What’s Been Happening in the Threat Landscape in the European Union

Recently, I had the opportunity to visit customers in several countries in the European Union (EU). The threat landscape in the EU has been changing rapidly, and in some unpredictable ways. I thought it was time to share some new data and insights based on data from the latest volume of the Microsoft Security Intelligence Report.

I have written about the threat landscape in the EU many times in the past. If you are interested in reading some of these previously published articles, here’s a partial list:

The Latest Picture of the Threat Landscape in the European Union – part 1
The Latest Picture of the Threat Landscape in the European Union – part 2
The Latest Picture of the Threat Landscape in the European Union – part 3
Ransomware is on the Rise, Especially in Europe
The Threat Landscape in the European Union at RSA Conference Europe 2013
European Union check-up: Locations with Lowest Infection Rates in the EU and What We Can Learn From Them
European Union Check-Up: Malicious Websites Hosted in the EU
European Union check-up: Romania still tops the list of most infected in the EU
Cyber-Threats in the European Union: First Half 2012
Cyber-Threats in the European Union
The Threat Landscape Shifts Significantly in the European Union – Part 1
The Threat Landscape Shifts Significantly in the European Union – Part 2
The Threat Landscape Shifts Significantly in the European Union – Part 3

Let’s start by looking at the locations in the EU with the lowest and highest malware encounter rates (ER). ER is the percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software during a given period of time. The worldwide average ER in the fourth quarter of 2015 was 20.8%. As Figure 1 illustrates, the “usual suspects” have the lowest ERs in the EU including Finland (8.6%), Sweden (11.4%), and Denmark (11.7%).

Figure 1: Locations in the EU with the lowest encounter rates in the fourth quarter of 2015 (4Q15)
061416_01

Figure 2 shows us that the locations with the highest ERs in the EU include Romania (31.3%), Bulgaria (29.8%), and Croatia (27.5%). As high as the ERs for these locations were in the fourth quarter of 2015, they were significantly lower than the countries/regions with the highest ERs in the world during the same period. These locations include Pakistan (63.0%), Indonesia (60.6%), the Palestinian Territories (57.3%), and Bangladesh (57.2%).

Figure 2: Locations in the EU with the highest encounter rates in the fourth quarter of 2015 (4Q15)
061416_02

You might have noticed the upward ER trend in figures 1 and 2. This is upward trend even more pronounced when looking at the malware infection rates in the region as seen in figures 3 and 4; these are systems that encountered malware and were successfully infected, a measure called computers cleaned per mille (CCM). The worldwide average infection rate in the fourth quarter of 2015 was 16.9 systems infected with malware for every 1,000 scanned by the Malicious Software Removal Tool (MSRT) or 1.69% of the 600 to 700 million systems the MSRT executes on each month. The worldwide infection rate almost tripled from the same period a year earlier. The average infection rate for the 28 countries/regions in the EU during the same period was a CCM of 21.1 or 2.1%. This is a CCM increase of 15.5 from a year earlier.

Figure 3: Locations in the EU with the lowest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)
061416_03

Even locations with consistently low malware infection rates saw large increases between the third and fourth quarters of 2015. As seen in Figure 3, Finland’s CCM, for example, nearly quadrupled in the fourth quarter. Figure 4 illustrates the locations with the highest infection rates in the EU, which include Romania (36.4), Croatia (35.2), Spain (34.0), while the worldwide average was 16.9. For context, the locations with the highest CCMs in the world during the same period include Mongolia (93.3), Libya (85.3), the Palestinian Territories (80.0).

Figure 4: Locations in the EU with the highest malware infection rates (CCM) in the fourth quarter of 2015 (4Q15)
061416_04

You are probably wondering what caused such a rapid increase in infection rates in the EU and worldwide? It would be easy to believe that the threat landscape just got a whole lot worse, but that’s not really the case. Every month, the Microsoft Malware Protection Center typically adds detection capabilities to the MSRT for one or more new families of malware that researchers believe are globally prevalent. Then the MSRT executes on 600 to 700 million systems worldwide. If researchers were correct about the families they added to the MSRT, the MSRT will clean the newly added threats from systems infected with those threats around the world.

Sometimes, like in the fourth quarter of 2015, one of the threats they added detection for was really prevalent and gets cleaned from lots of systems. The worldwide infection rate increased 175.9 percent in the final quarter of 2015, from a CCM of 6.1 in the third quarter to 16.9 in fourth quarter. Almost all of this increase was due to Win32/Diplugem, a browser modifier that shows extra advertisements as the user browses the web. The CCM for Diplugem alone in 4Q15 was 11.7, nine times as high as the CCM for the next most prevalent family, Win32/Gamarue.

As seen in Figure 5, detection for Win32/Diplugem, was added to the MSRT in the fourth quarter and was removed from more computers in the EU in 4Q15 than any other family by a significant margin. In the EU, Win32/Diplugem was removed from 15.4 computers for every 1,000 computers the MSRT executed on in the fourth quarter, or 1.54% of systems.

Figure 5: The top 10 families of threats cleaned by the MSRT in the EU during the fourth quarter of 2015
061416_05

One other threat family I will call your attention to is Win32/CompromisedCert. This is the third threat family listed in the top threats cleaned in the EU, in Figure 5. This is a detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer. This threat was cleaned consistently on systems in the EU throughout 2015. I was surprised to see Win32/CompromisedCert on the top 4 list of threats cleaned in locations like the UK, Germany and the Netherlands.

