make money. Symantec detected 463,000 cases of ransomware last year, up from 340,000 in 2015; the daily average hit 1,539 detections per day, up from 846. And the average ransom surged from $294 in 2015 to a whopping $1,077 last year.

Cybercriminals are cranking out new variants of ransomware at a rapid clip. Symantec counted 101 ransomware families in 2016, up from 30 in 2015 and 2014. According to Symantec, that means more attackers are employing ransomware and creating new families or modifying existing ones. Consumers still represent about 70% of all ransomware infections, but businesses increasingly are becoming targets.

"We've seen government institutions condone paying [ransom], and we've seen government leaders talk about how that's a bad thing. So there are mixed messages all over the place," which makes it more confusing and difficult for victims to properly respond and defend from ransomware attacks, Fey says.

Ransomware victims paying their attackers isn't helping, either, but the situation is fraught: "If you pay $29,000 to unlock your data, are you feeding a bigger problem?" Fey says. "If an organization sent money directly to terrorists we'd all condemn them and shut them down. But when a hospital's patients' critical data is held for ransom, I'm not sure I have the same opinion anymore" against paying the ransom like in a terrorist scenario, he says.

Meantime, 15 breaches in 2016 exposed more than 10 million identities, a slight increase from 13 in 2015, and 11 in 2014. Overall in the past eight years, some 7.1 billion identities have been exposed worldwide, the report shows.

Fey says that's another data point that demonstrates how attackers are becoming more efficient. "And they are getting to the outcome faster," he says.

Speaking of efficiency, it now takes attackers just two minutes to attack an Internet of Things device – a feat that was achieved by the Mirai botnet last year, according to the Symantec ISTR report. The IoT-borne distributed denial-of-service (DDoS) attack (mainly waged by Mirai) on French hosting firm OVH last year was the largest DDoS attack ever, with a peak of 1 Tbps.

"We have misunderstood the IoT problem," Fey says of the industry. "What people don't fully appreciate about IoT security is how many of these devices are orphaned devices" sitting on the Net and vulnerable, he says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.