AnubisNetworks' newest case study highlights the challenge of a financial institution that had realized the limitations of monitoring only internal events on top of its perimeter and endpoint security systems. Our client therefore needed high-quality, actionable external threat information that could be immediately correlated with the internal events its SOC was already collecting.
From time to time we have the opportunity to sinkhole domains that have a high volume of traffic and are part of a mobile device botnet. At the beginning of July we registered a domain that we found to be part of the AndroidBauts family, with over 550,000 devices seen in a 24-hour period, affecting mostly India and Indonesia out of a total of 216 countries. The piece of software that triggers this traffic was present in four (since removed) Google Play Store applications.
Not long ago we put together an overview of the top families, trends and innovations, and we showed how ransomware has evolved until it became one of the main threats affecting users and organizations. However, not everything is perfect for ransomware authors, and this time we will focus on what is going wrong and how ransomware authors sometimes fail when trying to profit from victims.
As you may recall, Ramnit was targeted by a law enforcement takedown back in February 2015, and we at AnubisNetworks supported it. We kept up our vigilance after that operation, and since then the average number of infections in a 24-hour period has been around 300,000. This large number of residual infections after a takedown is normal for big botnets like those built with Ramnit: if no one cleans an infected computer, it remains infected even when the botnet's command and control is down.
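Both the AndroidBauts and the Ramnit figures above are counts of distinct infected devices per 24-hour window, not raw sinkhole hits. The following is an added example, not AnubisNetworks' own tooling, showing how such a count is derived from sinkhole logs: hits are bucketed into fixed 24-hour UTC windows, deduplicated per victim identifier, and broken down by country. The log format (timestamp, source IP, ISO country code, victim identifier) and the log lines themselves are constructed for the example.

```python
"""Aggregate sinkhole hits into per-24h unique-victim counts.

Added illustration, not AnubisNetworks code. The log format is an assumption:
"<ISO-8601 UTC timestamp> <source IP> <ISO country code> <victim id>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sinkhole log (not real telemetry). The same victim
# beaconing repeatedly inside one window must be counted once, which is why
# raw hit counts overstate the infected population.
SAMPLE_LOG = """\
2015-07-01T00:05:12Z 203.0.113.10 IN dev-a1
2015-07-01T00:05:42Z 203.0.113.10 IN dev-a1
2015-07-01T03:17:09Z 198.51.100.7 ID dev-b2
2015-07-01T11:40:00Z 203.0.113.11 IN dev-c3
2015-07-01T23:59:59Z 192.0.2.5 BR dev-d4
2015-07-02T00:00:01Z 203.0.113.10 IN dev-a1
2015-07-02T09:30:00Z 198.51.100.8 ID dev-e5
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line; a malformed line raises rather than being silently skipped."""
    ts, ip, country, victim = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, country, victim


def window_start(when, hours=24):
    """Floor a timestamp to the start of its fixed-width UTC window (24h by default)."""
    width = timedelta(hours=hours)
    n = (when - EPOCH) // width
    return EPOCH + n * width


def unique_victims_per_window(log_text, hours=24):
    """Return {window_start: {country: set(victim ids)}} built from sinkhole hits."""
    windows = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _ip, country, victim = parse_line(line)
        windows[window_start(when, hours)][country].add(victim)
    return windows


def summarize(windows):
    """Flatten to {window_start: (unique victims, number of countries, {country: victims})}."""
    out = {}
    for start, by_country in windows.items():
        all_victims = set().union(*by_country.values())
        out[start] = (
            len(all_victims),
            len(by_country),
            {c: len(v) for c, v in by_country.items()},
        )
    return out


def raw_hit_count(log_text):
    """Number of log lines, i.e. what a naive 'infections' metric would report."""
    return sum(1 for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    summary = summarize(unique_victims_per_window(SAMPLE_LOG))
    print("raw hits:", raw_hit_count(SAMPLE_LOG))
    for start in sorted(summary):
        total, n_countries, per_country = summary[start]
        print(start.date(), "unique victims:", total,
              "countries:", n_countries, per_country)
```

On the constructed log this yields 7 raw hits but only 4 distinct victims on the first day and 2 on the second, which is the kind of gap between hit volume and infected population that a "devices per 24h" figure is meant to remove. In real sinkhole data the victim identifier is whatever the malware's beacon exposes (a bot ID, or failing that the source IP, which undercounts behind NAT and overcounts on dynamic addressing), so the choice of identifier should be stated alongside any published count.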