Almost everyone I talked to during my recent trip to some locations in the EU, was concerned about Ransomware. I wrote an article on Ransomware recently that provides some good context on this type of threat: Ransomware: Understanding the Risk. The data for the last half of 2015 suggests there was a slight increase in the ER for ransomware (0.26 percent in 3Q15, 0.40 percent in 4Q15), but it’s still a fraction of 1 percent and much lower than almost every other category of malware.

In the EU, 18 of the 28 countries had Ransomware encounter rates above the worldwide average as Figure 6 illustrates. Systems in Portugal and Italy encountered Ransomware more than any other locations in the EU. This isn’t surprising – I wrote that Ransomware was on the rise, especially in Europe, years ago. The good news is that Ransomware is one of the least encountered threats in the EU as Figure 7 illustrates.

Figure 6: Ransomware Encounter Rates in the EU during the fourth quarter of 2015
061416_06

Figure 7 illustrates shows us which locations in the EU have the highest and lowest encounter rates across different threat categories. The numbers in red are the highest ERs for that threat category while the numbers in pink are above the worldwide average. The numbers that aren’t shaded are the lowest ERs for that threat category and are below the worldwide average. With this data, I find it especially noteworthy that every location in the EU, with the exception of Finland, had encounter rates for Exploits above the worldwide average, in many cases two or three times higher. A contributing factor is that the Angler exploit kit (JS/Axpergle) was one of the most encountered threats in the EU in 2015, being encountered by more than 1% of systems in the fourth quarter of 2015.

Figure 7: Encounter Rates for Threat Categories in the EU during the fourth quarter of 2015
061416_07

From drive-by download URL data provided by Bing, Slovakia and Cyprus hosted the highest number of drive-by download pages per 1,000 URLs in the EU, as seen in Figure 8.

Figure 8: Drive-by download pages indexed by Bing at the end of the fourth quarter of 2015, per 1,000 URLs in each country/region
061416_08

Guidance to Protect Your Organization

Based on the specific threats we see in the EU, let me give you some guidance to help protect your organization.

  • Security Updates: given most locations in the EU have above average Exploit encounter rates and that the Angler exploit kit (JS/Axpergle) is a top threat encountered in the region, its critical for organizations to keep all software up to date with the latest security updates. This isn’t just your Microsoft software, it includes software from Adobe, Oracle, and every other vendor your organization procures software from. If you have vendors that don’t provide you with security updates, your organization isn’t getting its money’s worth. Data from the new Security Intelligence Report on industry vulnerability disclosures, shows us that there were 6,384 vulnerabilities disclosed across the industry in 2015 alone, which is a typical year. Organizations need to patch all of those vulnerabilities in their environment to protect themselves from the high level of exploit activity in the EU. Demand security updates from all of your vendors.
  • Up-to-date Anti-Malware Software: don’t let security experts convince you that anti-virus software is a waste of time. No software or hardware can protect your organization from all current and future threats. But running up-to-date anti-malware software from a trusted vendor will protect your organization from millions of current and future threats. We know from many studies over the years, using data from hundreds of millions of systems around the world, systems that run current anti-malware solutions have significantly lower malware infection rates than those that don’t (as seen in Figure 9).Figure 9: Infection rates for protected and unprotected computers in 2015
    061416_09
  • Ransomware: if you are trying to evaluate the risk to your organization that Ransomware poses, keep calm and stay vigilant; this is a low probability, high impact threat where there are numerous mitigations available. The best mitigation is maintaining current offline backups for critical data. Check out these two articles: Ransomware: Understanding the Risk, How to Deal with Ransomware.
  • Malicious Websites: one of the best ways organizations can protect their users from malicious and compromised websites is by mandating the use of web browsers with appropriate protection features built in and by promoting safe browsing practices. For in-depth guidance, see this article.
  • Modern Operating Systems and Browsers: the latest data clearly shows us that using a modern operating system, like Windows 10, and a modern browser, like Microsoft Edge, provides significant protection against the type of modern day threats I discussed in this article. If you haven’t done so yet, evaluate these newer products versus the older products your organization might be using. On older operating systems, like Windows 7, use the Enhanced Mitigation Experience Toolkit (EMET), if possible, to minimize exploitation of vulnerabilities in the software in your environment. See technet.microsoft.com/security/jj653751 for more information.
  • Regional Security Experts’ Advice: there are six things that security experts in the consistently least infected countries/regions in the world (like Finland) tell us helps them. Here’s the list:
    • Strong public – private partnerships that enable proactive and response capabilities
    • CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
    • An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
    • Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
    • Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
    • Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low

This was a long article, but I hope it was worth the time you spent reading it. You can get more details on every country/region in the EU and almost a hundred more locations, by visiting http://microsoft.com/sir and clicking on Regional Threat Assessment.

Tim Rains
Director, Security

About the Author
Tim Rains

Director, Security

Tim Rains is Director, Security at Microsoft where he helps manage marketing communications for Microsoft Cloud & Enterprise security, identity, and enterprise mobility products and services. Formerly, Tim was Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group where he helped Read more »