When it comes to active malware infection, as many as 18.5 percent of a company's computers are actively communicating with criminals, according to Damballa's "State of Infections" report.
No firm is exempt, as this occurs across both large and small enterprises, the study found. Company policies, more than company size, determine the "cleanliness" of any given network.
"We recommend that security teams work under the assumption that prevention is not fail proof, so the ability to automatically detect and accelerate the time to response is essential to minimizing risk," says Brian Foster, CTO of Damballa, a firm that detects active threats and provides cyber protection and containment.
Damballa reports a rise in Kovter ransomware infections over the past 18 months; ransomware is so called because it locks the victim out of his or her computer until the victim agrees to pay a fee, which can be as high as $1,000. At its height, these infections reached 43,713 devices in a single day. Month over month, average daily infections increased 153 percent in May and 52 percent in June.
However, there is some good news: Ransomware was dealt a crippling blow after the Department of Justice initiated Operation Tovar, which aimed to dismantle the GameOver Zeus botnet and its destructive payload CryptoLocker. The DOJ estimates that CryptoLocker compromised more than 260,000 computers worldwide, about half of which occurred in the U.S. More than $30 million in ransom was collected between September and December 2013, the FBI reports.
"When it comes to mass infections, we can apply best practices from Operation Tovar as a blueprint for managing global cyber public health," Foster says. "It underscores the need for continued, coordinated efforts across the security community."
These best practices for a malware takedown include:
- Global partnerships between public and private entities;
- Criminal and civil legal processes designed to stop communications between infected computers;
- Cooperation from domain registrars who agreed to block or sinkhole the domain generation algorithm (DGA) elements of the infections; and
- Mass notification of victims and easy access to malware removal kits.
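Two of the practices above, sinkholing DGA domains and notifying victims, depend on first spotting which machines are looking up algorithmically generated names. The following is an added illustration, not code from Damballa, the DOJ, or the report: it runs a simple entropy-and-vowel heuristic over a few constructed DNS query log lines, groups the hits by client address so the owners of infected hosts can be notified, and shows a resolver answering a blocked domain with a sinkhole address. The log format, the sample domains, the thresholds, and the sinkhole IP (from the RFC 5737 documentation range) are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed sample DNS query log (timestamp, client, "query", domain); not from the report.
SAMPLE_DNS_LOG = """\
2014-06-02T10:01:12 10.0.0.12 query www.example.com
2014-06-02T10:01:13 10.0.0.12 query mail.example.com
2014-06-02T10:01:15 10.0.0.27 query xk3q9zpt7lwvbm.net
2014-06-02T10:01:15 10.0.0.27 query p8vq2rjd1hzktx.com
2014-06-02T10:01:16 10.0.0.27 query m4ynbw7c2svaq8.org
2014-06-02T10:01:20 10.0.0.40 query cdn.example.org
"""

# Hypothetical sinkhole address (RFC 5737 documentation range), chosen for the example.
SINKHOLE_IP = "192.0.2.1"

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character; 14 distinct characters give log2(14), about 3.81."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label of a name, e.g. 'example' for 'www.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str, min_len: int = 10,
                    min_entropy: float = 3.5, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic DGA check: a long, high-entropy label with few vowels.

    Thresholds are assumptions for this example; real deployments tune them
    against known-good traffic to keep false positives (CDN hostnames, hashes
    in legitimate names) under control.
    """
    label = registrable_label(domain)
    if len(label) < min_len:
        return False  # short labels cannot reach the entropy threshold anyway
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_suspect_hosts(log_text: str) -> dict:
    """Map each client that queried DGA-looking names to the set of those names."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # ignore malformed or unrelated log lines
        _timestamp, client, domain = match.groups()
        if looks_generated(domain):
            suspects[client].add(domain)
    return dict(suspects)


def resolver_answer(domain: str, sinkholed: set) -> Optional[str]:
    """Answer a blocked domain with the sinkhole IP; None means forward normally."""
    return SINKHOLE_IP if domain.lower().rstrip(".") in sinkholed else None


if __name__ == "__main__":
    suspects = find_suspect_hosts(SAMPLE_DNS_LOG)
    for client, domains in suspects.items():
        # Victim notification step: one line per host that needs cleanup.
        print(f"notify owner of {client}: {len(domains)} DGA-like lookups")
    sinkholed = set().union(*suspects.values()) if suspects else set()
    print("xk3q9zpt7lwvbm.net ->", resolver_answer("xk3q9zpt7lwvbm.net", sinkholed))
```

Run as a script it reports the one client in the sample log that issued three DGA-looking lookups and shows the sinkhole answer for one of those names; in practice the sinkhole's own query log becomes the victim list used for notification.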