Explosion in ransomware drives all-time high in malicious domain creation

Infoblox Inc. (NYSE:BLOX), the network control company, today released the Infoblox DNS Threat Index for the first quarter of 2016, highlighting a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015. This dramatic uptick helped propel the overall threat index, which measures creation of malicious Domain Name System (DNS) infrastructure including malware, exploit kits, phishing and other threats, to its highest level ever.

Ransomware is a relatively brazen attack where a malware infection is used to seize data by encrypting it, and then payment is demanded for the decryption key. According to Rod Rasmussen, vice president of cybersecurity at Infoblox, “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organisations, including major enterprises. The threat index shows cybercriminals rushing to take advantage of this opportunity.”

The Cyber Threat Alliance estimated that in 2015 the global cost of damages of CryptoWall, currently one of the most lucrative and broad-reaching ransomware campaigns on the Internet, was $325 million and impacted hundreds of thousands of victims. Recent high-profile ransomware incidents include the debilitating ransomware attack on Lincolnshire County Council in January 2016, and the February 2016 attack on Hollywood Presbyterian Medical which resulted in a transaction of $17,000 in bitcoin to the hackers to decrypt the hospital’s files.

This activity coincided with numerous warnings to British businesses from CERT-UK, the UK National Computer Emergency Response Team, of the new ransomware threat named “Locky”.

Record Number of New Malicious Domains

The Infoblox DNS Threat Index hit an all-time high of 137 in Q1 2016, rising 7 percent from an already elevated level of 128 in the prior quarter, and topping the previous record of 133 established in Q2 2015. The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

Five New Countries Top List of Those Hosting Malicious Domains

The United States continues to be the top host for newly created or exploited malicious domains, accounting for 41 percent of the observations, a significant drop from last quarter’s 72 percent lion’s share. Five other countries and regions saw major increases in activities:

  • Portugal—17 percent
  • Russian Federation—12 percent
  • Netherlands—10 percent
  • United Kingdom—8 percent
  • Iceland—6 percent

Germany, which last quarter accounted for almost 20 percent of newly observed malicious domains and related infrastructure, nearly dropped off the list at less than 2 percent.

“Cybercriminals are as likely as anyone else to take advantage of sophisticated infrastructure, and all of the countries in this quarter’s list fit that description,” said Lars Harvey, vice president of security strategy at Infoblox. “But the geographic spread shows that much like cockroaches that scurry from the light, cybercriminals are quick to shift to a more advantageous location as needed.”

Exploit Kits Remain Top Threat

Exploit kits—toolkits for hire that make cybercrime easier by automating malware creation and delivery—remain the biggest threat, accounting for just more than 50 percent of the overall index. As in past quarters, Angler remains the most used exploit kit, but a new contender has emerged from far back in the pack: observations of Neutrino grew by 300 percent. Angler is notorious for pioneering the “domain shadowing” technique used to defeat reputation-based blocking strategies, and for infiltrating malicious URLs into legitimate ad networks, taking visitors to websites that insert malware even if they don’t click on the infected ads. Various iterations of recent Neutrino campaigns have been observed to infect victims’ systems with various versions of ransomware such as Locky, Teslacrypt, Cryptolocker2 and Kovter.

About DNS and the Infoblox DNS Threat Index

DNS is the address book of the Internet, translating domain names such as www.google.com into machine-readable Internet Protocol (IP) addresses such as 74.125.20.106. Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

For more details about the Infoblox DNS Threat Index methodology and to read the full report for the first quarter of 2016, go to www.infoblox.com/dns-threat-index.

[su_box title=”About Infoblox” style=”noise” box_color=”#336588″][short_info id=’60472′ desc=”true” all=”false”][/su_box]

Information Security Buzz