Financial threats

While we have previously written on the now infamous XPan ransomware family, some of it’s variants are still affecting users primarily located in Brazil. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.

Ransomware’s popularity has attracted the attention of cybercriminal gangs; they use these malicious programs in targeted attacks on large organizations in order to steal money. In late 2016, we detected an increase in the number of attacks, the main goal of which was to launch an encryptor on an organization’s network nodes and servers.

In February 2017, we published research on fileless attacks against enterprise networks. This second paper is about the methods and techniques that were used by the attackers in the second stage of their attacks against financial organizations – basically enabling remote administration of ATMs.

Today we’d like to share some of our findings, and add something new to what’s currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.

This year we found a new family of ransomware used in targeted attacks against organizations. The next fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data.

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued. Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We’ve noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations – such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.

In other words, crypto ransomware is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned.

Last November we conducted a brief analysis of the threat landscape over the holiday period – from October to December in 2014 and 2015. And we made the following prognosis: the same holiday period in 2016 will see a spike in cyberattacks. Now that the holidays are over, it is time to find out how accurate that prediction was.

Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.

2016 was a tense and turbulent year in cyberspace – from the massive IoT botnets and ransomware to targeted cyberespionage attacks, financial theft, ‘hacktivism’ and more. Kaspersky Lab’s Review of the Year and Statistics provide a detailed review – you can read the Executive Summary here.

Between January and September 2016 ransomware attacks on business increased three-fold – to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016.

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape.

Our research shows that, over the last few years, the holiday period which starts on so-called Black Friday was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year.

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.