I recently read an article about the first ransom note in American history. According to the Smithsonian, a school librarian recently stumbled upon a note from 1874 that demanded $20,000 (the equivalent of about $400,000 today) for the safe return of a family’s four-year-old son who had been kidnapped from his Philadelphia neighborhood. Half the country mobilized as police forces tried to recover the child. In the end, the child was never found. Today, we’re in the midst of another hard-to-solve ransom crisis, this time with a tech twist.
I’m talking about ransomware attacks, where a malware infection is used to encrypt data and then demand payment for the decryption key. Ransomware has been the talk of the security industry lately. The FBI recently revealed that ransomware victims in the United States reported costs of $209 million in the first quarter of 2016, compared to $24 million for all of 2015. High-profile Q1 ransomware incidents include the February 2016 attack on Hollywood Presbyterian Medical Center in Los Angeles and the March 2016 breach at MedStar Health in Washington, D.C.
In our newly released Infoblox DNS Threat Index for the first quarter of 2016, Infoblox researchers found a dramatic increase in the creation of new ransomware infrastructure. In simple terms, this indicates ransomware is working, so more and more criminals are jumping on the bandwagon. In fact, our researchers tracked a 35-fold increase—3,500 percent!—in newly observed ransomware domains from January to March when compared to the first quarter of 2015.
This huge spike is clearly not the work of a lone wolf in a parent’s basement. Sophisticated criminal networks are conducting industrial-scale, big-money attacks on organizations of all sizes and kinds, including major enterprises. And much like bees to nectar, cybercriminals go to what works, and ransomware seems to be working quite well these days.
It’s not just sophisticated cybercriminals who are carrying out these attacks. Much of the time, “regular criminals” are participating. That’s possible because many ransomware attacks originate with exploit kits. A small number of highly skilled hackers can create exploit kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to ordinary criminals with little technical experience—vastly increasing the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies.
Unless and until companies figure out how to guard against ransomware—and certainly not reward the attack by paying—we expect ransomware to continue its successful run. Fortunately, as with any malware, prevention is well understood: tight security measures; up-to-date software; user best practices such as never sharing your password and never reusing the same password across multiple accounts; and clean, protected backup data.
Beyond ransomware, the Infoblox DNS Threat Index hit an all-time high in the first quarter, meaning the threat from malicious infrastructure has never been greater. To read the entire report, go to infoblox.com/dns-threat-index.
Finally, if you’re attending The Anti-Phishing Working Group’s Symposium on Electronic Crime Research this week in Toronto, you’re invited to a session I’m co-presenting tomorrow on abuse of top-level domains, where I’ll talk about the threat index findings.