2017AnnualThreatReport

TableofContents

Introduction 3

ThreatFindingsfrom2016 4

POSMalwareDecline 6

SSL/TLSEncryption 7

ExploitKitDecline 9

Ransomware 10

IoTDDoSAttacks 13

AndroidMalware 15

Predictionsfor2017 17

PreventionandBestPractices 19

FinalTakeaways 21

Resources 23

22017SonicWallAnnualThreatReport

Introduction
2016couldbeconsideredahighlysuccessfulyearfromtheperspectiveofboth
securityprofessionalsandcybercriminals.Securityteamsleveraged
groundbreakingtechnologiestosuccessfullyfendoffattacksthatwouldhave
devastatedtheirorganizationsinyearspast.Atthesametime,wesawtherise
ofnewcyberthreatsthattargetedorganizationsofallsizesandledtoserious
financialconsequencesformany.

Itwouldbeinaccuratetosaythethreatlandscapeeitherdiminishedor
expandedin2016rather,itappearstohaveevolvedandshifted.Cybersecurity
isnotabattleofattrition;itsanarmsrace,andbothsidesareproving
exceptionallyinnovative.

AccordingtotheSonicWallGlobalResponseIntelligenceDefense(GRID)Threat
Network,securityteamsachievedasolidshareofvictoriesin2016.Unlikein
yearspast,SonicWallsawthevolumeofuniquemalwaresamplescollectedfall
to60millioncomparedwith64millionin2015,a6.25percentdecrease.Total
attackattemptsdroppedforthefirsttimeinyears,to7.87billionfrom8.19
billionin2015.

Inaddition,thebroaderadoptionofchipandPINtechnologyincountriessuch
astheUnitedStatesseemstohavecooledcybercriminalsinterestinpointof
sale(POS)systemattackstothetuneofan88percentdecreaseinPOSmalware
variantssince2015,asobservedbytheSonicWallGRIDThreatNetwork.Law
enforcementandcyberinvestigationshelpedcontributetothemidyear
disappearanceofthreeexploitkitsthatranrampantinearly2016Angler,
NeutrinoandNuclear.MeanwhileSecureSocketsLayer/TransportLayerSecurity
(SSL/TLS)encryptedtrafficcontinuedtoriseinvolume,pointingtoapositive
overalltrendinonlinesecurity.

However,theSonicWallGRIDThreatNetworkalsoobservedanexponential
increaseinthenumberofadvancedthreatsviaransomware,fromnearly4
millionattackattemptsin2015to638millionin2016,a167xyearoveryear
increase.Theseattacksweretypicallydeliveredbyphishingcampaignsand
hiddenfromdetectionusingSSL/TLSencryption.Theriseofransomwareasa
service(RaaS)madeiteasierthaneverforcybercriminalstoaccessanddeploy
ransomware.Asaresult,manyorganizationsstruggledtofindanswersonhow
toprotectthemselvesandhowtoproperlyrespondtothedilemmasraisedby
thisnewbreedofcyberthreat.

Securityteamswerealsofacedwiththerapidevolutionofotherthreats.
InternetofThings(IoT)devicesweresuccessfullycompromisedonamassive
scaleandusedtomountdistributeddenialofservice(DDoS)attacksthat
disruptedhighprofilecompaniesincludingAirbnb,Netflix,Reddit,Twitterand
Spotify.CybercriminalsalsofoundnewwaystocompromiseAndroidTMdevices
usingoverlayattacks,despiteoperatingsystemsecurityupdates.

32017SonicWallAnnualThreatReport


Ascybersecurityentersaneweraofautomatedbreachprevention,notjust
breachdetection,securitycompaniesmaybegintoachieveevengreater
victoriesinthecyberarmsrace.Butitsultimatelyuptothebusinessesatthe
centerofthefighttoensuretheyrearmedforbattle.ThegoaloftheSonicWall
AnnualThreatReportistodefinethecybersecuritybattlefieldinordertoenable
companiesandindividualsaroundtheworldtomountanimpenetrabledefense
in2017andbeyond.

42017SonicWallAnnualThreatReport

Dataforthe2017SonicWallAnnualThreatReport
wasgatheredbytheSonicWallGRIDThreatNetwork,
whichsourcesinformationfromglobaldevicesand
resourcesincluding:
Morethan1millionsecuritysensorsinnearly200countries
andterritories
CrossvectorthreatrelatedinformationsharedamongSonicWall
securitysystems,includingfirewalls,emailsecurity,endpoint
security,honeypots,contentfilteringsystemsandSonicWall
Capturemultienginesandboxtechnology
SonicWallmalwareanalysisautomationframework,fully
developedinternally
Malware/IPreputationdatafromtensofthousandsoffirewalls
andemailsecuritydevicesaroundtheglobe
Sharedthreatintelligencefrommorethan50industry
collaborationgroupsandresearchorganizations
Intelligencefromfreelancesecurityresearchers
Spamalertsfrommillionsofcomputerusersprotectedby
SonicWallemailsecuritysolutions

52017SonicWallAnnualThreatReport

 Thecreationofnewpointofsalemalware
declinedby93percentsince2014after
highprofileretailbreachesledtomoreproactive
securitymeasuresacrosstheindustry.
If2016wastheyearofransomware,2014wastheyearofpointofsale(POS)
malwareattacks.Thatyear,theSonicWallGlobalResponseIntelligence
Defense(GRID)ThreatNetworkobserveda333percentincreaseinthe
numberofnewPOSmalwarecountermeasuresdevelopedanddeployed
comparedwiththeyearprior.Thisfindingcameasnosurprisetomembersof
theretailandcybersecurityindustries,aswesawwellknowncompanies
includingHomeDepot,Target,Michaels,Staplesandmanyotherssuffer
massivedatabreachesin2014,exposingthecreditcarddataforhundredsof
millionsofconsumers.i,ii,iii

