Ransomware Trojans - security theme of the year

Every year on December 31, Kaspersky Lab experts go to the bath with friends to sum up. The results of the year consist of objective statistics from our cloud system, the Kaspersky Security Network, and a subjective selection of key security events and their assessment. Moreover, the subjective assessment is no less important than visual statistics of statistics on various types of attacks. In the predictions for 2016, special attention was paid to targeted attacks: our specialists gave them higher priority than high-class attacks using the most advanced cyber weapon. It’s all a matter of potential damage, and that it is possible to pick up the keys to protecting the company, even without using “malicious software” at all.

As a result, it turns out that there can be a great many types of attacks, and assessing them all in chorus, measuring the average temperature “at the hospital” will not work. Statistics provides only half of the understanding of the cyber threats landscape, the second half is the experience of specialists and its application to a specific set of software, hardware and people in a particular company or industry. The annual Kaspersky Security Bulletin implements this dichotomy regarding the final reporting period.

As usual, I recommend watching the full report: here and here . I want to discuss in detail two key topics: the development of ransomware Trojans and the measurement of the speed of response to incidents in real money.

Cryptolochers

Why the theme of the year? If the ransomware Trojans are evaluated on the standard scale of complexity or perfection of malicious code, they are hardly worthy of attention. Most cryptoscopes are extremely dull. They use conventional and usually easily blocked means of penetrating the victim’s computer. Often it is not even an exploit, but social engineering. Why did they even become a problem that affects everyone, anyway? The only difference between extortionists from traditional malicious software is money. Losing data is scary, but crypto-infection is either an instant loss of data or a quick loss of money. The development of cryptographs has become possible due to the development of anonymization technologies for both networking and payments, using cryptocurrencies. In the real world, extortion is easy to track down. In the virtual - very difficult. Kryptolkers bring real money, and are developed not by technology, but by a business model.
')
The report "Laboratories" well shows how they develop. In 2016, 62 new families of ransomware Trojans appeared, and the number of modifications increased several times: 2900 were recorded in January-March, 32000 in July-September.


Top 10 ransomware, most often attacking users in 2016.

Yes, there were extortionists with interesting technical solutions. The " Peter " Trojan did not bother with encrypting individual files, took the entire disk as a hostage. TeamXRat campaign brute force server passwords with further installation of the Trojan without the knowledge of the owner. The Shade Trojan variant analyzed the contents of the infected computer, and in the case of detection of banking software, switched to spy mode. But there was much more gloom, including copying texts demanding ransom, releasing new Trojans, mimicking old ones, and, as a reference example, the Hindu Trojan with errors .

But with the business model all is well. In the underground, there was a mass of affiliate programs that allow you to become on the slippery slope of cybercrime without much experience and knowledge.


For large businesses, cryptographs have never been a particular problem, but for small companies they have become a real headache. According to our data, 42% of small and medium-sized companies were attacked last year. 32% of the victims paid a ransom, of which 20% did not get access to the data even after payment.

Well and the main thing: with crypto-fiber it is clear how to fight. In terms of protection technologies, this is a well-known threat. The problem is to reach those who have not enough money to protect either money or knowledge. There are two ways: collective (police + security experts) initiatives to decipher data from victims of crypto-fiber, and more accessible software. For example, “Laboratories” this year released a free specialized solution to combat extortionists.

Cost of delay

Let's return to targeted attacks. Unlike extortionists, they are really difficult to calculate by general statistics: hacking methods are always different, targeting specific vulnerable points of the infrastructure, the damage is also different. This year we interviewed business representatives around the world and considered some kind of spherical cost of recovery after a cyber attack: it turned out a little less than 900 thousand dollars for large organizations and 86 thousand for small and medium businesses. A targeted attack, as expected, costs more, about $ 1.4 million for an incident with large organizations. But these are average numbers: specifically, in your company, an incident can “cost” in a completely different way.

Such general statistics do not explain the effectiveness of return on investment. In theory, if a company actively invests in security, it loses less in cyber attacks. Does this mean it will save about a million from each successful incident? Not necessary. Effective protection should generally be judged not by the absence of cyber attacks, but rather by the speed of response and the scale of the consequences. The annual report shows just such numbers. We divided the surveyed companies by typical incident detection time: from “hours” to “months”. And compared the average cost of recovery.


The difference (for large companies) is almost three times between “found right away” and “after a week or more.” Meanwhile, seven percent of companies had at least one incident, discovered only a few months later. Organizations that usually detect incidents are rather late rather than early, most often identifying a problem with an external or internal security audit.

So, the detection rate is not at all about the amount of installed security software, not about the quality of the perimeter defense and everything else. It is about the knowledge and the availability of specialists capable of applying this knowledge. Targeted attacks are an example of cyber threats, which, yes, can be prevented. But we must always be prepared for the successful penetration to occur. In this case, the sooner the problem is found, the cheaper it will cost the company - the above shows how much.

By the way, for the first time in the summer we raised this topic with the publication of a similar comparison of typical company losses from incidents, depending on their ability to find cool information security specialists. Correlation, on three different issues, similar:


Such is the translation of specialized knowledge into the bubble language. A good argument for the next conversation with the boss about budgeting. In such a context, kryptoloculars look like a small problem solved by a limited set of well-established tools. The trouble is that the modern landscape of threats consists of much more complex problems, some of them (for example, social engineering) are generally poorly solved by software. Judging by the predictions for 2017, the impact of non-standard cyber threats on business will only grow.