Honeypot research from F-Secure shows majority of illicit online activity coming from IP addresses in Russia – also where ransomware is a hot commodity.
A global research honeypot tracked what appeared to be a large amount of reconnaissance traffic coming from Russian IP addresses in the second half of last year: some 60% of the overall volume of traffic came from Russia.
The second-closest region was the Netherlands, with 11% of the overall traffic, followed by the US (9%); Germany (4%); and China (4%), according to data culled from F-Secure’s global honeypot network, which provides a snapshot of just where attack attempts, recon, and other nefarious activity is originating – and targeting.
F-Secure found that close to half of the traffic was searching for exposed HTTP and HTTPS ports, most likely for the purpose of seeking out vulnerable software to exploit and spread malware, or compromise the targeted device. These systems then can be used as proxies for other attacks, for instance. Simple Main Transfer Protocol (SMTP) ports were also high on the recon radar screen.
“With Russia being the largest source of this traffic, it’s no surprise that most countries in the world were targeted by Russian IPs, including Russia,” F-Secure said in its newly published annual threat report. “The US was the most frequent target of both global and Russian traffic.”
Most ransomware activity comes out of Russia as well, noted Mikko Hypponen, chief research officer for F-Secure in a press briefing during the RSA Conference last week in San Francisco. There are more than 100 ransomware gangs, he said, and some operate out of Ukraine.
Russian-speaking cybercrime gangs and individuals account for 80% of ransomware families seen in the last 12 months, Kaspersky Lab data shows. The ransomware attackers are a combination of skilled developers to script kiddies, all cashing in on the ease and relative anonymity of cyber-extortion attacks that now come in easy-to-use-kits. Some are making tens of thousands of dollars a day via ransomware attacks, according to Kaspersky Lab.
Hypponen expects ransomware incidents to get worse. “One of the things making it worse is that it’s becoming so decentralized. There are so many different gangs making money on ransomware, and they are competing,” he said.
They have sophisticated application interfaces that help them track their campaigns and how successful they were; some even provide customer support to help the victim get bitcoin for ransom payment. He showed one campaign’s interface indicating it had a conversion rate of 16% success.
Other security experts last week echoed Hypponen’s prediction that ransomware would escalate, and get uglier: not only are the attackers getting more aggressive and strict about payment deadlines, but some attack a victim multiple times, even after he or she pays up. “Traditional blackmailers know if someone pays once, they are probably going to pay again,” said James Lyne, global head of security research at Sophos Labs.
Look for ransomware attacks that also steal, damage, or wipe data, so even if a victim pays the ransom, his or her data is still at risk or lost forever.