4/9/2018
03:35 PM

Ransomware Up for Businesses, Down for Consumers in Q1

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

Cybercriminals go where the money is, and these days the money is in cryptomining. Researchers detected a 28% increase in cryptomining malware among enterprise victims in the first quarter of 2018, during which "virtually all other malware was on the decline."

The data comes from Malwarebytes' Cybercrime Tactics and Techniques: Q1 2018 report, which pulls intel and statistics from consumer and business products between January and March 2018. Cryptomining, ransomware, and spyware were the biggest threats to business targets.

Attackers also capitalized on the public disclosure of the Meltdown and Spectre vulnerabilities, which prompted software and hardware vendors to issue patches to mitigate the threat. Cybercriminals are taking advantage of the issue and using it as a scare tactic for social engineering scams.

Scamming extended to cryptominers as well, with criminals creating fake support numbers for Coinbase users. By using poisoned search results, they redirect victims to a scam call center and steal their credentials. It's one of many ways crypto was the most prominent theme of Q1 2018.

Mining for Money

"The biggest thing going on is cryptomining is all over the place," says Adam Kujawa, head of malware intelligence at Malwarebytes. "In December it jumped up. Once the Bitcoin price reached 19,000, around that time we saw our biggest spike in detections of cryptominers of all types."

Cryptomining malware is increasingly lucrative for cybercriminals as digital currencies become more valuable. Malicious cryptomining affects all platforms, devices, operating systems, and browsers, and attackers are maximizing their reach by delivering miners via malspam campaigns, exploits, malicious APKs, and supply chain attacks. Beyond Bitcoin, they're going after alternate currencies including Monero, ByteCoin, and AEON.

"It seems like there's a lot more utilization of the user as a resource for the criminal rather than as a victim," says Kujawa. Instead of stealing data or credentials and trying to extort money, attackers are installing miners so their targets generate currencies for them.

While desktop-based cryptomining attacks are more popular, mobile devices are also targeted. Researchers noticed nearly 40 times more detections of Android miners, which were up 4,000%. On Macs, they saw nearly 1,000 detections of malware-based miners, browser extensions, and cryptomining apps in Q1, and 74% of those detections happened in March.

Malicious cryptomining appears less dangerous than ransomware but should not be underestimated, says Kujawa, pointing out the drain on computing resources. If not managed properly, miners could disrupt business or critical infrastructure operations by overloading systems until they become unresponsive. He anticipates miners will become more advanced.

"If cryptominers continue to be as profitable and interesting for cybercriminals as they have been, we're going to see the development of some very dangerous miners," he predicts, adding "they'll make a lot less noise, in my opinion."

"If you have a stealthy miner, one that hides and only uses a small percentage of processing power, that can hang out for a long time."

Ransomware, Spyware Try to Compete

Spyware, which dipped toward the end of last quarter, increased 56% during Q1 2018. Researchers saw more than 80,000 detections on enterprise endpoints, quadruple the amount seen in November 2017. Researchers attribute the spike to a campaign delivering Emotet spyware. Shortly after the spike, spyware began to drop again toward the end of the first quarter.

Ransomware dropped 35% among consumers but continued to be a problem for businesses, where detections are up but overall attack volume remains low. "It seems like there's been more and more activity pushing ransomware to businesses, where I believe the return on investment is worth it," says Kujawa.

The ROI for hitting consumers with ransomware is comparatively lower. After ransomware made major headlines in 2017, people had greater access to information on how to defend against attacks and back up their data. They aren't quite as likely to pay their attackers to get their data back; as a result, broad ransomware attacks aren't as lucrative.

"Attacks on businesses, that's where the money really comes from," he says. "Businesses don't have the option to say, 'I can go without those pictures.' They have to protect customer data."

There are fewer opportunities for ransomware distribution as major families are replaced by new threats. Major families Cerber, Locky, and Jaff have vanished, researchers report. Notable campaigns from Q1 include GandCrab, Scarabey, and Hermes. GandCrab, a new ransomware threat, generated more than $600,000 for attackers in January and February.

"Ransomware won't return to its former glory," Kujawa predicts. "But I don't think it's ever going to vanish completely."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
