4/9/2018
03:35 PM
Ransomware Up for Businesses, Down for Consumers in Q1

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

Cybercriminals go where the money is, and these days the money is in cryptomining. Researchers detected a 28% increase in cryptomining malware among enterprise victims in the first quarter of 2018, during which "virtually all other malware was on the decline."

The data comes from Malwarebytes' Cybercrime Tactics and Techniques: Q1 2018 report, which pulls intel and statistics from consumer and business products between January and March 2018. Cryptomining, ransomware, and spyware were the biggest threats to business targets.

Attackers also capitalized on the public disclosure of the Meltdown and Spectre vulnerabilities, which prompted software and hardware vendors to issue patches to mitigate the threat. Cybercriminals are taking advantage of the issue and using it as a scare tactic for social engineering scams.

Scamming extended to cryptominers as well, with criminals creating fake support numbers for Coinbase users. By using poisoned search results, they redirect victims to a scam call center and steal their credentials. It's one of many ways crypto was the most prominent theme of Q1 2018.

Mining for Money

"The biggest thing going on is cryptomining is all over the place," says Adam Kujawa, head of malware intelligence at Malwarebytes. "In December it jumped up. Once the Bitcoin price reached 19,000, around that time we saw our biggest spike in detections of cryptominers of all types."

Cryptomining malware is increasingly lucrative for cybercriminals as digital currencies become more valuable. Malicious cryptomining affects all platforms, devices, operating systems, and browsers, and attackers are maximizing their reach by delivering miners via malspam campaigns, exploits, malicious APKs, and supply chain attacks. Beyond Bitcoin, they're going after alternate currencies including Monero, ByteCoin, and AEON.

"It seems like there's a lot more utilization of the user as a resource for the criminal rather than as a victim," says Kujawa. Instead of stealing data or credentials and trying to extort money, attackers are installing miners so their targets generate currencies for them.

While desktop-based cryptomining attacks are more popular, mobile devices are also targeted. Researchers noticed nearly 40 times more detections of Android miners, which were up 4,000%. On Macs, they saw nearly 1,000 detections of malware-based miners, browser extensions, and cryptomining apps in Q1, and 74% of those detections happened in March.

Malicious cryptomining appears less dangerous than ransomware but should not be underestimated, says Kujawa, pointing out the drain on computing resources. If not managed properly, miners could disrupt business or critical infrastructure operations by overloading systems until they become unresponsive. He anticipates miners will become more advanced.

"If cryptominers continue to be as profitable and interesting for cybercriminals as they have been, we're going to see the development of some very dangerous miners," he predicts, adding "they'll make a lot less noise, in my opinion."

"If you have a stealthy miner, one that hides and only uses a small percentage of processing power, that can hang out for a long time."

Ransomware, Spyware Try to Compete

Spyware, which dipped toward the end of last quarter, increased 56% during Q1 2018. Researchers saw more than 80,000 detections on enterprise endpoints, quadruple the amount seen in November 2017. Researchers attribute the spike to a campaign delivering Emotet spyware. Shortly after the spike, spyware began to drop again toward the end of the first quarter.

Ransomware dropped 35% among consumers but continued to be a problem for businesses, where detections are up but overall attack volume remains low. "It seems like there's been more and more activity pushing ransomware to businesses, where I believe the return on investment is worth it," says Kujawa.

The ROI for hitting consumers with ransomware is comparatively lower. After ransomware made major headlines in 2017, people had greater access to information on how to defend against attacks and back up their data. They are less likely to pay attackers to get their data back; as a result, broad ransomware attacks aren't as lucrative.

"Attacks on businesses, that's where the money really comes from," he says. "Businesses don't have the option to say, 'I can go without those pictures.' They have to protect customer data."

There are fewer opportunities for ransomware distribution as major families are replaced by new threats. Major families Cerber, Locky, and Jaff have vanished, researchers report. Notable campaigns from Q1 include GandCrab, Scarabey, and Hermes. GandCrab, a new ransomware threat, generated more than $600,000 for attackers in January and February.

"Ransomware won't return to its former glory," Kujawa predicts. "But I don't think it's ever going to vanish completely."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