Sincethenmanyretailershaveupgradedelementsoftheirsecurityprograms
tobetterprotectcustomerdataandavoidarepeatperformanceof2014.
Retailersnowhaveabetterunderstandingofthevulnerabilitiesandrisks
theirdigitalenvironmentspresentandhowtodefendagainstattacksusing
thePaymentCardIndustryDataSecurityStandard(PCIDDS)checklistand
otherongoingsecuritymeasures.Perhapsthesinglelargestshiftweveseen
since2014hasbeenthewideradoptionofchipbasedPOSsystemsin
countriesthatwereyearsbehindonthistechnology,suchastheUnited
States.ChipbasedPOSsystemsensureeverytransactionisissuedaunique
verificationcodethatcanonlybeusedonce.Comparedwithtraditional
creditcardsfeaturingmagneticstripswithstaticdata,chipcardsaremuch
moredifficulttofakeandalsomoredifficulttostealusableinformation
from.iv

Thanksatleastinparttothesepositivesecuritytrends,theSonicWallGRID
ThreatNetworksawthenumberofnewPOSmalwarevariantsdecreaseby
88percentsince2015and93percentsince2014.Thisimpliesthatcyber
criminalsarebecominglessinterestedindevotingtimetoPOSmalware
innovation.WhileweshouldnotreadthisasasignthatPOSmalwareis
disappearing,itsclearthatcyberthieveshavebeenfocusedelsewherein
recentmonths.Anditsanevenbettersignthatwhenanindustrytruly
makessecurityapriority,positivechangescanhappen.

62017SonicWallAnnualThreatReport



SecureSocketsLayer/TransportLayerSecurity
encryptedtrafficgrewby38percent,partlyin
responsetogrowingcloudapplicationadoption.
ThetrendtowardSecureSocketsLayer/TransportLayerSecurity(SSL/TLS)
encryptionhasbeenontheriseforseveralyears.Aswebtrafficgrew
throughout2016,sodidSSL/TLSencryption,from5.3trillionwebconnectionsin
2015to7.3trillionin2016accordingtotheSonicWallGlobalResponse
IntelligenceDefense(GRID)ThreatNetwork.Themajorityofwebsessionsthat
theSonicWallGRIDThreatNetworkdetectedthroughouttheyearwereSSL/TLS
encrypted,comprising62percentofwebtraffic.

Asameansofprotectingprivacyanddataintegrity,thegrowthofSSL/TLS
encryptionisundeniablyapositivetrend.SignifiedbyaHTTPSURLandlockicon
onbrowsers,SSL/TLSencryptionwasprimarilydevelopedtoprovidesecure
authenticationonthewebforecommerceandotherfinancialtransactions.
However,ithasbecomemorewidespreadasawayofprotectingprivacyand
securityonwebsitesthatdidnotoriginallyrequireencryption,suchassearch
enginesandsearchresults.

OnereasonfortheincreaseinSSL/TLSencryptionisthegrowingenterprise
appetiteforcloudapplications.Ascloudapplicationshaveimprovedtheir
featuresetsandproventheirreliabilityovertime,theyvebecomeamoreviable
optionforenterprisesthatappreciatethefacttheyaremoreaffordable,easier
toimplementandlesstaxingtomanagethanapplicationshostedonpremise.
TheSonicWallGRIDThreatNetworkhasseencloudapplicationtotalusagegrow
from88trillionin2014and118trillionin2015to126trillion
in2016.SSL/TLSencryptionwrapsaroundallinteractionwith
cloudservices,whichcouldaccountforsomeoftheSSL/TLS
trafficgrowth.NSSLabspredictsthatSSL/TLStrafficwill
accountfor75percentofonlineinteractionsby2019.v

Thisgrowthislikelytospikeevenfurtherin2017thankstoGooglesSeptember
2016announcementthat,beginninginJanuary2017,theGoogleChrome
browserwouldmarkallHTTPsitescollectingpasswordsorcreditcardsasnot
secure.Thecompanywentontostatethiswaspartofalargerplanto
eventuallymarkallHTTPtrafficassuch.vi

WhilethistrendtowardSSL/TLSencryptionisoverallapositiveone,italsomerits
awordofcaution.AswevediscussedinpastSonicWallAnnualThreatReports,
SSL/TLSencryptionmakesitmoredifficultforcyberthievestointerceptpayment
informationfromconsumers,butitalsoprovidesanuninspectedandtrusted
backdoorintothenetworkthatcybercriminalscanexploittosneakinmalware.

72017SonicWallAnnualThreatReport

NSSLabsreportedseeinganincreaseinboththenumberandsophisticationof
threatsthatleveragedencryption,observinga72percentyearoveryeargrowth
inthistypeofattack.vii

Thereasonthissecuritymeasurecanbecomeanattackvectoristhatmost
companiesstilldonothavetherightinfrastructureinplacetoperformdeep
packetinspection(DPI)inordertodetectmalwarehiddeninsideofSSL/TLS
encryptedwebsessions.Whilemostnextgenerationfirewallsareequippedto
performDPI,theytypicallysuffersuchamassivelossofperformancewhendoing
sothatitisntviableforcompaniestoenablethisfeature.Unfortunately,without
theseprotectionsinplace,therestofacompanyssecuritypostureismootas
themajorityoftrafficenteringthenetworkisnotbeinginspected.

Simplyput,SSL/TLSencryptionremainsamixedbagforsecurityteams.
OrganizationsthatdontinspectSSL/TLStrafficareshuttingtheireyestowell
overhalfofwhatsenteringtheirnetworks.Butcompanieswhoareprepared
andvigilantforthreatslurkinginencryptedtrafficwillenjoyanunprecedented
levelofprivacyandsecurityasaresultofthischangingtide.

82017SonicWallAnnualThreatReport

 DominantexploitkitsAngler,NuclearandNeutrino
disappearedinmid2016.
As2016began,themalwaremarketwasdominatedbyahandfulofexploitkits,
particularlyAngler,NuclearandNeutrino.However,followingthearrestofmore
than50RussianhackersforleveragingtheLurkTrojantocommitbankfraud,
theAnglerexploitkitsuddenlystoppedappearing.

