How to Protect Against Malware Attacks
The current state of malware is a conflicted one. On the one hand, data breaches involving malware have become less frequent in recent years. In its 2019 Data Breach Investigations Report (DBIR), Verizon found that malware had been active in 28 percent of data breaches over the previous year. This figure is down from 30 percent in 2018 and 51 percent the year before that.
Despite these findings, malware samples are increasing in number. AV-Test found approximately 990 million malware samples in circulation as of December 11, 2019. This number is more than 100 million samples higher than the total for 2018.
These conflicting numbers matter less when considering the bigger picture. The reality is simple: not only is the prevalence of malware increasing, but dealing with infections is becoming more and more expensive. The Ponemon Institute found in its 2019 Cost of a Data Breach report that the cost of the average data breach, including those involving malware, has grown to $3.92 million—up from $3.86 million a year earlier and $3.62 million in 2017. Plenty of malware incidents have been even costlier. In June 2019, Norsk Hydro reported that a ransomware attack had cost the company NOK 400-450 million (approximately $50 million) in the first quarter of 2019. The cost of shipping giant Maersk’s 2017 NotPetya infection was even greater at $300 million, as reported by ZDNet. And for countless other smaller organizations that don’t make the headlines, crippling malware attacks have cost them untold thousands of dollars in ransom payments and cleanup costs.
The figures above highlight the need for organizations to do more to defend against malware. They need to understand the different types of malware, how their categories are distributed in the wild and how they’re becoming increasingly difficult to detect.
Most Prevalent Malware Categories
Some of the most prevalent malware categories in circulation today include the following:
- Ransomware: This type of malware uses encryption to render a victim’s data inaccessible. The purpose of ransomware is usually financial in nature. Those behind these attacks typically demand that victims pay a ransom in exchange for a decryption key that they can use to recover their files.
- Backdoors: A backdoor is a category of malware that circumvents the normal authentication measures implemented on a system. Malicious actors can subsequently use a backdoor to gain remote access to the system and execute commands on it. Oftentimes, a backdoor uses evasion techniques so that it can keep granting attackers remote access on an ongoing basis.
- Spyware: Samples that fall under this category live up to their name; their explicit purpose is to spy on users. Specifically, they use techniques like screenshot capture and code hooking to steal users’ banking credentials, passwords and credit card information before sending this data to their operators.
- Downloaders: Not all malware samples are the final payloads of an attack campaign. This is where downloaders come in. Samples belonging to this category of malware usually activate in the early stages of a malicious operation. Their purpose is to download another payload or other malicious assets to further an attacker’s goals. We often see this type of malware as part of Crimeware-as-a-Service: entrepreneurial cybercriminals who have turned malware into a commoditized operation to sell to other criminals launching their own localized malware campaigns.
- Cryptominers: Malicious actors inject cryptomining code into popular websites or infect users with cryptominers. The malware samples then consume a machine’s CPU resources to mine for cryptocurrency without the user’s knowledge. While one single infected computer mines only a small amount of cryptocurrency, when an attacker is able to infect tens of thousands of computers, the spoils can be substantial.
Popular Means of Malware Distribution
Out of all distribution channels, email is by far the most popular vector for spreading malware. Verizon Enterprise confirmed this fact in its 2019 DBIR when it found that the average company receives over 90 percent of its malware from suspicious email messages.
But many of today’s malware families are using other means of distribution as well. Some rely on malicious downloaders for installation on a compromised device, for instance, while others use exploit kits that leverage known browser and OS vulnerabilities to install malicious payloads. Upon successful infection, some of the more sophisticated malware samples then propagate across the network and infect other endpoints.
Why Malware is More Difficult to Detect Today
While many of its categories and distribution channels remain the same, malware is more difficult to detect today than it’s ever been. This development owes its existence to two complementary trends in the malware threat landscape:
- Endpoint and sandbox evasion techniques: Malware authors have made it their mission to help their creations evade signature-based detection, and they’ve done this by building evasion techniques into their samples. Some employ tactics such as polymorphism, a process through which a single piece of malware continues to morph into new variations so that each copy looks different to signature-based tools while behaving the same. Others turn to endpoint evasion techniques, including the use of commands that directly disable AV tools. Still others use sandbox-evasion techniques such as delaying detonation or probing the system they are running on for telltale signs of a virtualized environment, among dozens of other tricks.
- Fileless attacks: The methods described above highlight the efforts of malware authors to conceal their malicious files from analysis by signature-based tools. In addition, many malware families are attempting to sidestep this problem altogether by not writing any files to an infected machine’s file system. As we noted in an earlier blog, fileless malware loads directly into memory, thereby providing file-scanning security tools with nothing to match a signature against.
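As an added illustration of why the two trends above defeat hash signatures but not behavior-based detection (this is example code written for this post, not Lastline’s detection logic), the script below classifies constructed sandbox reports: a polymorphic variant with an unknown hash still matches the known family’s behavior fingerprint, and a memory-only sample with sandbox-probing behavior is flagged by an evasion score. The behavior labels, weights and hashes are all assumed for the example.

```python
import hashlib

# Assumed weights for the evasion behaviors the post lists; the labels are
# constructed stand-ins for what a sandbox would log, not a vendor's schema.
EVASION_WEIGHTS = {
    "delay:long-sleep": 2,       # delaying detonation until the sandbox times out
    "probe:virtualization": 3,   # checking for telltales of a virtualized host
    "exec:disable-av": 4,        # command that switches off the endpoint AV
    "inject:memory-only": 3,     # payload runs from memory, nothing on disk
}

# Constructed signature database: only one exact file hash is known.
KNOWN_BAD_HASHES = {"sha256:variant-a"}

# Constructed sandbox reports. variant-b is a polymorphic rebuild of variant-a:
# different bytes (hash), identical behavior. fileless-c has never been seen.
REPORTS = {
    "variant-a": {"sha256": "sha256:variant-a",
                  "behaviours": ["write:temp-exe", "persist:run-key", "net:beacon"]},
    "variant-b": {"sha256": "sha256:variant-b",
                  "behaviours": ["net:beacon", "write:temp-exe", "persist:run-key"]},
    "fileless-c": {"sha256": "sha256:unknown-c",
                   "behaviours": ["probe:virtualization", "delay:long-sleep",
                                  "inject:memory-only", "net:beacon"]},
    "installer-d": {"sha256": "sha256:unknown-d",
                    "behaviours": ["write:program-files", "persist:run-key"]},
}

def signature_match(report):
    """Classic signature check: true only for an exact, previously seen hash."""
    return report["sha256"] in KNOWN_BAD_HASHES

def behaviour_fingerprint(report):
    """Hash the canonical set of behaviors; polymorphic rebuilds that keep
    the same behavior collapse to one fingerprint regardless of file bytes."""
    canon = "|".join(sorted(set(report["behaviours"])))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def evasion_score(report):
    """Sum the weights of evasion behaviors observed during detonation."""
    return sum(EVASION_WEIGHTS.get(b, 0) for b in report["behaviours"])

def classify(report, known_bad_fingerprints, threshold=5):
    """Signature first, then behavior family match, then evasion heuristics."""
    if signature_match(report):
        return "malicious:signature"
    if behaviour_fingerprint(report) in known_bad_fingerprints:
        return "malicious:behaviour-family"
    if evasion_score(report) >= threshold:
        return "suspicious:evasive"
    return "benign"

# Behavior fingerprints of samples already confirmed malicious (here: variant-a).
KNOWN_BAD_FINGERPRINTS = {behaviour_fingerprint(REPORTS["variant-a"])}
```

Running `classify` over each report shows that only variant-a is caught by the hash, while variant-b is caught by its behavior family and fileless-c by its evasion score; the benign installer stays benign.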
The Role of Network Detection and Response in an Anti-Malware Strategy
Evasion techniques and fileless attacks highlight the inability of signature-based tools to detect malware threats. Organizations need a modern and sophisticated solution that’s capable of seeing through these tricks and preventing malware from preying upon their users and data.
This is where Lastline’s Network Detection and Response (NDR) platform, Lastline Defender, comes in. Lastline Defender inventories every malicious behavior in every unknown object attempting to enter and operate inside your network, including fileless malware. Its highest-rated detection capabilities catch evasive malware that slips past your firewall, web gateway, sandbox or other “Next-Gen” technology. Lastline Defender’s multi-faceted AI learns from this complete inventory of all malicious behaviors, enabling it to distinguish between malicious and benign network anomalies.
Lastline Defender provides high-fidelity insights that enable your security team to respond more effectively and efficiently. Security professionals can spend more time working to prevent malware from propagating throughout the network and less time investigating otherwise benign anomalies.