The Ransomware Evolution: What is Happening in Europe?

The European situation, as shown by the Cisco 2018 Security Capabilities Benchmark Study (SCBS), compiled through interviews given by 956 CISOs in 8 European countries, reveals that the average percentage of alerts that are investigated is 57% overall, compared to 72% in Russia and 53% in the USA. In Europe, therefore, 43% of alerts are not investigated, which means that many legitimate alerts go unremediated.

Source: Cisco 2018 Security Capabilities Benchmark Study

Why? One reason appears to be the lack of headcount and trained personnel needed to meet the demand to investigate all alerts. According to the SCBS:

- 27% of the companies interviewed pointed to a shortage of qualified personnel as one of the main obstacles in adopting advanced cyber security technologies.

- Of the alerts deemed legitimate, 51% are remediated.

On the other side, adversaries are taking malware to unprecedented levels of sophistication and impact according to the Cisco Annual Security Report.

The evolution of malware was one of the most significant developments in the attack landscape in 2017. The advent of network-based ransomware cryptoworms eliminated the need for the human element in launching ransomware campaigns. And for some adversaries, the prize isn’t ransom, but obliteration of systems and data, as Nyetya - wiper malware masquerading as ransomware - proved.

In 2017, adversaries took ransomware to a new level - although it had been expected. After the SamSam campaign of March 2016 - the first large-scale attack that used the network vector to spread ransomware, thereby removing the user from the infection process - Cisco threat researchers knew it would only be a matter of time before threat actors found a way to automate this technique. Attackers would make their malware even more potent by combining it with “worm-like” functionality to cause widespread damage.

This malware evolution was swift. In May 2017, WannaCry - a ransomware cryptoworm - emerged and spread like wildfire across the Internet.

Nyetya arrived in June 2017. This wiper malware also masqueraded as ransomware. Nyetya was deployed through software update systems for a tax software package used by more than 80 percent of companies in the Ukraine, and installed on more than 1 million computers.

Before the rise of self-propagating ransomware, malware was distributed in three ways: drive-by download, email, or physical media such as malicious USB memory devices. All methods required some type of human interaction to infect a device or system with ransomware. With these new vectors being employed by attackers, an active and unpatched workstation is all that is needed to launch a network-based ransomware campaign.

Security professionals may see worms as an “old” type of threat because the number of worm-like Common Vulnerabilities and Exposures (CVEs) has declined as product security baselines have improved. However, self-propagating malware not only is a relevant threat, but also has the potential to bring down the Internet, according to Cisco threat researchers. WannaCry and Nyetya are only a taste of what’s to come, so defenders should prepare.

How are companies in Europe dealing with the increased sophistication and impact of malware?

There are a number of security improvements that defenders can make to reduce their exposure to emerging risks. One trend that we are seeing is organisations' increasing reliance on automation, machine learning and artificial intelligence. In fact, according to the 2018 Security Capabilities Benchmark Study, 72% of European organisations rely on machine learning to reduce the effort needed to secure their environments. Technology can be a great ally in reducing the burden of managing complex IT security infrastructures.

An example is Cisco Cognitive Threat Analytics, which pinpoints attacks before they can exfiltrate sensitive data. It analyzes web traffic, endpoint data from Cisco AMP for Endpoints, and network data from Cisco Stealthwatch Enterprise. It then uses machine learning to identify malicious activity.

Another example of the use of machine learning comes from the industry-leading threat intelligence team, Cisco Talos. With over 250 researchers, Talos detects and responds to threats in real time. They analyse 1.5 million samples of malware and 600 billion emails. The first step is automated analysis, such as artificial intelligence and machine learning, to eliminate the majority of the threats. They then bring in a second layer of specialized tools, and the last part of the funnel is humans, who solve the complex problems. They have over 250 threat researchers around the world with expertise in hardware, malware analysis, vulnerability research, and more. The outcome is the ability to block 20 billion threats daily.

High standards in cyber security can boost agility, improve operations and encourage innovation to become a business growth driver. As the CISO of Ibermutuamur, María de la Peña, sees it, “Every incident avoided justifies in itself the use of advanced protection systems”.

https://blogs.cisco.com/security/the-ransomware-evolution-what-is-happening-in-europe