ThecoincidenceseemedunlikelyenoughthatmanybelieveAnglerscreators
wereamongthosearrested.viiiForawhilefollowingAnglersdisappearance,
NuclearandNeutrinosawasurgeinusage,beforequicklyfadingoutaswell.

Tofillthisvoid,theremainingexploitkitsbegantofragmentintomultiple,
smallerversions.TheSonicWallGlobalResponseIntelligenceDefense(GRID)
ThreatNetworkobservedthatbythethirdquarterof2016,theRigexploitkit
hadevolvedintothreeversionsleveragingdifferentURLpatterns,landingpage
encryptionandpayloaddeliveryencryption:Rigstandard;RigV,alsoknownas
RigVIPversion;andRigE,ortheEmpireversion.AsNeutrinosstandardversion
fadedaway,NeutrinoV,knownastheVIPversion,startedappearing.

Asdifferentversionsoftheseexploitkitswereintroduced,theyevolvedto
utilizemultiplelevelsofobfuscationratherthansimpleJavaScriptobfuscation.
InthecaseofRig,SonicWallobservedtheuseofcryptographicalgorithmsto
obfuscatelandingpagesandpayloads.

Aswithspamandotherdistributionmethodsin2016,SonicWallsawexploitkits
becomepartoftheransomwaredeliverymachine,makingvariantsofCerber,
Locky,CrypMIC,BandarChor,TeslaCryptandotherstheirprimarypayloads
throughouttheyear.

However,exploitkitsneverreallyrecoveredfromthemassiveblowthey
receivedearlyintheyearwiththetakedownoftheirdominantfamilies.As
securityteamscontinuetodiscoverandexposehighprofilecyberattackers,we
canhopetoseethedownfallofmanyotherpervasivethreatsin2017.

92017SonicWallAnnualThreatReport

 Ransomwareusegrewby167xyearoveryearand
wasthepayloadofchoiceformaliciousemail
campaignsandexploitkits.
Themeteoricriseofransomwarein2016isunlikeanythingweveseeninrecent
years.TheSonicWallGlobalResponseIntelligenceDefense(GRID)Threat
Networkdetectedanincreasefrom3.2millionransomwareattackattemptsin
2014and3.8millionin2015toanastounding638millionin2016.Bytheendof
thefirstquarter,$209millioninransomhadbeenpaidbycompanies,andby
mid2016,almosthalfoforganizationsreportedbeingtargetedbya
ransomwareattackintheprior12months.ix

TheSonicWallGRIDThreatNetworkobservedransomwareattacksagainst
businessesofallsizesthroughouttheyear.Whilemanyvictimsofransomware
chosenottopublicizetheattacks,severalbreachesreceivednationalattention.
HollywoodPresbyterianMedicalCenterinLosAngelesadmittedtopaying
$17,000inbitcointoregainaccesstoitsdatainFebruary2016,whilethe
LansingBoardofWater&Light(BWL)revealedtheypaidransomwareattackers
$25,000inApril2016.x,xiIntheU.K.inSeptember2016,hosteddesktopand
cloudproviderVESKhandedover29bitcoins,worthabout$22,800USDatthe
time.xiiAndinNovember2016,theSanFranciscoMunicipalTransitAuthority
hadtoopenitsfaregateswhenaransomwareattacktookdownitspayment
andemailsystems,demanding100bitcoins,orabout$73,000atthetime.xiii

102017SonicWallAnnualThreatReport

Eachoftheseorganizations,andthecountlessotherswhowerehitwith
ransomware,facedanurgentandterrifyingdecision:whetherornottopaythe
ransom.Thosewhooptedtopayweresometimesabletonegotiatealower
ransomtoregainaccesstotheirsystems.Some,liketheKansasHeartHospital
thatwasattackedinMay2016,paidtheransomonlytostillbedeniedaccessto
theirdata.xiv

Sadly,whethertheransomwaspaidornot,thetotalcostoftheseattackscould
beenormous.Only42percentofcompaniesattackedwereabletofullyrecover
theirdatafromabackup.xvWhiletheLansingBWLpaid$25,000inransom,
administratorsrevealedthatrespondingtotheattackcostthem$2.4million,
with99percentofthecostcoveringtheircyberemergencyresponseteam;
stabilizationandrestorationefforts;andenhancementstocybersecurity
technologyandpersonnel.xviAddtothatthelikelihoodofincreasedinsurance
premiumsandthecostswillcontinuetomountinthemonthstocome.Itisa
steeppricetopaysimplybecauseanemployeeopenedacompromisedfile.xvii

Theunprecedentedgrowthofransomwarewaslikelydrivenbyeasieraccessin
theundergroundmarketandsupportedbythelowcostofconductinga
ransomwareattack;theeaseofspreadingit;andthelowriskofbeingcaughtor
punished.Theriseofransomwareasaservice(RaaS)maderansomware
significantlyeasiertoobtainanddeploy.Individualswhowantedtoprofitfrom
ransomwaredidntneedtobeexpertcoders,theysimplyneededtodownload
anddeployamalwarekit.SomeRaaSprovidersofferedtheirmalwareforfree,
whileotherschargedaflatrate,typically$100orless,orapercentageofthe
takeoften20percent.xviii,xix

Anotherfactordrivingtheusageofransomwarewasthemassadoptionof
Bitcoin.Beforecryptocurrencies,ransomwareattackssimplywerenotfeasible
duetotherisksassociatedwithacceptingtrackablepayments.

