In the first half of 2016, we have seen the cybercrime marketplace move in the direction of making malware and exploit kits more easily available to those interested in carrying out cyber attacks.

Almost anyone can now purchase malware and various exploit kits, which are pretty much ready to use.

So far, 2016 has also brought new evolutions in ransomware, confirming many of the trends we anticipated at the end of last year, including the fine-tuning and enhancements of attack vectors. Other areas have evolved differently from what we expected, with encryption levels going as far as 4096-bit in the case of the still active CryptoWall and the defunct TeslaCrypt.

So looking towards the second half of 2016, here’s what you should expect from the cybercrime industry if you are a CIO, CISO or a malware expert.

Starting from the beginning of the attack path, we foresee that cyber attacks will evolve in 3 main directions over the next 6 months or more:

  1. Refined delivery via email: advanced spam filter probing; incorporated statistics for delivery, open and click rates
  2. Advancing malware delivery via web channels: continuously enhanced exploit kits and delivery customized to breach specific endpoint defenses
  3. Substantially increased malware sophistication: intelligent ransomware, with supplemental DDoS capabilities.

Let’s first dive more into details about how malware delivery and online scams involving malicious software can evolve over the next half a year and beyond.

Refined delivery path via e-mail

Spam email is still the leading attack vector for malware distribution today, and it has evolved substantially over the past year.

Malicious spam accounted for 5 percent of total spam volume in 2015, down slightly from 6 percent the previous year, suggesting that the economic drivers for spamming malware are a little different from spam advertising magic pills and other dubious products.

Source: 2016 Trustwave Global Security Report

For example, phishing emails are now far better written and they’re also localized to use the local language in every developed economy. This has significantly increased the click ratio and efficiency of malicious spam emails, and it has also reduced the spam filters’ ability to stop phishing and malware-laden emails, which often include attachments loaded with ransomware.

We expect that cybercriminals will continue to refine the messaging included in malicious spam. Additionally, attackers may begin probing the spam filters that specific companies employ, especially when targeting larger organizations.

This means that cybercriminals will prepare the email content and the subject line and select the email servers from the built-in dashboard that current malware-as-a-service often comes with. They might also be able to do a test send-out to probe the potential effectiveness of a certain phishing campaign in a targeted company.

During the next step, attackers may become increasingly interested in measuring email delivery rates to see how well their phishing attack is able to avoid spam filters. Monitoring open rates and click rates will also become a more important factor in determining the impact of a certain type of messaging and improving it for enhanced effectiveness.

This is precisely the approach that any good email marketer has. Naturally, cybercriminals may soon start adopting these techniques, because it means they’ll get a better return on their investments.

Advancing malware delivery via web channels

The current market for web-based malware delivery methods is already highly evolved.

Neutrino, Angler, Magnitude and many other automated exploit kits constantly emerge and re-emerge in the wild, in various combinations with ransomware or other malware. We’ve often reported on them in our security alerts, as we’ve been tracking these exploit kits closely over the course of 2016 and prior to it.

So far, most of these EKs have targeted Flash, Java or other 3rd party applications in their automated malware delivery process. This trend will most likely continue to grow along its current line, but we also expect to see further developments here.

One such development could be that exploit kits start to target even more 3rd party applications, which are commonly used and can provide remote code execution. Another could be that exploit kits combine this with attempts to exploit low-level Windows vulnerabilities.

When it comes to new exploit kits and the web-based attacks they’re used in, we expect them to include:

  • Sandbox detection
  • Exploit code detection and circumvention
  • Mechanisms to scan the endpoint’s memory to spot active protection methods, mimicking how antivirus scans the computer’s memory for malware.


Substantially increased malware sophistication

When it comes to malware itself, we expect new levels of refinement to come to light in the second half of 2016. This may manifest especially in intelligent ransomware, which may start exhibiting DDoS capabilities that can slow down Internet access on both outbound and inbound connections.

Throughout 2015 and the first half of 2016, ransomware has really been the plague of CIOs, CISOs and network administrators.

Is this likely to change soon? Most likely not.

The cybersecurity industry is trying to catch up as quickly as possible with the new evolutions in malware, but malicious software evolves just as quickly to combat the new protection mechanisms that emerge.

In the first half of 2016, we saw malware evolve to specifically circumvent 2nd generation firewalls and evade new detection techniques provided in sandboxing products.

The second half of 2016 will be no different, but will most likely make it even more difficult for network administrators to keep their endpoints safe.

With the advancement of intelligent and automated ransomware attacks, we’ll see cryptoware using even more sophisticated email and web attack paths, as highlighted above. As a consequence, building adequate network defenses will become even more complicated.

5th generation ransomware

The fifth generation of ransomware is knocking on our doors. We expect the first couple of features to follow the lines of current exploit kits and bring forth automated capabilities to detect sandboxing protection and script execution protection.

Simple sandbox solutions aren’t enough though, because in many cases a piece of malicious code and an attack can happen over multiple stages, which makes detection and prevention more challenging, if your sandbox is just relying on a single object.

Source: Jens Monrad in “How to deal with the rising threat of ransomware”

What may be different about future ransomware families is the ability to detect if there are any encryption protection tools in place on the targeted endpoint. These new cryptoware strains may also try to disable this specific protection layer, so they can advance towards their malicious objective.

Existing advanced malware has already adopted these techniques, so it would be logical for ransomware to include these features as well.

In terms of the ransomware’s encryption capabilities, future generations may maintain the same methods. But they could also try to interact more with the network and use it to spread across connected endpoints.

As attack paths become increasingly specific, we also expect ransomware attacks to be far more researched and individually targeted in the near future. This could give them a greater ability to penetrate reactive defenses and perform network-wide attacks.

This means that network administrators, CISOs and CIOs will increasingly become targets. Not even they should routinely give their own accounts full network access.

We’d like to take this opportunity to strongly urge you to separate access levels even more carefully and to use different logins for managing your network’s security and for performing other related tasks. Ransomware only needs one administrator’s credentials to spread across your entire network.

Intelligent ransomware with added capabilities

As part of the ransomware’s evolution, a new tactic could be engineered to allow the cryptoware to flood the outgoing network bandwidth both prior to and after encryption. This would enhance the threat and increase the pressure on network administrators to quickly restore the normal operation. This attack technique could be especially impactful in large organizations.

Many companies would be surprised to find how many of their machines are already part of botnets.

At its peak in 2011, Ponmocup controlled 2.4 million machines, according to researchers from Fox IT. It has by now likely raked in millions of dollars in stolen funds. Its success can be attributed to its regularly maintained and quality-tested infrastructure as well as its huge ecosystem of support, which may include 25 plugins and 4,000 individual variants.

Source: The state of botnets in late 2015 and early 2016

With botnets in the following countries having such a huge number of infections, one of your network’s endpoints is likely to already be infected. It would be relatively easy for cybercriminals to start flooding your Internet access lines and ask for a ransom to free them up.

The actual technique would, of course, require several machines on the network to be infected. This would be necessary in order to have one machine send the signal of the ransomware infection while having others clog up the line. This setup is similar to having a web-based Command and Control server for malware while having “zombies” on the infected network. In this case, both key infection vectors would be in the infected network itself.

This would be a further development to existing ransomware that would greatly increase the pressure on network administrators to fix the problems caused by cryptoware.
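One way a defender can watch for the behaviour described above, where several infected endpoints suddenly saturate the outbound line, is a simple per-host volume baseline with a sustained-spike rule. The script below is an added example, not code from the original post or from any product it mentions; it assumes per-minute outbound byte counts per internal host are available (for example from a firewall or flow collector), and the records it uses are constructed for illustration.

```python
"""Flag endpoints that suddenly saturate outbound bandwidth.

Added example (not part of the original post). It assumes per-minute
outbound byte counts per internal host, such as a firewall or NetFlow
collector would export; the records below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (minute, host, outbound_bytes). All three hosts behave
# normally for 5 minutes, then 10.0.0.12 and 10.0.0.13 start pushing ~100x
# their baseline, i.e. the "clog the line" behaviour described above.
FLOWS = [
    (0, "10.0.0.11", 120_000), (0, "10.0.0.12", 95_000), (0, "10.0.0.13", 80_000),
    (1, "10.0.0.11", 110_000), (1, "10.0.0.12", 90_000), (1, "10.0.0.13", 85_000),
    (2, "10.0.0.11", 130_000), (2, "10.0.0.12", 100_000), (2, "10.0.0.13", 75_000),
    (3, "10.0.0.11", 115_000), (3, "10.0.0.12", 92_000), (3, "10.0.0.13", 82_000),
    (4, "10.0.0.11", 125_000), (4, "10.0.0.12", 97_000), (4, "10.0.0.13", 79_000),
    (5, "10.0.0.11", 118_000), (5, "10.0.0.12", 9_500_000), (5, "10.0.0.13", 8_900_000),
    (6, "10.0.0.11", 121_000), (6, "10.0.0.12", 9_800_000), (6, "10.0.0.13", 9_100_000),
    (7, "10.0.0.11", 119_000), (7, "10.0.0.12", 9_700_000), (7, "10.0.0.13", 9_300_000),
]


def baseline_per_host(flows, learn_minutes):
    """Median outbound bytes per minute for each host over the learning window.

    The median is robust against a single large upload during learning."""
    per_host = defaultdict(list)
    for minute, host, nbytes in flows:
        if minute < learn_minutes:
            per_host[host].append(nbytes)
    return {host: median(vals) for host, vals in per_host.items()}


def flag_flooders(flows, learn_minutes=5, factor=20, min_consecutive=2):
    """Return {host: first_alert_minute} for hosts whose outbound volume
    exceeds factor x baseline for min_consecutive consecutive minutes after
    the learning window.

    Requiring several consecutive minutes avoids alerting on one legitimate
    burst, such as a backup upload finishing."""
    baseline = baseline_per_host(flows, learn_minutes)
    streak = defaultdict(int)
    flagged = {}
    for minute, host, nbytes in sorted(flows):
        if minute < learn_minutes or host not in baseline:
            continue
        if nbytes > factor * baseline[host]:
            streak[host] += 1
            if streak[host] >= min_consecutive and host not in flagged:
                flagged[host] = minute  # first minute the alert fires
        else:
            streak[host] = 0  # the spike was not sustained
    return flagged


def combined_outbound(flows, minute):
    """Total outbound bytes in one minute: the aggregate load on the uplink."""
    return sum(n for m, _, n in flows if m == minute)


if __name__ == "__main__":
    for host, minute in sorted(flag_flooders(FLOWS).items()):
        print(f"ALERT {host}: outbound flood sustained since minute {minute}")
    print("aggregate outbound at minute 7:", combined_outbound(FLOWS, 7))
```

The threshold factor and the length of the learning window are tuning knobs: a file server or backup host has a much higher and more variable baseline than a workstation, so in practice the baseline should be learned per host over a longer period and the hosts flagged here should be checked against known maintenance windows before anyone pulls a cable.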

The 10 Worst Botnet Countries

Source: Spamhaus statistics

Final thoughts on how to be prepared at all times

There is no doubt that the market for malware is quickly evolving. We have here shared some of our thoughts on the challenges we expect to face over the next part of 2016.

We can affirm, with a rather high degree of certainty, that the 3 outlined attack paths will evolve quite fast, continuing the trend defined in the first half of 2016. The actual developments in ransomware are a bit more uncertain, and, for everyone’s sake, we hope they will not become a reality.

Based on these projections, our recommendations for network administrators remain the same:

  • Focus on patching as a key proactive security layer – this can help you block 85% of targeted attacks, according to US-CERT;
  • Explore the benefits of traffic filtering as another proactive security measure that can help you stop incoming malware transfers and block data exfiltration;
  • Install and configure a reliable security solution on all your endpoints;
  • Focus on user education and ensure that all employees are familiar with baseline cybersecurity measures;
  • Employ a content scanning and email filtering solution to keep malicious spam emails from reaching your endpoints’ inboxes;
  • Ensure that your backup policy includes enough redundancy layers and keeps backed-up data current;
  • Deploy a security solution which provides real-time vulnerability intelligence, so you can protect the most vulnerable endpoints in your network before they’re exploited.

Additionally, we’d like to add a few other recommendations that you may want to look into:

  • Do not use your own login as a network administrator for managing the network;
  • Find tools which can monitor if your machines are already part of a botnet;
  • Check with your spam filter provider and find out how they guard against probing;
  • Keep yourself up to date by following some of the best security blogs out there.

The rule of thumb stays the same: learn and adapt or be hacked.
