Ransomware domains in massive increase in Q1 of 2016

Explosion in ransomware drives Infoblox DNS Threat Index to an all-time high

Tags: Infoblox (www.infoblox.com)United Arab Emirates
  • E-Mail
Ransomware domains in massive increase in Q1 of 2016 Rasmussen notes a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists to industrial-scale, big-money attacks.
By  David Ndichu Published  June 2, 2016

The first quarter of 2016 witnessed a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015, the Infoblox DNS Threat Index for the period shows.

This dramatic uptick helped propel the overall threat index, which measures creation of malicious Domain Name System (DNS) infrastructure including malware, exploit kits, phishing, and other threats, to its highest level ever.

Ransomware is a relatively brazen attack where a malware infection is used to seize data by encrypting it, and then payment is demanded for the decryption key. According to Rod Rasmussen, vice president of cybersecurity at Infoblox, “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises. The threat index shows cybercriminals rushing to take advantage of this opportunity.”

The FBI recently revealed that ransomware victims in the United States reported costs of $209 million in the first quarter of 2016, compared to $24 million for all of 2015. High-profile Q1 ransomware incidents include the February 2016 attack on Hollywood Presbyterian Medical Center in Los Angeles and the March 2016 breach at MedStar Health in Washington D.C.

The Infoblox DNS Threat Index hit an all-time high of 137 in Q1 2016, rising 7 percent from an already elevated level of 128 in the prior quarter, and topping the previous record of 133 established in Q2 2015.

The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

The United States continues to be the top host for newly created or exploited malicious domains, accounting for 41 percent of the observations, a significant drop from last quarter’s 72 percent lion’s share. Five other countries and regions saw major increases in activities:

Portugal at 17 percent; Russian Federation at 12 percent; Netherlands, 10 percent; the UK at 8 percent; and a surprise entry in the form of Iceland at 6 percent.  

Germany, which last quarter accounted for almost 20 percent of newly observed malicious domains and related infrastructure, nearly dropped off the list at less than 2 percent.

“Cybercriminals are as likely as anyone else to take advantage of sophisticated infrastructure, and all of the countries in this quarter’s list fit that description,” said Lars Harvey, vice president of security strategy at Infoblox. “But the geographic spread shows that much like cockroaches that scurry from the light, cybercriminals are quick to shift to a more advantageous location as needed.”

Exploit kits remain top threat

Exploit kits—toolkits for hire that make cybercrime easier by automating malware creation and delivery—remain the biggest threat, accounting for just more than 50 percent of the overall index. As in past quarters, Angler remains the most used exploit kit, but a new contender has emerged from far back in the pack: observations of Neutrino grew by 300 percent. Angler is notorious for pioneering the “domain shadowing” technique used to defeat reputation-based blocking strategies, and for infiltrating malicious URLs into legitimate ad networks, taking visitors to websites that insert malware even if they don’t click on the infected ads. Various iterations of recent Neutrino campaigns have been observed to infect victims’ systems with various versions of ransomware such as Locky, Teslacrypt, Cryptolocker2, and Kovter.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code