Throughouttheyear,theSonicWallGRIDThreatNetworkdiscoveredafewkey
ransomwaretrends:

Ransomwareremainedonanupwardclimbthroughouttheyear.
SonicWallGRIDThreatNetworkdatashowedthatransomware
attackswerenotlikelytodecreasegoinginto2017,astheincidence
continuedtorisequarteroverquarterthroughtheendof
December2016.ThefirstmajorspikecameinMarch2016when
ransomwareattackattemptsshotupfrom282,000to30million
overthecourseofthemonth,forafirstquartertotalof30.9million
hits.Thisupwardtrendcontinuedthroughouttheyear,withthe
fourthquarterclosingat266.5millionransomwareattackattempts.
Themostpopularpayloadformaliciousemailcampaignsin2016was
ransomware,typicallyLocky.Nemucod,aTrojandownloaderusedto
distributeransomware,wasutilizedin79percentofmalwaredelivering
spamattacksin2016.Contrastthiswith2015,whenthemostpopular

112017SonicWallAnnualThreatReport

 malwarevariantsdistributedthroughspamweredatastealingTrojans
fromtheDridexfamily.Lockywasbyfarthemostdeployedransomware,
utilizedinabout90percentofNemucodattacksandmorethan500
milliontotalattacksthroughouttheyear,comparedwithsecondfavorite
Petya,whichwasonlyusedin32millionattacks.Lockywasmost
commonlydeliveredviaemailasaMicrosoftWorddocumentattachment
undertheguiseofaninvoicefromavendorrequiringpayment.Whenthe
targeteduserwouldopentheattachment,heorshewouldbeinstructed
toenablemacros,whichwouldsetoffachainreactionleadingtothe
encryptionoftheusersfilesandtheserviceofaransomdemand.
Noindustrywassparedfromransomwareattackattempts.Industry
verticalsweretargetedalmostequally,withthemechanicalandindustrial
engineeringindustryreaping15percentofaverageransomwarehits,
followedbyatiebetweenpharmaceuticals(13percent)andfinancial
services(13percent),andrealestate(12percent)inthirdplace.
Exploitkitsbeganusingransomwareasapayload.In2015,wesaw
exploitkitsdeliveringmalwaresuchasworms,downloaders,infostealers
andbotnets.However,theSonicWallGRIDThreatNetworkdiscovered
thatmostofthemalwaredistributedbyexploitkitsin2016was
ransomware,commonlyfromtheLocky,Cerber,CrypMIC,BandarChor,
TeslaCryptfamiliesandothers.
CompaniesintheUnitedKingdomwere3xaslikelyasUnitedStates
companiestobetargetedbyransomware.TheSonicWallGRIDThreat
NetworkobservedthattheUnitedStatesexperiencedthehighest
numberofransomwareattacksin2016duetothelargevolumeof
businesses.However,companiesintheUnitedKingdomwerealmost
threetimesaslikelyasU.S.companiestobetargetedwithransomware,
whenaccountingforthesmallernumberofbusinessesintheU.K.andthe
highsaturationofransomware.Ontheotherhand,Chinawasleastlikely
tobetargeted,possiblyduetothecountrysrestrictedaccesstoBitcoin
andlowusageofTor.xx,xxi

Withthehighlikelihoodofbecomingatargetforransomware,itsimportantfor
allorganizationstobackuptheirdatacontinuouslytoabackupsystemthatis
eithernotalwaysonlineorutilizesauthentication.Thiswillhelpensurethatif
yourehitwithransomware,youdontaccidentallyreverttoanencryptedbackup.

122017SonicWallAnnualThreatReport

 InternetofThingsdeviceswerecompromisedona
massivescaleduetopoorlydesignedsecurityfeatures,
openingthedoorfordistributeddenialofserviceattacks.
Withtheirintegrationintothecorecomponentsofourbusinessesandlives,
InternetofThings(IoT)devicesprovideanenticingattackvectorforcybercriminals
whoarebecomingmoreinterestedasIoTbecomesincreasinglywidespread.

IoTattackssurgedin2016forafewreasons.IoTdevelopersandstartupshave
beenunderpressuretobeatcompetitorstomarket,oftenleadingthemto
launchtheirdeviceswithoutfullybakedsecurityfeaturesinplace.Thatsame
lackofsecurityfocusmeansunsecuredonboardingexperiencesinwhich
usersareneverpresentedwithanoptiontochangetheirpasswordfromthe
default.Furthermore,whencyberthievesdiscoveraweaknessinadevices
firmware,theyareabletoexploititadinfinitum,asthemanufacturerrarely
hasateamdedicatedtoupdatingandpatchingthoseissuesorinforming
userstheyvebeencompromised.Withoutanyregulations,guidelinesor
accountabilityforIoTdevicemakers,theworldofIoThasbecomeamassive,
managementenvironmentandaplaygroundforcybercriminals.

ThesesecuritygapsinIoTdevicesenabledcyberthievestolaunchthelargest
distributeddenialofservice(DDoS)attacksinhistoryduring2016.InSeptember
andOctober2016,attackersleveragedhundredsofthousandsofIoTdeviceswith
weaktelnetpasswordstolaunchDDoSattacksusingtheMiraibotnetmanagement
framework.ThefirstsignificantattackwasonhostingcompanyOVHandthe
secondonmajorDNSserviceproviderDyn,whichcausedserviceoutagesfor
prominentwebsitesincludingAirbnb,Netflix,Reddit,Twitter,Spotifyandmany
others.xxii,xxiii,xxiv

Whiletheexactcostoftheseattackshasnotbeenrevealed,DDoSattacksin
generalareestimatedtocostbusinessesanaverageof$22,000perminute,
withthecostrangingashighasover$100,000perminute.xxvWiththeaverage
DDoSattacklastingsixhours,thefinancialimpactcanbeenormous.

TheSonicWallGlobalResponseIntelligenceDefense(GRID)ThreatNetwork
observedvulnerabilitiesinallcategoriesofIoTdevicesin2016,including
smartcameras,smartwearables,smarthome,smartvehicle,smart
entertainmentandsmartterminals.DuringtheheightoftheMiraisurgein
November2016,SonicWallfoundtheUnitedStateswasbyfarthemost
targeted,with70percentofDDoSattacksdirectedtowardstheregion,
followedbyBrazil(14percent)andIndia(10percent).

