A ransomware infection is only the beginning of your malware problems: Cisco

Ransomware is increasingly being used as a 'canary in a coal mine' by attackers who are testing victims' defences in preparation for more insidious targeted attacks later on, the head of Cisco's regional security practice has warned as the company's latest cybersecurity report warns businesses to improve their detection capabilities and security hygiene or risk immolation by online attackers.

The Cisco 2016 Midyear Cybersecurity Report warned that a “highly vulnerable hodgepodge of web browsers, applications, and infrastructure has created a fragile foundation” for security. The problem was compounded, the report warned, because businesses become less likely to upgrade the more complex their network infrastructure becomes.

With businesses falling well behind the curve in applying patches to cover vulnerabilities – Internet devices had 28 known vulnerabilities each on average, with 885,918 of 3 million observed Apache httpd server installs for example, noted to have vulnerabilities.

Cisco's security team highlighted concerns that an increase in vulnerabilities involving cryptography and authorisation “are signs that treat actors are now seeking to tamper with secure connections” – often undetected, with studied organisations taking an average of 200 days to detect malware infections; Cisco claimed its median time to detection (TTD) was 13 hours in the six months through April.

The firm's analysis of ransomware actors highlighted the “resilient” attacks they had created, noting that “innovators in the space... took their malware to an entirely new level of effectiveness when they began using cryptographically sound file encryption.” Indeed, ever more-resourceful attackers were proving themselves highly resilient and flexible at adapting attacks to be ever more effective.

This, ANZ general manager of security Anthony Stitt said in a statement, created interplay between ransomware and malware strains that used similar vectors of attack and used ransomware to test victims' defences before launching follow-up stealth attacks.

“If a business or individual is having problems with ransomware, this is sending the message that their IT environment is vulnerable and being exploited,” Stitt said. “Once inside, threats are able to move around unseen for hundreds of days at a time. Practically every major breach is an example of this, which is demonstrative of the need for organisations to dramatically improve their ability to find 'in-progress' problems before they escalate.” “'Point-in-time' solutions just don't cut it anymore; visibility and control are crucial for organisations, whether it be before, during or after attacks.”

Government guidance The report flagged “regulatory complexity and contradictory cybersecurity policies” at the national level as causing problems for international commerce, with “unconstrained” attackers sending profits from malware activities skyrocketing thanks to an expanding focus for attacks, evolving attack methods, and success in using encryption to obscure their operations from discovery.

Ransomware remains the most financially successful style of malware attack – a recent CyberArk study pegged losses to ransomware at $US325m last year alone – attackers are successfully monetising new aspects of the malware ecosystem, with adware recently found to be providing a modest profit for its purveyors.

This success is also creating ethical issues for victims – especially Australian businesses that may be inadvertently funding organised crime in deciding to accept ransomware as a cost of doing business. “Poorly protected devices and software open up operational space to adversaries,” the report warned. “It's up to you to eliminate it. Priority must be placed on reducing unconstrained operational space and making adversary presence known.”