IOCTA 2016

Malicious attacks on public and private networks are relentless. In order to carry out such attacks, cybercriminals need access to the right tools and services. The development and propagation of malware therefore continues to be the cornerstone for the majority of cybercrime. Although different malware have a range of overlapping capabilities, the two dominant threats encountered by EU law enforcement are ransomware and information stealers.

[Malware table]

Key threat - Ransomware

Ransomware continues to be the dominant concern for EU law enforcement. While police ransomware appears to have dropped off the radar almost completely, the number of cryptoware variants has multiplied. Whereas each variant has its own unique properties, many are adopting similar anonymisation strategies such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions. Ransom payment is almost exclusively in Bitcoins. While most traditional and “commercially available” data stealing malware typically targets desktop Windows users, there are many more applicable targets for ransomware, from individual users’ devices, to networks within industry, healthcare or even government.

No More Ransom (www.nomoreransom.org) is a new initiative in cooperation between law enforcement and the private sector to fight ransomware together19. This new online portal launched in 2016 aims to inform the public about the dangers of ransomware and helps victims to recover their data without having to pay ransoms to cybercriminals.

Cryptowall

First appearing in 2013, Cryptowall has appeared under a number of pseudonyms, including Cryptodefense and Cryptorbit, and at the time of writing is running under version 4.0. Cryptowall is typically installed by an exploit kit or malicious email attachment. The malware makes use of both Tor (for handling Bitcoin payments from victims) and I2P (for communicating with its C&C servers) P2P networks. Half of EU Member States report cases of Cryptowall.

CTB-Locker

Emerging in mid-2014, Curve-Tor-Bitcoin (CTB) Locker (also known as Critroni) was one of the first ransomware families to use Tor to hide its C2 infrastructure. While active during 2015, CTB-Locker activity has dropped off in 2016. However, a more recent variant has been targeting web servers and is uniquely using the Bitcoin blockchain to deliver decryption keys to victims20. Marginally less prominent among EU law enforcement investigations compared to Cryptowall, CTB-Locker represented the top malware threat for the financial industry.

Teslacrypt

Teslacrypt was another cryptoware variant reported by EU law enforcement as a significant threat in 2015. However, in May 2016, the developers apparently discontinued the malware, apologised for their actions and released a master decryption key21. There is no indication as to why they did this. Residual investigations remain in a number of Member States.

Locky

While the Locky cryptoware did not appear until mid-February 2016, and consequently does not feature heavily in the reporting period, it is expected to become one of the dominant cryptoware threats throughout 2016. Some reports indicate that Germany, France, Italy and Spain are all top 10 targets for the new campaign22. Locky encrypts over 160 different file types, including virtual disks, databases and Bitcoin wallet (wallet.dat) files23,24.

Due to similarities in the campaigns for both malware distribution methods (malicious macro spiked email attachments distributed via mass spam campaigns) and several aspects of the coding, it is speculated that the Locky malware is produced by the same developers as the Dridex malware25.
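A defender-side triage check for the delivery technique described above (Office attachments carrying VBA macros, sent by mass spam). This is an added example and not code from the report; the two sample attachments are constructed in memory and contain no macro code, only the package structure a mail gateway would inspect.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML packages (.docx/.docm/.xlsm ...) are zips
MACRO_ENABLED_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def _build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML package; optionally add a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 container holding the macro streams;
            # here only its presence matters, so a header plus padding is enough.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


# Constructed samples: a clean invoice-style document and a macro-enabled one.
SAMPLE_CLEAN_DOCX = _build_ooxml(with_macro=False)
SAMPLE_MACRO_DOCM = _build_ooxml(with_macro=True)


def ooxml_has_vba_project(data: bytes) -> bool:
    """True if the OOXML package contains a VBA project part (word/, xl/ or ppt/ vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Content-based verdict for one mail attachment; the extension is treated as untrusted."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        if ooxml_has_vba_project(data):
            # Catches a .docm renamed to .doc/.docx: the VBA part is what matters, not the name.
            return "block: OOXML attachment with embedded VBA project (%s)" % filename
        if ext in MACRO_ENABLED_EXT:
            return "review: macro-enabled extension but no VBA part (%s)" % filename
        return "allow: OOXML attachment without macros (%s)" % filename
    if data.startswith(OLE2_MAGIC):
        # Macro presence in legacy binary formats needs OLE stream parsing; route to a sandbox.
        return "review: legacy binary Office format, needs deeper inspection (%s)" % filename
    return "allow: not an Office document (%s)" % filename


def triage_batch(attachments):
    """Summarise a batch of (filename, bytes) pairs as counts per verdict class."""
    counts = {"block": 0, "review": 0, "allow": 0}
    for name, data in attachments:
        counts[classify_attachment(name, data).split(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    batch = [("receipt.docx", SAMPLE_CLEAN_DOCX),
             ("invoice.docm", SAMPLE_MACRO_DOCM),
             ("order.doc", SAMPLE_MACRO_DOCM),      # renamed macro document
             ("notes.txt", b"plain text body")]
    for name, data in batch:
        print(classify_attachment(name, data))
    print(triage_batch(batch))
```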

The legacy of Cryptolocker

Throughout 2014, the Cryptolocker ransomware was one of the top ransomware threats within the EU in terms of scope and impact. In May 2014, Operation Tovar significantly disrupted the infrastructure distributing Cryptolocker and by the end of 2014 Cryptolocker was effectively finished. The name ‘Cryptolocker’ now appears to have become a synonym for any unidentified ransomware. Consequently, reports of ‘Cryptolocker’ infections are still high within Europe.

  19. Europol, Press Release on No More Ransom Initiative, https://www.europol.europa.eu/content/no-more-ransom-law-enforcement-and-it-security-companies-join-forces-fight-ransomware, 2016
  20. Sucuri Blog, Website Ransomware – CTB-Locker Goes Blockchain, https://blog.sucuri.net/2016/04/website-ransomware-ctb-locker-goes-blockchain.html, 2016
  21. BleepingComputer, TeslaCrypt Shuts Down and Releases Master Decryption Key, http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/, 2016
  22. SecurityWeek, Germany, France Hit Most by Locky Ransomware: Kaspersky, http://www.securityweek.com/germany-france-hit-most-locky-ransomware-kaspersky, 2016
  23. Naked Security, “Locky” Ransomware – What You Need to Know, https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/, 2016
  24. Avast Blog, A Closer Look at the Locky Ransomware, https://blog.avast.com/a-closer-look-at-the-locky-ransomware, 2016
  25. Symantec Official Blog, Locky Ransomware on Aggressive Hunt for Victims, http://www.symantec.com/connect/blogs/locky-ransomware-aggressive-hunt-victims, 2016

Key threats - Information stealers

While ransomware provides easy money for cybercriminals, the data which information stealing malware can harvest can be of significantly greater value, even though it requires additional effort to monetise. While information stealers can target any data of potential value from social media logins to digital currency wallets, the majority focus on harvesting banking and credit card credentials.

The malware landscape - with regards to information stealers - remains largely unchanged from the previous year. While information stealing malware is no less prevalent or relentless than in previous years, the perceived lower threat level by law enforcement perhaps reflects that, along with support from private industry, law enforcement is now better equipped and better prepared to both investigate and mitigate this threat.

Dridex

While only just emerging as a threat for law enforcement in 2015, Dridex has, as predicted, become one of the main financial threats for EU law enforcement over the last year. Dridex is distributed almost exclusively via spam campaigns, disguised as financial emails such as invoices, receipts, and orders. Dridex targets nearly 300 different organizations in over 40 regions, focussing on financial institutions in the US and Western Europe, as well as a range of Asia-Pacific states26. Dridex uses a distributed P2P command and control infrastructure that makes it more resistant to takedown. Dridex was the top threat in this category for both law enforcement and the financial sector.

In August 2015, the UK’s NCA and the US FBI, with the support of EC3 and the J-CAT and a number of international law enforcement agencies and key private partners, conducted an operation to 'sinkhole' the Dridex malware, stopping infected computers from communicating with the cybercriminals controlling them. Additionally, a key player in the development of Dridex was arrested. The operation was a success, but by November 2015 there was a resurgence in activity as new variants began to propagate.

Citadel

Citadel, a Zeus variant that first appeared in 2012, is sold to and used by only select groups of cybercriminals and is run as-a-service. Several Member States continue to report low numbers of Citadel cases. In April 2016, a new variant of Citadel, dubbed Atmos, began targeting financial institutions in France. The Trojan is noted as having C&C servers based in Vietnam, Canada, Ukraine, Russia, the US and Turkey27. It is unknown how many of the law enforcement reports reflect the appearance of this new variant.

Zeus

First appearing in 2006, the source code for Zeus was leaked in 2011. Subsequently, the code has been re-used by coders to create both new variants of Zeus itself and whole new malware families, such as Ice IX and Citadel. While Zeus still affects some Member States, it is likely that the statistics represent an amalgamation of all the current variants rather than any single coordinated campaign.

Dyre

In the 2015 IOCTA it was predicted that Dyre (also known as Dyreza) would be one of the top malware threats throughout 2015. Run privately by its developers, Dyre targeted over 1000 banks and other payment and financial services. However, while it did indeed enjoy significant successes, in November 2015 Russian authorities arrested a number of suspects believed to be part of the Dyre crew28. Following these arrests, Dyre activity dropped to negligible levels. A number of Member States report low numbers of Dyre investigations but these are predominantly follow-up investigations and not based on new infections.

Other information stealers

A variety of other information stealing malware featured in EU investigations throughout 2015; however, the numbers of these were sufficiently low to suggest they did not represent a significant threat to the EU. Of these, Spyeye and Carberp (particularly in South East Europe) were the most prominent, but only rare cases involving malware such as Vawtrak (Neverquest), Ice IX, Nymaim or Dorkbot were reported. While Tinba was only reported as a low-level threat by law enforcement, some internet security partners29 and media reporting indicated that it is a more significant threat30.

  26. Symantec, Dridex: Tidal Waves of SPAM Pushing Dangerous Financial Trojan, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf, 2016
  27. SC Magazine, Atmos, Citadel Malware Variant, Hitting French Banks, http://www.scmagazine.com/atmos-citadel-malware-variant-hitting-french-banks/article/489104/, 2016
  28. The Hacker News, Hackers Behind Dyre Malware Busted in Police Raid, http://thehackernews.com/2016/02/hacking-dyre-malware.html, 2016
  29. Check Point Software Technologies, http://www.checkpoint.com/, 2016
  30. SecurityWeek, Fifth Tinba Variant Targets Financial Entities in Asia Pacific, http://www.securityweek.com/fifth-tinba-variant-targets-financial-entities-asia-pacific, 2016

Key threat - Mobile malware

Identified by law enforcement as little more than a likely future threat in previous years’ reports, mobile malware now features firmly in law enforcement investigations in 14 European countries, particularly non-EU states. While the number of cases per state typically is still low (under 10), this is a clear indication that mobile malware is finally breaking into the public domain with regards to both the reporting and subsequent criminal investigation of mobile malware attacks. Moreover, industry continues to report the proliferation of mobile malware, much of which is now as complex as PC malware. This growth in complexity also reflects the change in the purpose of mobile malware. Historically mobile malware has been dominated by premium service abusers, i.e. exploiting the device in its capacity as a phone with access to (limited) credit. As mobiles are increasingly of the ‘smart’ variety, the current generation of mobile malware instead targets devices in their capacity as mobile computers. Consequently the infection pathways and intent of mobile malware are beginning to mirror that of the desktop PC – drive-by downloads31, RATs, ransomware, click fraud32,33 and banking Trojans are all common features for mobile malware today.

Whereas police ransomware appears to have almost disappeared from desktop PCs, mobile platforms (both Android and iOS) appear to be one of the few environments where it is still active34. In some cases, however, the requested payment method (e.g. iTunes vouchers35) ridicules any pretence that it represents a legitimate law enforcement agency. Mobiles otherwise represent key targets for ransomware and, coupled with the lower likelihood of mobile device users running security software, mobiles are increasingly at risk.

  31. Blue Coat Labs, Android Towelroot Exploit Used to Deliver “Dogspectus” Ransomware, https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware, 2016
  32. WeLiveSecurity, Porn Clicker Trojans Keep Flooding Google Play, http://www.welivesecurity.com/2016/02/24/porn-clicker-trojans-keep-flooding-google-play/, 2016
  33. Check Point, From HummingBad to Worse: New In-Depth Details and Analysis of the HummingBad Android Malware Campaign, http://blog.checkpoint.com/2016/07/01/from-hummingbad-to-worse-new-in-depth-details-and-analysis-of-the-hummingbad-andriod-malware-campaign/, 2016
  34. Trend Micro, Flocker Mobile Ransomware Crosses to Smart TV, http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomware-crosses-smart-tv/, 2016
  35. Blue Coat Labs, Android Towelroot Exploit Used to Deliver “Dogspectus” Ransomware, https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware, 2016

Other malware threats - Remote Access Tools (RATs)

In the 2015 IOCTA, RATs were highlighted as an additional key threat area. The volume of investigations into RATs dropped considerably throughout 2015, however. The two most prominent RATs, providing attackers with backdoors to victims’ systems, are again Blackshades and DarkComet, but the number of countries reporting Blackshades investigations continues to decline and, while approximately one quarter of Member States still have investigations involving DarkComet, individual case numbers are low.


Other malware threats - Enablers

Whereas law enforcement investigations highlighted in previous reports were entirely dominated by ‘payload’ malware (e.g. ransomware, information stealers and RATs), 2015 has seen a progression in tackling malware threats that operate ‘behind the scenes’, i.e. those used to disseminate or install other malware.

Exploit kits

Over one fifth of European countries reported active investigations involving the Angler exploit kit. First seen in 2013, Angler – known for its rapid adoption of new vulnerabilities – became one of the most popular exploit kits in the digital underground following the demise of the Blackhole exploit kit. Cryptowall 4.0 and new ransomware CryptXXX36 feature amongst the payloads installed by Angler. The Nuclear and Neutrino exploit kits have also attracted the attention of European law enforcement.

The Nuclear exploit kit was also noted to be spreading Cryptowall37. At the time of writing, following law enforcement action by the Russian authorities, both the Angler and Nuclear exploit kits appear to be inactive.

Following the arrest of 50 individuals linked to the Lurk malware in June 2016 by Russian law enforcement, the operation of several other malware campaigns was severely disrupted – including Dridex, Locky, Angler, Nuclear and Necurs38 – indicating that some of the suspects were involved in providing a key support service for these campaigns, likely the distribution channels. While most recovered, both Angler and Nuclear remain inactive.

Droppers

Both Andromeda and Conficker feature in 2015 law enforcement investigations, albeit in only a small number of countries. Andromeda’s primary function is to drop other malware onto infected machines but its modular nature means its functionality can be modified to perform a variety of other tasks. Conficker (also known as Downadup) is a worm that primarily downloads other malware but can also provide remote access and steal data39.

It is important to recognise that the view of law enforcement in terms of identifying malware threats only represents the tail end of the entire threat landscape. It often only encompasses the attacks which are detected by victims or third parties and are subsequently reported as a crime. The following table highlights the top malware threats within the EU as seen by law enforcement. Alongside this we have displayed the same view from the financial sector, which appears to be largely aligned. We would expect this, as banks and banking customers are likely to be complainants who initiate law enforcement investigations.

Notably however, over the same time period there was almost no overlap between the threats seen by law enforcement and the financial sector and those by industry. One of the few exceptions to this is Conficker (aka Downadup), which was identified as a significant threat by the internet security industry, albeit only low level by law enforcement. Some data stealing malware such as Zeus also features in the internet security threat list.

One explanation for the discrepancy between the two viewpoints is that internet security companies will typically encounter (and prevent) the malware operating ‘behind the scenes’ such as droppers, and are therefore less likely to see the payload malware that would have subsequently attacked the intended target. Conversely, law enforcement is more likely to encounter payload malware that has neither been detected nor prevented by an anti-virus solution. Furthermore, it is likely that only payloads that have resulted in actual, noticeable loss or damage to a victim are reported to law enforcement. Consequently, the threat list of law enforcement is dominated by banking Trojans and ransomware, and that of the internet security industry is dominated by droppers, backdoors and other unobtrusive, stealthy malware.

  36. Check Point, CryptXXX Ransomware: Simple, Evasive, Effective, http://blog.checkpoint.com/2016/05/27/cryptxxx-simple-evasive-effective/, 2016
  37. SecurityWeek, CryptoWall 4.0 Spreading via Angler Exploit Kit, http://www.securityweek.com/cryptowall-40-spreading-angler-exploit-kit, 2016
  38. SecurityWeek, Did Angler Exploit Kit Die With Russian Lurk Arrests?, http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests, 2016
  39. Check Point, Top 10 Most Wanted Malware, http://blog.checkpoint.com/2016/06/21/top-10-most-wanted-malware/, 2016

Future threats and developments

There will always be a demand for data grabbing malware, but the market for these is notably less volatile, with a handful of often persistent “consumer favourites” dominating the markets. The cryptoware scene is currently where the most flux exists, with a myriad of new variants identified in industry and media reporting in the past year. Many of these, such as Cerber, CryptXXX and Locky, appear to be gaining momentum. It is therefore a safe bet that 2016 will see further diversification in the range of cryptoware available, with likely only a select few surviving into 2017. Police ransomware will likely fade into obscurity as the pretence of representing law enforcement becomes obsolete – an unnecessary complication to a simple demand for money.

Cryptoware will also continue to expand its attack surface. Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms. Given the scale of mobile device ownership (with many more mobile devices than people40) there is no shortage of fertile ground for the proliferation of mobile ransomware. Moreover, we will also see ransomware evolving to routinely spread to other smart devices. There are already indications that some ransomware is capable of infecting devices such as smart TVs41. Following the pattern of data stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth.

More recently, a new strain of server-side ransomware called SAMSAM predominantly targeted the healthcare industry. SAMSAM does not require user interaction but exploits the vulnerabilities of web servers and encrypts folders typically associated with website files, images, scripts, etc.42

While there is clear indication that other malware – an order of magnitude more sophisticated than that openly available on any criminal market – exists either already in the wild or as a proof of concept, none appears to be “commercially available”. Its use therefore remains either limited to closed criminal groups, or out of the reach of criminality altogether. Those using it are likely to be out of the scope of a typical law enforcement investigation.

One such indicator of sophistication would be the use of information hiding techniques, such as steganography. These techniques, once solely a tool for espionage, are now increasingly being used by malware to hide its existence, communications and data exfiltration, by incorporating data in other traffic flows or media43. While this technique has only been used by a handful of malware variants so far, its very nature means that any future or existing malware using this technique may be extremely hard to detect.

  40. The Radicati Group, Mobile Statistics Report 2014-2018, http://www.radicati.com/wp/wp-content/uploads/2014/01/Mobile-Statistics-Report-2014-2018-Executive-Summary.pdf, 2014
  41. Trend Micro, FLocker Mobile Ransomware Crosses to Smart TV, http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomware-crosses-smart-tv/, 2016
  42. Trend Micro, Server-side Ransomware SAMSAM Hits Healthcare Industry, http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/server-side-ransomware-samsam-hits-healthcare-industry, 2016
  43. CUIng, Criminal Use of Information Hiding (CUIng) Initiative, http://cuing.org/, 2016

Recommendations

  • It is essential for law enforcement to continue to allocate sufficient resources to investigate the malware and services which enable other cyber attacks.
    • The impact the removal of a key service can have is clear44.
  • Law enforcement should maintain the current momentum on prevention and awareness campaigns relating to mobile malware.
    • Encouraging the use of security software and the reporting of attacks gives both law enforcement and the security industry an overall clearer picture and thereby a greater capacity to mitigate the threat.
  • Law enforcement must continue to forge and maintain collaborative, working relationships with academia and the private sector.
    • The comparison of law enforcement, industry and internet security perspectives on malware threats highlights how small a piece of the overall picture law enforcement actually sees and to some degree questions the relevance of law enforcement priorities. While there is no question that law enforcement must continue to investigate reported attacks, it must also be guided partly by the views of other industries.
  • Law enforcement and industry should continue to contribute and make use of the Europol Malware Analysis Service (EMAS). Moreover, the tool needs to continue to evolve and develop to address the growing needs for malware analysis.
  • The disclosure of relevant information to the public, found within the course of criminal investigations, should be encouraged and facilitated. For instance, when a server with decryption keys is found, it should be possible (or easier) for LEAs to disclose this information to the public, through cooperation with private entities. In some cases however, this may require legislative action as some countries, including EU MS, are prohibited from disclosing information during criminal investigations outside the law enforcement community.

  44. SecurityWeek, Did Angler Exploit Kit Die With Russian Lurk Arrests?, http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests, 2014