TopreventyourIoTdevicesfromfallingvictimtoaDDoSattack,makesureyour
devicesarebehindanextgenerationfirewallwhichscansforIoTspecific
malwarelikeMirai.ItisalsocriticaltosegregateallIoTdevicesonaseparate
zonefromtherestofthenetworkincasethedevicebecomescompromised.

132017SonicWallAnnualThreatReport



IoTDDoSAttacks
Top3countriestargetedbyDDoSattacksin
NovemberduringtheheightoftheMiraibotnetsurge

142017SonicWallAnnualThreatReport

 Androiddevicessawincreasedsecurityprotections
butremainedvulnerabletooverlayattacks.
TheresnoquestionGoogleworkedhardin2016topatchthevulnerabilitiesand
exploitsthatcybercriminalshaveusedagainstAndroidinthepast.Inthefirst
quarter,wesawtheslowbutsteadyadoptionofthenewAndroidoperating
system,AndroidMarshmallow6.0,whichwasdesignedwithadditionalsecurity
featuresincludingarevampedapproachtopermissiongranting,morefrequent
securitypatchesandfulldiskencryption.GooglefollowedthatwithAndroid7.0
Nougat,whichincorporatedadditionalsecuritymeasures.xxvi,xxvii

However,attackersusednoveltechniquestobeatthesesecuritymeasuresand
Androidremainedapopular,riskpronetargetin2016:

Cybercriminalsleveragedscreenoverlaystosteallogininformation
andotherdata.Whereoverlayshavebeenusedinthepasttodeliver
ransomdemandstoransomwarevictims,attackersusedthemin2016
tomimiclegitimateappscreensandtrickusersintoenteringsensitive
data.TheSonicWallGlobalResponseIntelligenceDefense(GRID)
ThreatNetworkobservedthisfunctionalitybeingusedinmultiple
AndroidBankercampaignsandothers.xxviiiWhenAndroidresponded
withnewsecurityfeaturestocombatoverlays,SonicWallobserved
attackerscircumventingthesemeasuresbycoaxingusersinto
providingpermissionsthatallowedoverlaystostillbeused.xxix
WithHummingBad,adfraudmalwareevolvedtoalsoseekroot
access.HummingBadmalwarebombardedvictimsAndroiddevices
withaninsupportablenumberofadvertisements.Whilethefocusof
HummingBadseemedtobegeneratingrevenuebasedonaccidentalad
clicks,themalwarealsogaveattackersrootaccesstovictimsdevices,
implyingamoresinisterattackmightstillbeonthehorizon.xxx
Androidmalwareleveragedtheaidofsecuritytestingtoolslike
Metasploit.WhenMetasploitpenetrationtestingaddedtheabilityto
infiltrateAndroiddevices,theSonicWallGRIDThreatNetwork
observedmalwarestrainsthatcontainedtheseAndroidspecific
Metasploitmodules.Thisindicatesthatmalwareauthorshavebegun
usingMetasploitasanaidtoinfectAndroiddevices.xxxi
CompromisedadultcentricappsdeclinedonGooglePlaybut
continuedtofindvictimsonthirdpartyappstores.Ransomwarewas
acommonpayload,butsowereselfinstallingapps.TheSonicWallGRID
ThreatNetworkobservedmorethan4,000distinctappswithself
installingpayloadsinamatteroftwoweeks.xxxii,xxxiii
DressCodegaveusatasteofwhatcorporateAndroidmalware
couldlooklike.SonicWallobservedathreatacrossmultiple
AndroidappsthatusedtheSocketSecure(SOCKS)protocolto
establishaconnectionwiththeattackerscommandandcontrol
server,turningtheusersdeviceintoaproxy.Inthis

152017SonicWallAnnualThreatReport

 way,attackerscouldcircumventcompanyfirewallsandaccessany
resourceconnectedtotheinfecteddevice.Noknownvictimshave
beenidentifiedatthistime,however,wecaninterpretDressCode
asasignofthreatstocome.xxxiv

IfyourcompanyusesAndroiddevices,keeptheoptiontoinstallapplications
fromunknownsourcesuncheckedandbothoptionstoverifyapplications
checked.Avoidrooting,andinstallantivirusandothermobilesecurityappsfor
Androiddevices.Enableremotewipeincaseyourdeviceisstolenor
compromisedwithransomware.

162017SonicWallAnnualThreatReport

 Predictionsfor2017
Themoreclearlywecandeterminecyberattackerscurrentfocus,thebetter
wecaninfertheirnextmoves.Understandingthattodayscybercriminalsare
highlymotivatedtolaunchloweffort,quickpayoutattacksandhavebeen
experimentingwithInternetofThings(IoT)andothernewmethodsofattack,
wecanpredictsomeelementsofthethreatterrainahead.

PointofSaleMalware
Pointofsalemalwareinnovationwillremainlowasthieves
continuetoenjoythequickerpayoffandrelativeeaseoflaunching
ransomwareattacks.

SSL/TLSEncryption
EncryptedmalwareandadvancedthreatswillgrowasHTTPSweb
connectionsbecomestandardacrossindustries.

ExploitKits
Theexploitkitthreatlandscapewillremainfragmentedamong
newandsmallerexploitkitsafterthedownfallofmajorplayerswe
sawatthebeginningof2016.Inaddition,multipleversionsofeach
exploitkitwillremaininthewild.
Wellseeanadditionalemphasisonransomwareasthepayloadof
choiceforexploitkitsasitmagnifiesandthrivesbeyondthe
healthcareandfinancialindustries.

Ransomware
Themovementtoransomwareasaservice(RaaS)willcontinue
tomakeransomwareavailabletoabroaderrangeofless
sophisticatedcyberthreatactors,whoarelikelytouse
additionaldeploymenttechniquesastheygrowinexperience
andconfidence.
AttackerswillbegintousemalwaretotakecontrolofIoT
devicesanddemandransomassoonasthosedevicesreach
greatersaturationinhouseholdsandcorporateenvironments.
Forexample,athiefcouldpotentiallysuspendcompany
productionlines,citypowergrids,fleetsofdeliveryvehiclesor
evenconnectedpersonalhealthdeviceslikepacemakersin
exchangeforransom.

