Threats

Visualizing 2016's Top Threats

Austin McBride
Updated — August 3, 2020 • 5 minute read

2016 brought us more traffic than ever, and with that we identified and protected our customers from a barrage of new attacks, threats, and actors. Understanding these evolutions is paramount to a strong defense. In this post we will visualize and summarize some of the biggest threats highlighted in the Cisco Annual Cybersecurity Report (ACR).

To create these visualizations, we selected a number of domains that we have tagged as the particular threat, then used the Investigate API to pivot across co-occurring domains, IP addresses, file hashes, registrant information and other attributes to build a graph of their relationships. Finally, we used OpenGraphiti to visualize these graphs and uncover their structure. The end result is the intriguing visualizations below.

Red nodes are known-blocklisted domains, gray nodes are often benign domains, green nodes are popular known-good domains, orange nodes are IP addresses, and blue nodes are file hashes. The pulses indicate DNS traffic between nodes. Nodes with rings around them are the seed domains we initially pivoted on. In some cases we may have chosen to recolor certain nodes in order to provide a clearer visualization, or to emphasize a particular relationship.
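The pivot-and-color procedure above, as an added example that is not part of the original post and does not call the Investigate API: it builds an undirected relationship graph from a constructed set of (entity, entity) records, walks outward from the seed domains with a depth-limited breadth-first search, and assigns each node the legend's color (red/gray/green for domains, orange for IPs, blue for hashes) plus a ring flag for seeds. The `.example` domains, documentation-range IPs and the `sha256:` hash value are all placeholders; the blocklist and popular-domain sets are likewise constructed. Gray domains that land next to red ones through a shared IP or hash are the ones an analyst would pull out for review.

```python
import ipaddress
from collections import deque

# Constructed sample relationships (hypothetical data, not Investigate API output).
# Each tuple joins two entities; the graph is undirected. Domains use .example,
# IPs come from documentation ranges, and the hash value is a placeholder.
RECORDS = [
    ("seed-a.example", "203.0.113.10"),        # seed domain resolves to an IP
    ("seed-a.example", "payload-b.example"),    # co-occurring domain in client traffic
    ("payload-b.example", "203.0.113.10"),      # shares hosting with the seed
    ("payload-b.example", "sha256:deadbeef00"), # hash of a file served (constructed)
    ("203.0.113.10", "keys-c.example"),         # third domain on the same IP
    ("keys-c.example", "sha256:deadbeef00"),    # same hash observed via keys-c
    ("keys-c.example", "cdn.popular.example"),  # co-occurs with a popular domain
    ("cdn.popular.example", "198.51.100.5"),    # popular domain's own hosting
    ("198.51.100.5", "unrelated-d.example"),    # far enough out to fall off the graph
]

BLOCKLISTED = {"seed-a.example", "payload-b.example", "keys-c.example"}  # constructed
POPULAR = {"cdn.popular.example"}                                        # constructed
SEEDS = {"seed-a.example"}


def build_graph(records):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def pivot(graph, seeds, max_hops):
    """Breadth-first pivot from the seeds; returns {node: hop distance}.
    Nodes at max_hops are kept but not expanded, bounding the graph size."""
    hops = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def node_kind(node):
    """Classify an entity as 'hash', 'ip' or 'domain' by its form."""
    if node.startswith("sha256:"):
        return "hash"
    try:
        ipaddress.ip_address(node)
        return "ip"
    except ValueError:
        return "domain"


def node_color(node, blocklisted, popular):
    """Colour per the post's legend: orange IP, blue hash, red blocklisted
    domain, green popular domain, gray for any other (often benign) domain."""
    kind = node_kind(node)
    if kind == "ip":
        return "orange"
    if kind == "hash":
        return "blue"
    if node in blocklisted:
        return "red"
    if node in popular:
        return "green"
    return "gray"


def render(records, seeds, blocklisted, popular, max_hops=2):
    """Pivot from the seeds and attach hop count, colour and ring flag to each node."""
    hops = pivot(build_graph(records), seeds, max_hops)
    return {
        node: {"hops": h, "color": node_color(node, blocklisted, popular), "ring": node in seeds}
        for node, h in sorted(hops.items(), key=lambda kv: (kv[1], kv[0]))
    }


def color_counts(nodes):
    """How many nodes of each colour ended up in the rendered graph."""
    counts = {}
    for info in nodes.values():
        counts[info["color"]] = counts.get(info["color"], 0) + 1
    return counts


if __name__ == "__main__":
    for node, info in render(RECORDS, SEEDS, BLOCKLISTED, POPULAR, max_hops=3).items():
        ring = " (seed, ringed)" if info["ring"] else ""
        print(f"hop {info['hops']}  {info['color']:6}  {node}{ring}")
```

Raising `max_hops` pulls in the popular CDN domain and its hosting; that is exactly where a real graph grows noisy, which is why the post mentions recoloring or trimming nodes to keep a relationship readable.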

Locky

Without a doubt, Locky was one of the noisiest threats of the past year. This commodity ransomware can be built and distributed by any ambitious tech-savvy criminal due to continued Ransomware as a Service (RaaS) offerings. Campaigns involving Locky often used Necurs to aggressively email its broad range of targets with attachments containing droppers or links to download sites. On one day in late 2016, one of our mailboxes saw Locky in one-third of all email it received. Throughout the year, attackers modified the file extension used after a file was encrypted, resulting in a number of mythology-inspired variants. Every week resulted in a new variant, until it reached meme level. The degradation of file extensions started on theme with Zepto, Odin, Thor, Aesir and Osiris but then plummeted quickly with extensions like ZZZZ and S**T.

This visualization has an interesting structure that looks somewhat like a skeleton key if you squint at it the right way. We chose this key imagery to symbolize the use of public/private keys by ransomware like Locky. Once the system is infected, the malware communicates back to an attacker-controlled server to retrieve the key it will use to encrypt the data it will ultimately hold for ransom. The cluster of red nodes at the tip of the key shows the tightly interconnected structure of the domains used to host malware and generate keys.

Cerber

On board with the memo about the mythology naming convention, Cerber entered the Ransomware-as-a-Service scene in early 2016 with a splash. It quickly gained adoption and began to be distributed using popular exploit kits after touting offline encryption capabilities, a refusal to infect certain Eastern European/Northern Central Asian countries, and a mature approach to infection and evasion. Later improvements targeting databases indicate its creator’s vision is to target bigger companies who can pay out more – after all, from the criminal’s perspective, many organizations are getting off easy with a $500 USD ransom.

Our visualization of Cerber is focused around one registrant – this registrant has 57 registered domains, of which 46 are associated with Cerber. Visualizing these domains and their connections reveals the actor’s infrastructure and how it’s used to host Cerber and other malware.

Nemucod

Nemucod, a JavaScript downloader, played an important role throughout the year by achieving a foothold for further infection on the target’s system. Its small size made it lightweight enough for use as an email attachment, and regular obfuscation/encapsulation changes meant it often succeeded in bypassing detection systems. Nemucod jumpstarted the infection by retrieving and executing the actor’s primary payload. This is most commonly ransomware such as Locky, but it has also been used with adware and ad-clicking malware like Miuref, Kovter, and Diplugem.

Dridex

Dridex is no stranger to top threat lists since the banking trojan and botnet first popped up in 2012. Infections rose steadily until 2015, when an international law enforcement operation resulted in the arrest of a key figure in its administration. That didn’t stop Dridex, though: it continued to infect and enroll users into its botnet throughout 2016. Dridex is most widely known for its ability to inject into various web browsers to steal user credentials and take screenshots of banking websites. Its campaigns were among the first to weaponize Office document macros in email attachments for early-stage infection.

GozNym/Kryptik

GozNym, also known as Kryptik, has a checkered history. The malware was the result of the merger of an advanced banking trojan whose source code was leaked publicly and a downloader. Like Dridex, GozNym aimed to compromise infected users’ banking credentials. GozNym leveraged some of the most refined and tailored macro-enabled Word documents as the initial downloader. Once the malware was executed, it employed an impressive array of anti-detection and advanced runtime techniques, using return-oriented programming to execute functionality using already loaded modules.

Themes

The themes shared among these threats highlight the procedural trends actors continue to evolve year over year. We saw these trends play out before 2016, and we’ll undoubtedly see them continue through 2017.

Sent As An Email Attachment

Each of these threats is distributed via email as an attachment. Locky and Cerber are distributed broadly, while Kryptik and Dridex are often targeted. While exploit kits are also used to distribute these threats, email is still a very widely used distribution method.

Downloaders

The attachments mirror Nemucod in that they act as downloaders to retrieve malware and infect their target. The downloaders are usually written in JavaScript and VBScript, and often enclosed within a macro-enabled Office document or Zip file. They contact a hardcoded address to download the malicious executable containing the payload.

Reliance on External Systems

All of these threats also use a communication channel back to a system other than the download location, for various purposes. Ransomware needs to fetch its encryption keys, while the banking trojans use a command and control channel for issuing remote commands. A banking trojan may also redirect web traffic to imposter banking websites for credential collection.
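The two themes just described (a hardcoded download address, then a separate channel to a key server or C2) both show up as DNS resolutions, which is where a resolver-level defender can see them. The following is an added example, not code from the original post or from Cisco Umbrella: it parses a small constructed resolver log (the line format, client addresses, domains and IPs are all hypothetical), flags queries for blocklisted domains, flags otherwise-unknown domains that resolve to an IP already serving a blocklisted domain, and then looks for the download-then-contact sequence by listing which other domains a client resolved shortly after a blocklisted one.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <query> A <answer>" (hypothetical format).
SAMPLE_LOG = """\
2016-11-02T09:14:03Z 10.0.0.12 docs-share.example A 203.0.113.10
2016-11-02T09:14:05Z 10.0.0.12 payload-b.example A 203.0.113.10
2016-11-02T09:14:09Z 10.0.0.12 keys-c.example A 203.0.113.44
2016-11-02T09:15:40Z 10.0.0.31 cdn.popular.example A 198.51.100.5
2016-11-02T09:16:02Z 10.0.0.31 unrelated-d.example A 198.51.100.77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")
BLOCKLISTED = {"payload-b.example"}  # constructed blocklist


def parse_log(text):
    """Turn log lines into dicts with a parsed timestamp; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, client, query, answer = match.groups()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "query": query.lower(),
            "answer": answer,
        })
    return entries


def infrastructure_alerts(entries, blocklisted):
    """Alert on blocklisted domains and on any domain sharing an answer IP with one.
    The IP set is built in a first pass, so a shared-IP domain queried *before*
    the blocklisted one is still caught."""
    bad_ips = {e["answer"] for e in entries if e["query"] in blocklisted}
    alerts = []
    for e in entries:
        if e["query"] in blocklisted:
            alerts.append((e["client"], e["query"], "blocklisted domain"))
        elif e["answer"] in bad_ips:
            alerts.append((e["client"], e["query"], f"shares IP {e['answer']} with blocklisted domain"))
    return alerts


def followup_contacts(entries, blocklisted, window_seconds=120):
    """For each client, the distinct other domains it resolved within
    window_seconds after resolving a blocklisted domain: the pattern of a
    downloader reaching its payload and the payload then calling elsewhere."""
    by_client = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    result = {}
    for client, events in by_client.items():
        seen = []
        for i, hit in enumerate(events):
            if hit["query"] not in blocklisted:
                continue
            for later in events[i + 1:]:
                if (later["ts"] - hit["ts"]).total_seconds() > window_seconds:
                    break
                if later["query"] not in blocklisted and later["query"] not in seen:
                    seen.append(later["query"])
        if seen:
            result[client] = seen
    return result


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for alert in infrastructure_alerts(log, BLOCKLISTED):
        print("ALERT", *alert)
    for client, domains in followup_contacts(log, BLOCKLISTED).items():
        print("FOLLOW-UP", client, "->", ", ".join(domains))
```

The shared-IP rule is deliberately blunt: on shared hosting it will name benign neighbours, which is why the post's graphs carry gray nodes next to red ones rather than treating every co-hosted domain as malicious. The follow-up list is the lead for an analyst, not a verdict.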

Targeting Windows

All of these threats target the Windows operating system. While malware does exist for other operating systems, and some malware, like Adwind RAT, is written to be cross-platform, Windows still remains the primary target of most malware. This is likely due to its market share, specifically the dependence of businesses on it.

2017 and Beyond!

With 2017 underway, we are looking forward to new threats, themes and, of course, visualizations! We would love to hear what you think and the latest threats that you are visualizing.
