Ransomware up 165% in Q1 2015, new Intel Security report says

There has been a 165% increase in new ransomware in the first quarter of 2015 from Q4 2014, largely due to the proliferation of the hard-to-detect CTB-Locker ransomware family, according to an Intel Security report released on Tuesday.

The McAfee Labs Threats Report: May 2015 said that McAfee Labs registered a 165% increase in new ransomware, mainly driven by the CTB-Locker family, a new ransomware family called Teslacrypt and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor. [click image below to enlarge]

As a type of malware, ransomware is so called because it restricts access to the computer system it infects and demands a ransom be paid to the creator of the malware to remove the restriction.

“McAfee Labs attributes CTB-Locker’s success to clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages,” Intel Security said in a press release.

Half of CTB locker victims were in North America.

In addition to the rapid proliferation of CTB-Locker, the first quarter also saw new Adobe Flash malware samples increase by 317% from Q4 2014 “as attackers shift focus from Java archive and Microsoft Silverlight vulnerabilities to exploit unpatched Adobe Flash vulnerabilities.” Researchers attributed the increase to several factors: the popularity of Adobe Flash as a technology; user delay in applying available Adobe Flash patches; new methods to exploit product vulnerabilities; a steep increase in the number of mobile devices that can play Adobe Flash files (.swf); and the difficulty of detecting some Adobe Flash exploits.

A total of 42 new Adobe Flash vulnerabilities were submitted to the National Vulnerability Database in Q1. But on the same day those vulnerabilities were posted, Adobe made initial fixes available for all 42 vulnerabilities, the report noted. [click image below to enlarge]

“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues potentially threatening millions of users,” said Vincent Weafer, senior vice president, McAfee Labs, in a statement. “This research nicely illustrates how the tech industry works together constructively to gain an advantage in the realm of cybersecurity – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues.”

To fully leverage vendor efforts to address vulnerabilities, McAfee Labs urged organizations and individual users to be “more diligent in keeping their products updated with the latest security patches.” [click image below to enlarge]

The report also discussed “the efforts by a secretive outfit called Equation Group” to exploit hard disk drive (HDD) and solid state drive (SDD) firmware. McAfee Labs assessed the reprogramming modules exposed in February and found that they could be used to reprogram the firmware in SSDs in addition to the previously-reported HDD reprogramming capability. “Once reprogrammed, the HDD and SSD firmware can reload associated malware each time infected systems boot and the malware persists even if the drives are reformatted or the operating system is reinstalled,” the statement warned. “Once infected, security software cannot detect the associated malware stored in a hidden area of the drive.”

Weafer said that the Equation Group firmware attacks “rank as some of the most sophisticated threats of their kind. While such malware has historically been deployed for highly-targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future,” he cautioned. [click image below to enlarge]

The report identified a number of other developments in the first quarter of 2015:

• PC Malware Growth. The first quarter saw a slight decline in new PC malware, a development primarily due to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware “zoo” grew 13% during that time, and now contains 400 million samples;

• Mobile Malware. The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015; and

• SSL-Attacks. SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. “This reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters,” the report said, adding that Shellshock attacks are still quite prevalent since their emergence late last year.