172017SonicWallAnnualThreatReport

 Ransomwareattackswillbecomemorecreativeasattackers
identifymorerepositoriesofvaluabledatathattheycanexploit.
Forexample,ransomwarehasalreadyexpandedtoattackpoorly
securedwebsitesanddatabasesontheweb,holdingentiresitesor
databasesforransomduetoITadministratorsfailuretokeepup
withbestsecuritypractices.
Emailwillcontinuetobeahighlyeffectivedistributionvectorfor
ransomwareascompaniesscrambletoputmoreeffective
advancedthreatpreventionsystemsandemployeetraining
proceduresinplace.

InternetofThings
IoTbaseddistributeddenialofservice(DDoS)attackswillcontinue
afterthesuccessoftheMiraibotnetsmodelandmaybeginto
morefrequentlytargetecommercesitesandothersthatheavily
dependonuptimeforprofitability.DDoSattacksmayalsoserveas
adiversionforsimultaneousexfiltrationattacks.
ThemasscompromiseofIoTdeviceswillbeusedforfinancialgain
inwaysbeyondDDoSattacks.Wemaybegintoseelargeprivacy
leakincidentsinvolvinglocationdata,cameravideosandhealth
relatedinformation.
AttackersmaybegintoexploitIoTvulnerabilitiestotakecontrolof
property,forexamplebystealingadroneortakingcontrolofasmart
carssteeringwheel.

AndroidMalware
RansomwarewillcontinuetoplaguetheAndroidecosystem,as
mobiledevicestypicallycontainsensitiveuserdataandmanydo
notutilizecloudbackup.
Overlaybasedmalwarewillcontinuetoincreaseinnumbers.
MalwareauthorswilllookforwaystotargetAndroidfingerprint
readers.
WecanexpecttoseemoreAndroidmalwarethatmakesuseof
thirdpartytoolsandservicestoincreasetheattackpotency.
AsAndroidAutoandAndroidPaybecomemoremainstream,
malwarecreatorswilltrytoleveragethesenewthreatvectors.
FlashandSilverlightwillcontinuetobethemajortarget
applicationsforexploitkits.HoweverwiththedecreaseofFlash
usage,thenumberofexploitskitsleveragingthemwilldecline.

182017SonicWallAnnualThreatReport

 BestPracticesforanEffective
SecurityProgram
Withthedeclineofpointofsale(POS)malwarevariantsandexploitkits,itsclear
thattherecanberealandviableprogressinthewaragainstcybercriminals.The
toolsandresourcesavailabletoorganizationshaveneverbeenmorecapableof
creatingandsupportingasupremelevelofsecurity.However,itfallstoeach
individualsecurityteamtofollowbestpracticesfortheirinfrastructure.

Buildahumanfirewallbyteachingyouremployees,especiallythose
dealingwithpayments,howtodealwithpotentialthreats,suchas
maliciousemailsandsuspiciouspopups.Tellyourusersneverto
acceptaselfsigned,nonvalidcertificate.
IsolatethecorporatenetworkenvironmentintoLAN,WLANandVLAN
zonesandimplementmultifactorauthenticationforcrossvisiting.
Isolatecriticalsystems,InternetofThings(IoT)devicesandPOS
systemsaswell.
Deployanextgenerationfirewallthatiscapableofhighperformance
SecureSocketsLayer/TransportLayerSecurity(SSL/TLS)inspection
enabledtoensureyouareabletoinspectalltrafficregardlessofports,
protocolsorfilesize,decompressinganddecryptingeverypacketand
examiningeverybytetoidentifythreatsquickly.
Standardsandboxingsolutionsdonotcatchencryptedmalwaresince
theycannotseeinsideencryptedtraffic.SSL/TLSinspectionisa
necessity,asisanetworksandboxthatwillblocktrafficuntilitreaches
averdictandnotonlydetectzerodayattacksbutpreventtheminan
automatedfashion.
Addcontentfilteringtokeepusersfromvisitingdubioussites,anduse
agatewayantivirusandintrusionpreventionsystemtoprotectthem
fromcompromisedgoodsites.
Fororganizationswhodofallvictimtoaransomwareattack,before
revertingtoabackupitssmarttoensureitsarealattackbyidentifying
thenameoftheransomware.Thisisofteneitherpresentedinthe
ransomnoteordiscoverablebysearchingthesupportemailaddress
provided.Ifidentifyingthenameisdifficult,itsworthtryingtoclose
outofthescreenusingAltF4onWindowsorCommandWonMacOS
Xorforcingthedevicetorestart.Theabilitytoclosearansomware
promptisoftenasigntheransomwareisfake.xxxv
Keepallsoftware,includingbrowsers,operatingsystemsandIoT
firmware,uptodatewithsecuritypatches.
Updateyoursecuritysettingstoincreasebrowsersecuritylevels,
disableremotedesktopprotocol(RDP)andselectShowFile

192017SonicWallAnnualThreatReport

 Extensions.AlsobesuretorestrictMicrosoftOfficefilescontaining
macros.
Deployanenforcedendpointsolutionsoyoucandetectasystemthats
beencompromisedoutsidethenetworkandflagitforremediation.
Applywebbrowserplugins,suchastheNoScriptpluginfor
Firefox/Chrome,tocontrolscriptexecution.
Ensureyouareusingmultiplelayersofdefenseandproperlyintegrated
products.Startwithasecuritypolicythattrustsnothing(network,
resources,etc.)andnobody(vendors,franchisees,internalpersonnel,
etc.),andaddexceptionswhereneeded.

