Infoblox reports huge rise in domains hosting ransomware
Rod Rasmussen, VP of Cybersecurity, Infoblox

Infoblox has announced a 35-fold increase in the number of domains being used to distribute and control ransomware in just the first three months of 2016. This surge in registrations coincides with all the major security companies reporting an increase in attacks, the availability of Ransomware-as-a-Service on the Dark Net and some ransomware operators shutting their doors.

According to Rod Rasmussen, vice president of cybersecurity at Infoblox: “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organisations, including major enterprises. The threat index shows cybercriminals rushing to take advantage of this opportunity.”

Europe on the rise as a centre for malicious domains

The information is included in the Q1 2016 Infoblox DNS Threat Index report which can be downloaded here. Apart from the number of domains being registered, the biggest surprise from this report is the rise of European countries as the hosts for these malicious domains. It will be interesting to see how the various Net regulators in these countries and at an EU level respond.

The US has dropped from 72% of the malicious domains to a mere 41% but still leads the market. Germany also saw a significant drop from 20% to under 2%. This is partly in response to actions by law enforcement and partly due to the rise of other countries. The five areas with the biggest increase are:

  • Portugal—17 percent
  • Russian Federation—12 percent
  • Netherlands—10 percent
  • United Kingdom—8 percent
  • Iceland—6 percent

Many of these domains will be using shared hosting services, which means that the IP addresses they use are shared with other people and businesses. This has the unintended consequence of placing legitimate and innocent businesses on the Internet blacklists that companies use to screen out malware and spam. The result can be that a company struggles to talk to its customers until it can convince their IT security teams that it is legitimate and not part of the problem.
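The collateral-damage problem described above is easy to reproduce on a small scale. The following Python snippet is an added illustration, not code from the article or from Infoblox: it takes a constructed passive-DNS-style table (all hostnames and addresses are made up, using documentation ranges) plus a list of known-bad names, shows which innocent tenants a naive IP-level blocklist would catch, and then builds a tenant-aware blocklist that blocks by address only where every name on that address is known bad and otherwise blocks by name.

```python
from collections import defaultdict

# Constructed sample data: hostname -> resolved IPv4 address on a shared host.
# 203.0.113.10 is a shared hosting address with four tenants, two of them bad;
# 198.51.100.7 is dedicated to a single malicious name.
RESOLUTIONS = {
    "ransom-dropper.example": "203.0.113.10",
    "c2-checkin.example": "203.0.113.10",
    "bakery-shop.example": "203.0.113.10",
    "law-firm.example": "203.0.113.10",
    "dedicated-c2.example": "198.51.100.7",
}

# Constructed threat-intel feed of known-bad hostnames.
KNOWN_BAD = {"ransom-dropper.example", "c2-checkin.example", "dedicated-c2.example"}


def tenants_by_ip(resolutions):
    """Invert the resolution table: IP -> set of hostnames that resolve to it."""
    by_ip = defaultdict(set)
    for name, ip in resolutions.items():
        by_ip[ip].add(name)
    return by_ip


def naive_ip_blocklist(resolutions, bad_names):
    """The shortcut many blacklists take: block every IP a bad name resolves to."""
    return {resolutions[name] for name in bad_names if name in resolutions}


def collateral_damage(resolutions, bad_names):
    """Innocent hostnames that the naive IP blocklist would also cut off."""
    blocked_ips = naive_ip_blocklist(resolutions, bad_names)
    return sorted(
        name for name, ip in resolutions.items()
        if ip in blocked_ips and name not in bad_names
    )


def tenant_aware_blocklist(resolutions, bad_names):
    """Block by IP only when every tenant on it is bad; otherwise block by name.

    Returns (ips_to_block, names_to_block).
    """
    ips_to_block, names_to_block = set(), set()
    for ip, names in tenants_by_ip(resolutions).items():
        bad_here = names & bad_names
        if not bad_here:
            continue
        if bad_here == names:
            ips_to_block.add(ip)        # nothing legitimate shares this address
        else:
            names_to_block |= bad_here  # shared host: block the names, spare the rest
    return ips_to_block, names_to_block


if __name__ == "__main__":
    print("naive IP blocklist:", sorted(naive_ip_blocklist(RESOLUTIONS, KNOWN_BAD)))
    print("innocent tenants caught:", collateral_damage(RESOLUTIONS, KNOWN_BAD))
    ips, names = tenant_aware_blocklist(RESOLUTIONS, KNOWN_BAD)
    print("tenant-aware: block IPs", sorted(ips), "and names", sorted(names))
```

In this sample the naive approach blocks both addresses and silently takes the bakery and the law firm offline, which is exactly the situation a legitimate business then has to argue its way out of. The tenant-aware version blocks only the dedicated address by IP and handles the two bad names on the shared host individually. In practice the tenant list would come from passive DNS or reverse-lookup data rather than a hard-coded table.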

A new battle to dominate the exploit kit market

Over the last couple of years the Angler exploit kit has dominated the market. What is interesting about this report is that Infoblox believes Angler is losing its position. Market share in Q1 2016 dropped from 56% to just 33% as new kits came on board and cyber criminals looked for other options.

Those other options appear, at the moment, to be a resurgence of two older exploit kits: RIG and Neutrino. Both have seen significant growth this quarter, although, coming from a low base, they have yet to overtake Angler. Part of that growth for these older kits comes from a significant set of upgrades, with new exploits now included.

Another reason for growth is effective propagation. Neutrino is called out for the way its controllers have improved its ability to spread across the Internet. It has a range of new techniques including the ability to poison Google search results using SEO and is linked to a number of large spam attacks.

The report does not mention the emergence of any new exploit kits. This is not surprising, as developing a new exploit kit, seeding it into the market and then growing its user base takes time. With the rise in state-sponsored cyber warfare it is likely that we will see new exploit kits that are currently being used for targeted attacks.


There is no question that threats are rising faster than companies can block them. Once again we see a significant increase in the ransomware market although this is more about infrastructure than new attacks. With the widespread adoption of ever more powerful encryption by cyber criminals the advice from law enforcement agencies is to pay up.

Payment is generally in bitcoin rather than other cryptocurrencies. In the last year we have seen the US and now the Australian governments selling their stashes of confiscated bitcoins. How long, therefore, before we see companies hold bitcoins alongside the other currencies they buy to manage their foreign trading?

It may even be that we see insurance companies who sell cyber insurance build up their stocks of these coins in order to help customers pay off ransomware attacks. Irrespective of how companies get their hands on bitcoins it would appear that investing now in order to be able to pay off attackers is just good business. Alternatively companies could just implement sensible data protection and backup policies but we’ve been saying that for over 30 years.
