Reviewing the most significant cyber events in 2016, we see several key inflection points that will influence how attack campaigns will be implemented during the next several years. These inflection points helped focus our analysis as we developed the McAfee Labs 2017 Predictions report.
Three months into 2016, people and businesses all over the world began to feel the impact from the increasing volume and intensity of ransomware. As reported by McAfee Labs, we saw a 116% year over year increase in the total number of ransomware samples. This increase was driven by three elements: the transition to an affiliate business model by some of the ransomware authors; continued development of powerful exploit kits such as Angler used by these campaigns; and the intensity and effectiveness of spam bots such as Dridex used to target potential victims.
The structural element that underpins the success of ransomware campaigns is, surprisingly, not the malware itself, but rather the ability to distribute the payment sites and associated Bitcoin wallets across thousands of locations using the TOR server network. This makes it much harder for law enforcement, financial regulators, and industry researchers to track payments back to the attackers. In short, anonymizing networks reduce the financial and legal risks for attackers.
Also in early 2016, McAfee Labs saw a very different type of ransomware attack that targeted hospitals and the healthcare industry. Although these attacks shared some characteristics with broad-based ransomware attacks in how they encrypted key data and held it hostage, the attack profiles in these campaigns were far more like data breach events in how they found, exploited, and traversed targeted enterprise networks. The initial stage in these attacks was a search for vulnerabilities on externally facing services (for example, JBoss vulnerabilities). After successful infiltration, the attackers obtained access to internal networks, established a presence, and in effect implemented a “go anywhere else do anything else” pattern of attack on the networks.
The theme of targeting whole industry sectors by seeking common exploitable services or supply chain exposures came up multiple times during 2016 and represents another example of changing attack patterns. Attacks targeted the hospitality and leisure industries, and a series of attacks went after payments run through the SWIFT interbank messaging system, including the $81 million heist from the Bank of Bangladesh on March 10. The malicious code used against the Bank of Bangladesh shares many similarities with code used in prior data breach attacks, including the 2014 attack against Sony Pictures. The SWIFT malware used in the attacks was tailored to the environment of the victim. Data appeared to have come from someone with insider knowledge of the industry or of specific financial institutions. The SWIFT case had a ripple effect, and more insider attacks at other banks were discovered.
Later in 2016, we witnessed instances of attacks motivated by a desire to do reputational damage to their victims. Multiple attacks were carried out against various national and international organizations during the Olympics, including July attacks against the World Anti-Doping Agency and US political parties. Unlike traditional attacks that seek access to financial or personal data for financial gain, these attacks were designed to expose organizational or personal secrets. These secrets were frequently contained in email messages, that is, in unstructured data sets. Many companies do not spend enough time doing risk assessment or putting in place effective data protection plans to protect unstructured data.
As we now look to predictions for 2017, we pick up some of those same themes, including a prediction that the increase in ransomware campaigns will start to subside in the second half of 2017. The maturing of campaign types is a natural cycle (we saw this in the mid-2000s with adware and spyware campaigns) that comes from the combined result of more effective protection technologies being deployed in the field along with concerted global efforts by law enforcement and industry researchers to shut down key structural elements of the campaigns.
In our 2017 predictions report, we also discuss two trends that will shape the types of attacks we will see in the future. The first is the increasing use of machine learning, data aggregation, and data analytics by attackers to create broad-based but highly customized attacks. The second is the increasing impact of attacks against, and attacks leveraging, Internet of Things (IoT) devices. In 2016, we saw multiple high-intensity attacks against journalists and internal core infrastructure providers using “IoT cannons” with capacities measured at 665 Gb of traffic per second and capable of going well beyond 1 Tb per second. These attacks were partially launched from the Mirai botnet, which controlled hacked IoT devices (routers, IP cameras, and digital video recorders) and exploited their weak security posture, especially those with fixed or default passwords. We will see many more attacks exploiting weak IoT security and, given the sheer number of IoT devices expected to be deployed during the next five years, their influence on shaping the overall threat landscape will continue to grow significantly. The one safe prediction is that 2017 will prove to be yet another “interesting” year for cyber events and cyber security.