202017SonicWallAnnualThreatReport

 FinalTakeaways
Asthecyberarmsracecontinues,thethreatlandscapeiscontinuallyshapeshifting.
Theabundanceofaffordableandavailableransomwaremakesiteasierthanever
forattackerstoachieveaquickpayout.Meanwhile,thenumberofthreatvectors
andinsecuritieswithinatypicalorganizationareonlygrowingandbecomingmore
entrenched.Itsunsurprisingthatmanyoftodayscyberattacksarelaunched
throughemailorlurkinginthe62percentofwebtrafficthatisencrypted.

Butthegoodnewsistodayscybersecuritytechnologyismorethancapableof
protectingorganizationsfromthevastmajorityofattacks.Legacyfirewallsmay
onlypreventagainstknownthreatsandearlynextgenerationfirewalls(NGFWs)
arelimitedtodetecting,notpreventingzerodayattacks.Butsomemodern
NGFWsareremarkablygoodatnotonlydetectingbutpreventingransomware,
datatheftandthefullassortmentofadvancedthreats.

Tobeeffectiveagainsttodaysthreats,firewallsmustblockfilesuntiltheycan
bescannedandfoundtobeinnocuous,blockingzerodaythreatsatthe

gateway.Sincemostadvancedthreatsenterorganizationsthroughemail,
sandboxesshouldextendtocoveremailsecurityappliances.Atthesametime, Itsnotenoughto
companiesmustleverageSecureSocketsLayer/TransportLayerSecurity
thinklikeasecurity
(SSL/TLS)decryptiontechnologytoensurethatzerodaythreatsarentlurkingin
encryptedtrafficcomingintothenetwork.Byutilizingthesethreeseparate professional,you
techniquesforfindingzerodays,businessescandramaticallyimprovetheir
securityeffectivenessoverasingleengineapproach,makingitvirtually mustthinklike
impossibleformalwaretosucceed.

Inordertocontinuegaininggroundagainstcyberthreats,companiesofallsizes anattacker
needtoreexaminetheirsecuritybestpracticesandidentifywherevulnerabilities
totrulysee
maybeevident.Itsnotenoughtothinklikeasecurityprofessional,youmust
thinklikeanattackertotrulyseewhereyourprogramisweak. whereyour
Startwiththefollowingquestions: programisweak.
Arewesegmentingatriskcomputersfromcriticaldataandservices?
Areweleveragingadvancednetworkdetectionfeatures,includinga
multienginesandboxthatsupportsautomatedprevention?
Dowebackupandsecurelystoreourcriticaldataoffline?Havewe
performedteststoensurewecanreverttothatdataifneeded?When
wasthelasttimewepracticedourincidentresponseplan?
Dowecontinuallymonitorandpatchknownvulnerabilities?
Doweengageinapplicationwhitelisting,onlyallowingapproved
programstorunonournetworks?Arewelimitingtheabilityforhigh
riskapplicationstorunonournetwork?
Dowehaveacompleteanddocumentedcybersecurityriskanalysisfor
ourorganization?

212017SonicWallAnnualThreatReport

 Whichbusinessoperationsaremissioncritical,whichcanwecontinue
without,andhowlongcanweoperatewithoutthem?
Dowehaveaneffectivehumanfirewall,includingcontinualtraining
ofstaffonbestpracticesforrecognizingandavoidingspamand
malware?
Haveweattemptedtohackourownsystems?Ifso,didweaddressany
vulnerabilitieswefoundandaddwhatwelearnedtoourincident
responseplan?Haveweconductedastandardsecuritypenetration
testonourpublicfacingportals?

Asthemalwareandattacklandscapecontinuestoevolve,securityteamswill
continuetoinnovateswiftlyanddecisivelytocutcybercriminalsoffatevery
turn.Thetoolsthattodaysbusinessesneedtoemergevictoriousagainstcyber
criminalsarereadilyavailable,andasthievescontinuetoinnovatesecurity
solutionswillcontinuetoevolveinlockstep.

Butneithersecurityteamsnorcybercriminalsareatthecenterofthebattle.The
onesinthetrenchesaretheenterprises,SMBsandorganizationsaroundthe
globethatarebeingtargetedbycybercrimeonadailybasis.Theoutcomeofthis
cyberwarisuptoyou.Equipyourselfdailywitharenewedunderstandingofthe
shiftingbattlefield.Thentakeuparmsandbepreparedwithastrongand
strategicdefense.

Overa25yearhistory,SonicWallhasbeentheindustrystrustedsecuritypartner.OnlySonicWallcanuniquelydeliveranendto
end,automated,realtimebreachpreventionsolutionthatcanmanagethreatsacrossanydeliveryvehicle,packagetype,network
anddevice.SonicWallsnextgenerationfirewalls,highperformanceSSLinspection,Capturemultienginecloudsandboxservice,
SonicPointwirelesssecurity,emailsecuritywithencryptionandantiphishingprotection,andSSLsecuremobileaccessareallbuilt
uponablockuntilverdictfoundationthatdeliverstrueautomated,realtimebreachpreventiontohelporganizationsprevent
todaysadvancedthreats.

Thecomplete2017SonicWallAnnualThreatReportisavailableonlineat
https://www.sonicwall.com/whitepaper/2017sonicwallannualthreatreport8121810/

222017SonicWallAnnualThreatReport

 Resources

iMichaelRiley,BenElgin,DuneLawrence,andCarolMatlack,MissedAlarmsand40MillionStolenCreditCardNumbers:HowTargetBlewIt,Bloomberg

