Fresh solutions needed as ransomware gathers strength

In the last few months, ransomware (ransomware-as-a-service) attacks have clearly increased in strength. They consist in blocking the user's access to resources (documents, files, databases) and forcing a ransom in exchange for restoring the access. The estimated number of such attacks in 2019 increased by 118% compared to the previous year (McAfee Labs Threats Report 2019). Rather than encrypting data, today’s ransomware "shuffles" it, which allows for effectively bypassing most security measures, especially those based on entropy analysis.

Hackers are interested in almost every area of the virtual world where profits can be made. Apart from the health care sector, public sector or cloud services, hackers have traditionally targeted online banking. But gaining in notoriety are the stories about attacks on loyalty services – on points acting as a virtual currency.

Despite the fact that cyber-threats are a global phenomenon, the types of malware operating in a specific region of the world differ from each other. The popularity of a particular type of malware depends on the economic situation, political realities or culture.

In the APAC region, the popularity of backdoors and exploits that help take control of endpoints was noted for 2019 by Malwarebytes analysts. In the EMEA area and North America, said the analysts, the popularity of trojans has increased by 150% year to year. One of the most popular varieties was the Emotet trojan, which has been used to steal money thanks to the Man-In-The-Browser mechanism since 2014, gaining new functions along the way, such as:

- Automatic transfer mechanism

- Sending spam with links to fake websites (powerful phishing campaign in 2017)

- C&C module

The biggest threats against banking include malware installed on the client's station. A good example of this is Ramnit, first heard of in 2010. Since then, the software has evolved a lot, drawing on the published code of another well-known malware – Zeus. Today, it can take screenshots, help to launch a Man-In-The-Middle attack, steal cookies or passwords, and allows attackers to add exceptions to antivirus programs.

Ursnif, which was distributed as CAB files at the beginning of this year, has undergone a similar evolution. The software allowed for stealing financial data, accessing e-mail accounts and content, robbing wallets with crypto currencies, or executing remote commands (C&C server). It also has mechanisms that make it difficult to be detected by antivirus software.

The situation is equally serious in the case of mobile platforms, where most of the threats in 2019 were focused on the financial sector.

It was a difficult year for the iOS platform; in the first quarter alone, heavily exploited vulnerabilities in the Federation and IOKit components have surfaced, allowing for the escalation of privileges on iOS 12.1.4. Android was no better: experts from G Data estimate that every eight seconds a new virus for the system is published. In the first half of the year, the number of these viruses amounted to 1.85 million.

The most dangerous of the threats detected on Android this year was Triad. Pre-installed version of this malware was even detected in several cheap smartphone models. Triad is one of the most complex malicious modular applications that have been identified so far. It can bypass built-in Android security, steal data, or compile an encrypted channel with a C&C server. It is also very difficult to remove.

The way to fight the growing number of threats is, first of all, a proper way of designing, supervising and developing applications. According to Gartner's recommendation, good practices include:

- Enriching applications with a security layer through a dedicated SDK

- Use of guides and security checklists

- Architecture that reduces the risk of vulnerabilities (security by design)

- Use of wrappers to protect data against risks

- Code obfuscation and data encryption

- Application hardening (eg. boot protection on a rooted device)

- Verification of correlations linked

Following the practices above and strict adherence to the principles of secure code manufacturing is essential. Attack vectors change all the time. More and more often, they also affect shared libraries. This type of attack allows a criminal to incorporate an infected code into a legitimate client application and widely distribute vulnerabilities through the channels of a software vendor.

It is important that applications have mechanisms to monitor their performance, the state of the runtime environment and user behaviour (eg. Comarch tPro Mobile SDK). More and more popular are the solutions that let you test device reputation and run adaptive authentication. Thanks to constant analysis of applications, user behaviour and device status, it is possible to limit the use of the second factor to the necessary minimum.

MTD (Mobile Threat Defense) solutions allow for constant control both on the mobile device side as well as on the server side. Thanks to this, the parameters of the device can be correlated with the historical activity of the user. MTDs integrated with MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) systems allowing for precise management of devices, privileges and mobile applications in the organization.

The subject of cyber security is so broad today that there is no single effective solution to ensure security. One should look for solutions that respond to specific risks and allow the user to prevent or minimize the effects of their occurrence.

The combination of MTD tools with tools for strong user authentication provides effective protection against most threats such as malware, phishing, MITM and MITB attacks. Threats such as ransomware must be tackled in a different way, eg. by continuous backup mechanisms (snapshots that allow for restoring data from before an unauthorized modification). Combining different products means covering a wider range of threats and risks.

Learn more at Comarch Cyber Security

Paweł Bułat is a product manager at Comarch, a global creator of innovative solutions and information systems.