Most malware use of TLS is linked to the increased use of legitimate web and cloud services. These TLS-protected services sometimes unwittingly host malware components. They can also serve as a destination for stolen data, or even be used to send commands to botnets.
The report claims there is an unprecedented increase in the use of TLS in ransomware attacks, especially in manually deployed ransomware attacks.
“We found that while TLS still makes up an average of just over two percent of the overall traffic Sophos classifies as ‘malware call-home’ over a three-month period, 56 percent of the unique C2 servers (identified by DNS hostnames) that communicated with malware used HTTPS and TLS. And of that, nearly a quarter is with infrastructure residing in Google’s cloud environment.”
Bad Traffic Looks Good
Sean Gallagher of SophosLabs completed a survey, with data gathered internally. The report is entitled “Nearly half of malware now use TLS to conceal communications.”