Intel Security

McAfee Labs Report Sees New Ransomware Surge 165 Percent in First Quarter of 2015

Report Reveals Massive Growth in New Ransomware and Praises Adobe Security Team’s Speed in Addressing 42 Adobe Flash Vulnerabilities in Q1 2015

News Highlights:

  • New ransomware surges 165 percent in Q1 2015 largely due to proliferation of the CTB-Locker family and its “affiliate” program, a new ransomware family called Teslacrypt, and new versions of CryptoWall, TorrentLocker and BandarChor
  • New Adobe Flash malware grows 317 percent as attackers shift focus from Java archive and Microsoft Silverlight vulnerabilities to exploit un-patched Adobe Flash vulnerabilities
  • Adobe Security Team  provides patches to all 42 new Adobe Flash vulnerabilities on the same day they are submitted to the National Vulnerability Database
  • New details about Equation Group firmware attacks using hard disk drive (HDD) and solid state drive (SSD) reprogramming technologies

SANTA CLARA, Calif. June 9, 2015 — Intel® Security today released its McAfee Labs Threats Report: May 2015, which includes revelations on the rapid proliferation of new ransomware, HDD and SSD firmware attacks by the Equation Group computer espionage group, and a major increase in malware targeting Adobe Flash multimedia software.

In the first quarter of 2015, McAfee Labs registered a 165 percent increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. McAfee Labs attributes CTB-Locker’s success to clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages.

McAfee Labs suggests organizations and individuals make it a priority to learn how to recognize phishing emails, including the use of tools such as the Intel Security Phishing Quiz: Phishing Quiz Link

The first quarter also saw new Adobe Flash malware samples increase by 317 percent, researchers attribute the rise to several factors: the popularity of Adobe Flash as a technology; user delay in applying available Adobe Flash patches; new methods to exploit product vulnerabilities; a steep increase in the number of mobile devices that can play Adobe Flash files (.swf); and the difficulty of detecting some Adobe Flash exploits. Researchers are seeing a continued shift in focus among exploit kit developers, from Java archive and Microsoft Silverlight vulnerabilities to Adobe Flash vulnerabilities.

Forty-two new Adobe Flash vulnerabilities were submitted to the National Vulnerability Database in Q1. On the same day those vulnerabilities were posted, Adobe made initial fixes available for all 42 vulnerabilities.

“With the popularity of a product like Flash, there comes a tremendous responsibility to proactively identify and mitigate security issues potentially threatening millions of users,” said Vincent Weafer, senior vice president, McAfee Labs. “This research nicely illustrates how the tech industry works together constructively to gain an advantage in the realm of cybersecurity – industry partners sharing threat intelligence, and technology providers acting on information quickly to help prevent potential issues.”

To fully leverage vendor efforts to address vulnerabilities, McAfee Labs urges organizations and individual users to be more diligent in keeping their products updated with the latest security patches.

In February 2015, the cybersecurity community became aware of efforts by a secretive outfit called Equation Group to exploit HDD and SSD firmware. McAfee Labs assessed the reprogramming modules exposed in February and found that they could be used to reprogram the firmware in SSDs in addition to the previously-reported HDD reprogramming capability. Once reprogrammed, the HDD and SSD firmware can reload associated malware each time infected systems boot and the malware persists even if the drives are reformatted or the operating system is reinstalled. Once infected, security software cannot detect the associated malware stored in a hidden area of the drive.

“We at Intel take hybrid software-hardware threats and exploits seriously,” continued Weafer. “We have closely monitored both academic proofs of concept and in-the-wild cases of malware with firmware or BIOS manipulation capabilities, and these Equation Group firmware attacks rank as some of the most sophisticated threats of their kind. While such malware has historically been deployed for highly-targeted attacks, enterprises should prepare themselves for the seemingly inevitable ‘off-the-shelf’ incarnations of such threats in the future.”

McAfee Labs advises that organizations take steps to strengthen threat detection at the known initial attack vectors, such as phishing messages with malicious links and malware-infected USB drives and CDs, as well as consider solutions that can help prevent data exfiltration.

The May 2015 report also identified a number of other developments in the first quarter of 2015:

  • PC Malware Growth. The first quarter saw a slight decline in new PC malware, a development primarily due to the activity of one adware family, SoftPulse, which spiked in Q4 2014 and returned to normal levels in Q1 2015. The McAfee Labs malware “zoo” grew 13 percent during that time, and now contains 400 million samples.
  • Mobile Malware. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015.
  • SSL-Attacks. SSL-related attacks continued in Q1 2015, although they tapered off in number relative to Q4 2014. This reduction is likely the result of SSL library updates that have eliminated many of the vulnerabilities exploited in prior quarters. Shellshock attacks are still quite prevalent since their emergence late last year.
  • Spam Botnets. The Dyre, Dridex, and Darkmailer3.Slenfbot botnets overtook Festi and Darkmailer2 as the top spam networks; pushing pharmaceuticals, stolen credit cards, and “shady” social-media marketing tools

For more information, please read the full report: McAfee Labs Threats Report: May 2015.

For guidance on how organizations can better protect their enterprise from the threats detailed in this quarter’s report, please visit: Enterprise Blog

For a list of safety tips to help individual users protect themselves from threats detailed in this quarter’s report, please visit: Consumer Blog

About McAfee Labs
McAfee Labs is the threat research division of Intel Security and one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. The McAfee Labs team of more than 400 researchers collects threat data from millions of sensors across key threat vectors—file, web, message, and network. It then performs cross-vector threat correlation analysis and delivers real-time threat intelligence to tightly integrated McAfee endpoint, content, and network security products through its cloud-based McAfee Global Threat Intelligence service. McAfee Labs also develops core threat detection technologies—such as application profiling, and graylist management—that are incorporated into the broadest security product portfolio in the industry.

About Intel Security
McAfee Labs is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique McAfee Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. The mission of Intel Security is to give everyone the confidence to live and work safely and securely in the digital world. www.intelsecurity.com.

No computer system can be absolutely secure.

Note: Intel, Intel Security, the Intel logo, McAfee and the McAfee logo are trademarks or registered trademarks of Intel Corporation in the United States and other countries.

*Other names and brands may be claimed as the property of others.

###

Contacts:
Chris Palm
Intel Security
408-346-3089
Chris_Palm@mcafee.com

Janelle Dickerson
Zeno Group
650-801-0936
Janelle.Dickerson@zenogroup.com