Attacks/Breaches

4/9/2018
03:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ransomware Up for Businesses, Down for Consumers in Q1

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

Cybercriminals go where the money is, and these days the money is in cryptomining. Researchers detected a 28% increase in cryptomining malware among enterprise victims in the first quarter of 2018, during which "virtually all other malware was on the decline."

The data comes from Malwarebytes' Cybercrime Tactics and Techniques: Q1 2018 report, which pulls intel and statistics from consumer and business products between January and March 2018. Cryptomining, ransomware, and spyware were the biggest threats to business targets.

Attackers also capitalized on the public disclosure of the Meltdown and Spectre vulnerabilities, which prompted software and hardware vendors to issue patches to mitigate the threat. Cybercriminals are taking advantage of the issue and using it as a scare tactic for social engineering scams.

Scamming extended to cryptominers as well, with criminals creating fake support numbers for Coinbase users. By using poisoned search results, they redirect victims to a scam call center and steal their credentials. It's one of many ways crypto was the most prominent theme of Q1 2018.

Mining for Money

"The biggest thing going on is cryptomining is all over the place," says Adam Kujawa, head of malware intelligence at Malwarebytes. "In December it jumped up. Once the Bitcoin price reached 19,000, around that time we saw our biggest spike in detections of cryptominers of all types."

Cryptomining malware is increasingly lucrative for cybercriminals as digital currencies become more valuable. Malicious cryptomining affects all platforms, devices, operating systems, and browsers, and attackers are maximizing their reach by delivering miners via malspam campaigns, exploits, malicious APKs, and supply chain attacks. Beyond Bitcoin, they're going after alternate currencies including Monero, ByteCoin, and AEON.

"It seems like there's a lot more utilization of the user as a resource for the criminal rather than as a victim," says Kujawa. Instead of stealing data or credentials and trying to extort money, attackers are installing miners so their targets generate currencies for them.

While desktop-based cryptomining attacks are more popular, mobile devices are also targeted. Researchers noticed nearly 40 times more detections of Android miners, which were up 4,000%. On Macs, they saw nearly 1,000 detections of malware-based miners, browser extensions, and cryptomining apps in Q1, and 74% of those detections happened in March.

Malicious cryptomining appears less dangerous than ransomware but should not be underestimated, says Kujawa, pointing out the drain on computing resources. If not managed properly, miners could disrupt business or critical infrastructure operations by overloading systems until they become unresponsive. He anticipates miners will become more advanced.

"If cryptominers continue to be as profitable and interesting for cybercriminals as they have been, we're going to see the development of some very dangerous miners," he predicts, adding "they'll make a lot less noise, in my opinion."

"If you have a stealthy miner, one that hides and only uses a small percentage of processing power, that can hang out for a long time."

Ransomware, Spyware Try to Compete

Spyware, which dipped toward the end of last quarter, increased 56% during Q1 2018. Researchers saw more than 80,000 detections on enterprise endpoints, quadruple the amount seen in November 2017. Researchers attribute the spike to a campaign delivering Emotet spyware. Shortly after the spike, spyware began to drop again toward the end of the first quarter.

Ransomware dropped 35% among consumers but continued to be a problem for businesses, where detections are up but overall attack volume remains low. "It seems like there's been more and more activity pushing ransomware to businesses, where I believe the return on investment is worth it," says Kujawa.

The ROI for hitting consumers with ransomware is comparatively lower. After ransomware made major headlines in 2017, people had greater access to information on how to defend against attacks and back up their data. They aren't quite as likely to pay their attackers for its return; as a result, broad ransomware attacks aren't as lucrative.

"Attacks on businesses, that's where the money really comes from," he says. "Businesses don't have the option to say, 'I can go without those pictures.' They have to protect customer data."

There are fewer opportunities for ransomware distribution as major families are replaced by new threats. Major families Cerber, Locky, and Jaff have vanished, researchers report. Notable campaigns from Q1 include GandCrab, Scarabey, and Hermes. GandCrab, a new ransomware threat, generated more than $600,000 for attackers in January and February.

"Ransomware won't return to its former glory," Kujawa predicts. "But I don't think it's ever going to vanish completely."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Oh, No, Not Another Security Product
Paul Stokes, Founder & CEO of Prevalent AI,  8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-13106
PUBLISHED: 2018-08-15
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13107
PUBLISHED: 2018-08-15
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13108
PUBLISHED: 2018-08-15
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13100
PUBLISHED: 2018-08-15
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13101
PUBLISHED: 2018-08-15
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.