Non-malware attacks are on the rise
Security pros need to pay attention to malicious activities that do not rely on actual malware to succeed, according to a study by Carbon Black.
Attacks that exploited applications and processes legitimately running on systems – non-malware incidents – have risen from representing about 3% of all attacks in January to about 13% in November, the company’s “Non-malware attacks and ransomware take centre stage in 2016,” the report says.
“Non-malware attacks are at the highest levels we have seen and should be a major focus for security defenders during the coming year.”
A thousand voices
The research included data from more than 1,000 Carbon Black customers that represent 2.5 million-plus endpoints. For measuring the non-malware attacks, the authors considered the malicious use of PowerShell and Windows Management Instrumentation were considered.
“Non-malware attacks typically do not require downloading additional malicious files and are capable of conducting extremely nefarious activities such as stealing data, stealing credentials, and spying on IT environments,” the report says.
One example is PowerWare, which uses PowerShell to download and execute ransomware on victim machines. Using PowerShell helps keep the attack under the radar because it is a legitimate Windows utility whose use wouldn’t necessarily raise alarms. Similarly, Windows Management Instrumentation (WMI) is also used to deliver attacks because it, too, is a legitimate utility.
In considering these attacks, Carbon Black separates out what it calls severe non-malware attacks, and says there have been 33% more of them so far in the fourth quarter of this year than in the first. The report says a third of organisations will run into such attacks in a 90-day-period.
The report defines “severe” as attacks including suspicious command lines and delivering executable code directly to PowerShell. These assaults also show additional malicious techniques such as executing dynamically delivered shellcode, reading memory of other processes, or injecting into other running processes.
Ransomware on the rise
The report also addresses the rise of ransomware attacks against businesses. They have grown by 50% compared to last year, the report says, and the criminals behind them are on track to pull in $850 million (€813 million), up from $24 million (€23 million) last year.
“Ransomware has emerged as the fastest-growing malware category across all industries in 2016, with major increases seen at technology companies, energy/utility companies and financial organisations since 2015,” the report says.
In addition to becoming more widespread, ransomware attacks are becoming better coordinated. For example, a ransomware attack on the San Francisco Municipal Transportation Agency last month hit 2,000 machines at once, Carbon Black notes.
Locky has been particularly effective. This strain accounted for a quarter of all ransomware attacks in 2016, making it the top ransomware family, yet it wasn’t even in the top five most used schemes used in 2015. It has also been upgraded throughout the year so it can now be spread through Facebook and instant messaging.
IDG News Service