Ransomware exploits are targeting enterprise users on deeper, less-detectable levels and now generate nearly $34 million USD annually, according to this year’s Cisco Mid-Year Cybersecurity Report, released in late July. Enterprise users appear to have become the target of choice for ransomware-wielding cybercriminals: exploit kits that take advantage of vulnerabilities in Adobe Flash propagate faster, which increases the attackers’ chances of generating larger amounts of revenue.
Some of the key findings in the Cisco Report include:
- Exploitable vulnerabilities in the JBoss enterprise application server give attackers a new vector from which to launch ransomware campaigns, and servers compromised through JBoss are left more exposed to further attacks.
- Cisco security researchers observed a fivefold increase in HTTPS traffic related to malicious activity from September 2015 to March 2016. The rise in this type of web traffic can be attributed largely to malicious ad injectors and adware. Threat actors have increased their use of HTTPS-encrypted traffic to conceal their activity on the web and expand their operating time.
- A small yet growing number of malware samples show that bad actors are using Transport Layer Security (TLS, the protocol that encrypts network traffic) to hide their activities. This concerns security professionals because it renders deep-packet inspection ineffective as a security tool.
- Cisco researchers examined a sample set of their own devices to establish how old the known vulnerabilities in fundamental infrastructure were. They reported that 23% of those devices had vulnerabilities dating from 2011, and nearly 16% had vulnerabilities first published in 2009. This underscores the security risk that organizations unwittingly create by not patching vulnerable operating systems.
- Authors of exploit kits are constantly, and creatively, seeking ways to evade security defenses. One example recently observed by Cisco researchers involved the Nuclear exploit kit. The kit, which typically “drops” ransomware variants, was seen delivering a variant of Tor, the software used for anonymous communication. This tactic appears to anonymize the eventual malicious payload, making the activity harder for defenders to track.
For Better Cybersecurity Defense
The Cisco Report identifies actions organizations can and should take to start improving their defenses against ransomware exploits. Its recommendations include:
- Implement and test an incident response plan (and/or data recovery assurance) that will enable a quick return to normal business operations following a ransomware attack.
- Don’t blindly trust HTTPS connections and SSL certificates; adopt stronger authentication methods.
- Move quickly to patch published vulnerabilities in software and systems, including the routers and switches that make up critical Internet infrastructure.
- Educate users (employees, in many cases) about the threat of malicious browser infections and their consequences.
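The TLS finding above leaves payload inspection blind, and the report’s advice is not to trust HTTPS connections and certificates blindly; what a defender can still do is triage the handshake metadata a network sensor records without decrypting anything. The script below is an added example, not code from the Cisco report or from this post: the session records are constructed, their field names loosely follow Zeek’s ssl.log, and the rarity threshold is an assumption.

```python
from collections import Counter

# Constructed sample: five TLS sessions as a sensor might log them without decryption.
SESSIONS = [
    {"uid": "s1", "dst": "203.0.113.10", "server_name": "www.example.com",
     "subject": "CN=www.example.com", "issuer": "CN=Example Public CA",
     "validation_status": "ok", "version": "TLSv12"},
    {"uid": "s2", "dst": "198.51.100.7", "server_name": "",
     "subject": "CN=localhost", "issuer": "CN=localhost",
     "validation_status": "self signed certificate", "version": "TLSv12"},
    {"uid": "s3", "dst": "198.51.100.7", "server_name": "",
     "subject": "CN=localhost", "issuer": "CN=localhost",
     "validation_status": "self signed certificate", "version": "TLSv12"},
    {"uid": "s4", "dst": "203.0.113.22", "server_name": "cdn.example.net",
     "subject": "CN=other.example.org", "issuer": "CN=Example Public CA",
     "validation_status": "ok", "version": "TLSv10"},
    {"uid": "s5", "dst": "203.0.113.10", "server_name": "www.example.com",
     "subject": "CN=www.example.com", "issuer": "CN=Example Public CA",
     "validation_status": "ok", "version": "TLSv12"},
]


def cert_cn(dn):
    """Pull the CN value out of a 'CN=...,O=...' style distinguished name."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return ""


def triage(sessions, rare_dst_max=2):
    """Return {uid: [reasons]} for sessions whose handshake metadata looks suspect.

    rare_dst_max is an assumed threshold: a flagged destination contacted in at
    most this many sessions is additionally marked as rare.
    """
    dst_counts = Counter(s["dst"] for s in sessions)
    findings = {}
    for s in sessions:
        reasons = []
        if s["validation_status"] != "ok":
            reasons.append("certificate failed validation: " + s["validation_status"])
        if not s["server_name"]:
            reasons.append("no SNI in ClientHello")
        elif cert_cn(s["subject"]) != s["server_name"]:
            reasons.append("SNI does not match certificate CN")
        if s["version"] in ("SSLv3", "TLSv10"):
            reasons.append("obsolete protocol version " + s["version"])
        if reasons and dst_counts[s["dst"]] <= rare_dst_max:
            reasons.append("destination seen in only %d session(s)" % dst_counts[s["dst"]])
        if reasons:
            findings[s["uid"]] = reasons
    return findings
```

On the constructed sample, `triage(SESSIONS)` flags s2 and s3 (unvalidated certificate, no SNI, rare destination) and s4 (SNI/CN mismatch, obsolete TLS 1.0), while the two ordinary sessions to www.example.com pass clean.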
What Does It All Mean?
It’s time to rein in our usual Web-browsing habits and batten down the cyber-hatches. Turn on ad blockers and script blockers; follow the findings in the Cisco Report to the letter; and implement response plans and employee education and training that discourage the wanton online behaviors that invite the opportunist hackers working around the clock to exploit any weakness in your company network’s defenses.
Cisco security researchers said that, based on trends and certain advances observed to date, they anticipate that self-propagating ransomware is the next step for exploit innovators. They urge users to take steps now to prepare for attackers’ use of JBoss back doors (as they did earlier this year) to launch ransomware campaigns against organizations in the healthcare industry — a strong reminder that adversaries, when given half a chance, will find new methods by which to compromise networks and users.