On Friday, October 21, 2016, a major distributed denial of service (DDoS) attack left the websites of major U.S. companies, including Twitter, PayPal, The New York Times, Box, Netflix and more, unreachable. The attack targeted managed DNS provider Dyn Inc., which hosts the authoritative DNS for these popular domains, so clients could no longer resolve those names even though the sites themselves were still running. The attack traffic originated from a large number of compromised IoT devices, including internet-connected cameras, routers and digital video recorders.
Data scientists spend a great deal of effort tracking cybercriminals, from specific individuals to entire organizations, studying their behavior and the methods they use to compromise data. Because DNS is a ubiquitous protocol that underlies most internet interactions, it is also fertile ground for cybercriminals, who rely on it to distribute malware and to reach their own infrastructure. Nominum Data Science examines massive volumes of DNS data, 100 billion queries daily, to detect anomalies and uncover the patterns of malicious code authors ahead of other security researchers.
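One concrete form such DNS anomaly detection can take, as an added example that is not Nominum's own method or code: score each client in a DNS query log by its NXDOMAIN rate and by the character entropy of the names it failed to resolve, a combination typical of malware that generates throwaway domains to find its controllers. The log format (client, query name, response code) and the sample lines are constructed for this example, and the thresholds are hypothetical starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log in a hypothetical "client qname rcode" format.
# 10.0.0.7 behaves like an infected host: a burst of random-looking names that do not exist.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 qkxz7v2hd9w1lp.com NXDOMAIN
10.0.0.7 a8d3kf92jdh1xq.net NXDOMAIN
10.0.0.7 zm1pq9v0sdk3lw.org NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.7 b72kqzr0xcm4pt.com NXDOMAIN
10.0.0.9 news.example.org NOERROR
10.0.0.9 login.example.com NOERROR
10.0.0.9 typo-exmaple.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a name, e.g. 'example' for 'www.example.com'.
    A real deployment would use the public suffix list; this simple split is an assumption."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Parse the constructed log format into (client, qname, rcode) tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, rcode = line.split()
        records.append((client, qname.lower(), rcode))
    return records


def score_clients(records, min_queries=3, nx_ratio=0.5, entropy_threshold=3.5, min_high_entropy=2):
    """Per-client statistics plus a 'flagged' verdict.

    A client is flagged when it has enough queries to judge, at least nx_ratio of them
    returned NXDOMAIN, and at least min_high_entropy of those failed names look machine-generated.
    Requiring both conditions keeps ordinary typos (low entropy) and busy but healthy hosts
    (low NXDOMAIN ratio) out of the alert list.
    """
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((qname, rcode))

    results = {}
    for client, queries in per_client.items():
        total = len(queries)
        nx_names = [name for name, rcode in queries if rcode == "NXDOMAIN"]
        high_entropy = sum(
            1 for name in nx_names if shannon_entropy(registrable_label(name)) >= entropy_threshold
        )
        flagged = (
            total >= min_queries
            and len(nx_names) / total >= nx_ratio
            and high_entropy >= min_high_entropy
        )
        results[client] = {
            "queries": total,
            "nxdomain": len(nx_names),
            "high_entropy_nx": high_entropy,
            "flagged": flagged,
        }
    return results


def flagged_clients(log_text):
    """Convenience wrapper: sorted list of client addresses that trip the heuristic."""
    scores = score_clients(parse_log(log_text))
    return sorted(client for client, stats in scores.items() if stats["flagged"])


if __name__ == "__main__":
    for client, stats in sorted(score_clients(parse_log(SAMPLE_LOG)).items()):
        print(client, stats)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

On the sample log only 10.0.0.7 is flagged: 10.0.0.9 has one NXDOMAIN that is a plain typo with low entropy, and 10.0.0.5 resolves everything it asks for. At the query volumes the paragraph describes, the same two signals would be computed per client and per time window in a streaming aggregator rather than over a single in-memory list, but the decision logic is the same.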
This story has been told thousands of times before – a botnet is born, a botnet goes down, a botnet tries to get its bots back together. But the story of Necurs is unique.
Locky is a recent cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is ransomware that encrypts a victim's files and demands payment for the key to decrypt them. It uses a number of different techniques to avoid being detected or blocked and takes great care to hide the path back to its operators: the code is obfuscated to evade antivirus and anti-malware software, the extortionists communicate over Tor, and they accept payment only in Bitcoin, which makes attributing the attacks to specific people very difficult.