Number of Ransomware Domains Grew 3500% in Q1 2016

The number of ransomware domains created in the first quarter of 2016 jumped by 3500% compared to Q4 2015, according to research by network control company Infoblox.

The firm’s Infoblox DNS Threat Index, a quarterly indicator of malicious activity worldwide exploiting the Domain Name System (DNS), hit an all-time high of 137 - an increase of 7% from the already elevated level of 128 in the prior quarter.

Additionally, exploit kits were revealed to be the biggest threat, accounting for just over 50% of the overall index.

Rod Rasmussen, vice-president of cybersecurity at Infoblox, said: “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises. The threat index shows cyber-criminals rushing to take advantage of this opportunity.”

Ransomware regularly traps both companies and general internet users alike, with victims often seeing no alternative but to pay up to avoid losing precious data. Of course, there is no guarantee that, even once the ransom has been paid, the hackers will actually decrypt the files – so it can leave victims in a desperate position if they are not prepared for such an attack.

Ben Johnson, chief security strategist at Carbon Black, told Infosecurity it comes as no surprise that we’ve seen such a significant rise in ransomware in recent times.

“Attackers know very well the far-reaching effects that ransomware can have on all types of organizations,” he said. “More importantly, they know that most organizations are willing to pay money to ‘get back to normal’.

“Attackers realize this overwhelming leverage and, since they have very little empathy, are increasingly targeting vulnerable organizations and people,” he added.

Interestingly, whist the US remains the top host for newly created or exploited malicious domains accounting for 41% of the observations, Infoblox discovered that Portugal (17%), Russian Federation (12%), the Netherlands (10%), UK (8%) and Iceland (6%) all saw major increases in activities.

“Cyber-criminals are as likely as anyone else to take advantage of sophisticated infrastructure, and all of the countries in this quarter’s list fit that description,” said Lars Harvey, vice-president of security strategy at Infoblox. “But the geographic spread shows that much like cockroaches that scurry from the light, cyber-criminals are quick to shift to a more advantageous location as needed.”

Johnson added that the conversation of how to best deal with ransomware is likely to continue for some time and suggested we are yet to truly see the full scale of the ransomware problem since many organizations are simply paying the money and staying quiet about it. 

However, there are steps that companies can take to put themselves in the strongest possible position to defend against it.

“These tailored attacks require tailored defenses and many organizations are still relying on traditional anti-virus to protect their enterprises,” he said.

“There are things organizations can do to make themselves harder targets. For one: stop relying on anti-virus alone to protect endpoints, a more sophisticated approach is needed. Whitelisting, whereby a threat is assessed against a set of policies and common characteristics to see if there is a likely issue, can help to spot this type of malware even if it has never appeared before. This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before; if it hasn’t, then it is likely to be zero-day and hazardous. This allows organizations to get smarter about security and avoid falling into these sort of traps.”

What’s Hot on Infosecurity Magazine?