Businessweek,March13,2014,
http://www.businessweek.com/articles/20140313/targetmissedalarmsinepichackofcreditcarddata
iiGeneMarks,WhyTheHomeDepotBreachIsWorseThanYouThink,Forbes,September22,2014,

http://www.forbes.com/sites/quickerbettertech/2014/09/22/whythehomedepotbreachisworsethanyouthink/
iiiKatieLobosco,MichaelsHackHit3Million,CNNMoney,April18,2014,

http://money.cnn.com/2014/04/17/news/companies/michaelssecuritybreach/
ivSiennaKossman,8FactsaboutEMVcreditcards,Creditcards.com,December20,2016,http://www.creditcards.com/creditcardnews/emvfaqchipcards

answers1264.php
v
JasonPappalexis,TLS/SSL:WhereAreWeToday?,NSSLabs,October24,2016,http://www2.nsslabs.com/l/46762/20161017/4fy6lv
vi
EmilySchechter,Movingtowardsamoresecureweb,Google,September8,2016,https://security.googleblog.com/2016/09/movingtowardsmoresecure
web.html
viiJasonPappalexisandJayhendraPathak,TheEncryptedWeb:Part2MaliciousTraffic,NSSLabs,December13,2016,https://www.nsslabs.com/research

advisory/library/industry/encryption/theencryptedwebpart2malicioustraffic/
viiiKevinTownsend,DidAnglerExploitKitDiewithRussianLurkArrests?SecurityWeek,June13,2016,http://www.securityweek.com/didanglerexploitkit

dierussianlurkarrests
ixRoundup:RansomwareStatistics2016[Infographic],ArmadaCloud,2016,http://www.armadacloud.com/roundupransomwarestatistics2016/

xTrevorMogg,HollywoodHospitalPays$17,000toRansomwareHackers,DigitalTrends,February18,2016,

http://www.digitaltrends.com/computing/hollywoodhospitalransomwareattack/
xiBradleyBarth,Lansing,Mich.,utilityadmitspayingransomwaredemand,SCMagazine,November10,2016,https://www.scmagazine.com/lansingmich

utilityadmitspayingransomwaredemand/article/572180/
xiiKatHall,VESKcoughsup18kinransomwareattack,TheRegister,September29,2016,

http://www.theregister.co.uk/2016/09/29/vesk_coughs_up_18k_in_ransomware_attack/
xiiiSamuelGibbs,RansomwareattackonSanFranciscopublictransportgiveseveryoneafreeride,TheGuardian,November28,2016,

https://www.theguardian.com/technology/2016/nov/28/passengersfreeridesanfranciscomuniransomeware
xivRoundup:RansomwareStatistics2016[Infographic],ArmadaCloud,2016,http://www.armadacloud.com/roundupransomwarestatistics2016/

xvRoundup:RansomwareStatistics2016[Infographic],ArmadaCloud,2016,http://www.armadacloud.com/roundupransomwarestatistics2016/

xviLansingBoardofWater&Light,BoardmeetingAgenda,November15,2016,

https://www.lbwl.com/uploadedFiles/MainSite/Content/About_the_BWL/BWL_Governance/Minutes_and_Agendas/Packets/bwl_Nov2016_mtg_pkt.pdf
xviiDougOlenick,CyberattackknocksLansingutilityoffline,SCMagazine,April28,2016,https://www.scmagazine.com/cyberattackknockslansingutility

offline/article/528577/
xviiiHugewaveofLockyRansomwarespreadviaJavaScriptspam,SonicWallSecurityCenter,February19,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=901
xixTimothyWeaver,RansomwareasaServiceTakes20%,MajorGeeks,August17,2016,

http://www.majorgeeks.com/news/story/ransomware_as_a_service_takes_20.html
xxAllenScott,ThesearetheWorldsTop10BitcoinFriendlyCountries,Bitcoin.com,March29,2016,https://news.bitcoin.com/worldstop10bitcoinfriendly

countries/
xxiTop10countriesbydirectlyconnectingusers,TorMetrics,https://metrics.torproject.org/userstatsrelaytable.html?start=20160102&end=20161201

xxiiSwatiKhandelwal,Worldslargest1TbpsDDoSAttacklaunchedfrom152,000hackedSmartDevices,TheHackerNews,September27,2016,

http://thehackernews.com/2016/09/ddosattackiot.html
xxiiiNickyWoolf,DDoSattackthatdisruptedinternetwaslargestofitskindinhistory,expertssay,TheGuardian,October26,2016,

https://www.theguardian.com/technology/2016/oct/26/ddosattackdynmiraibotnet
xxivDarrellEtherington,LargeDDoSattackscauseoutagesatTwitter,Spotifyandothersites,TechCrunch,October21,2016,

https://techcrunch.com/2016/10/21/manysitesincludingtwitterandspotifysufferingoutage/
xxvAdrienneLaFrance,HowMuchWillTodaysInternetOutageCost?TheAtlantic,October21,2016,

http://www.theatlantic.com/technology/archive/2016/10/alot/505025/
xxviJohnEDunn,AndroidMarshmallows10mostimportantsecurityfeatures,Techworld,September30,2015,http://www.techworld.com/picture

gallery/security/androidmarshmallows10mostimportantsecurityfeatures3626468/
xxviiAlSacco,GoogledetailssecurityfeaturesinAndroid7.0Nougat,CIO,August16,2016,http://www.cio.com/article/3108382/android/googledetails

securityfeaturesinandroid70nougat.html
xxviiiAndroidBankerstealscreditcardinformationandtargetscertainbankingapps,SonicWallSecurityCenter,March7,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=906
xxixMaliciousbankertriestobypassAndroidMarshmallowsecuritybarriers,SonicWallSecurityCenter,September16,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=967
xxxAndroidAdcampaignHummingBadinfectsmillionsofdevices,SonicWallSecurityCenter,July8,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=944
xxxiMetasploitenhancedAndroidmalwarespottedinthewild,SonicWallSecurityCenter,April15,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=920
xxxiiNewAndroidLockscreencampaignspottedinthewild,SonicWallSecurityCenter,May12,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=929
xxxiiiSelfinstallingpornappsrampagetheAndroidecosystem,SonicWallSecurityCenter,June17,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=940
xxxivDressCodeAndroidmalwareequippedtoinfiltratecorporatenetworks,SonicWallSecurityCenter,October21,2016,

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=978
xxxvFahmidaY.Rashid,Howtotellifyouvebeenhitbyfakeransomware,InfoWorld,April29,2016,

http://www.infoworld.com/article/3062552/security/howtotellifyouvebeenhitbyfakeransomware.html

232017SonicWallAnnualThreatReport