
Ransomware, Mac Malware Dominate Q1 Threat Landscape

Cerber, somewhat unexpectedly, emerged as the biggest ransomware threat, Malwarebytes found.

An analysis of the threat landscape in the first quarter of 2017 suggests that ransomware will continue to pose major problems for enterprises and individual users through the rest of the year.

Organizations can also expect to see increased malware development activity targeting Apple Mac and Android systems and evolving methods for distributing malware via exploit kits, social engineering methods and spam email, Malwarebytes said in a report this week.

"It’s important to realize that threats are constantly evolving, faster than we have ever seen before," says Adam Kujawa, director of malware intelligence at Malwarebytes. "This is mainly due to the increased resources available to the cybercrime community, which means more people, more money, more talent."

Cerber somewhat unexpectedly emerged as the most widely distributed ransomware sample in the first quarter of this year, displacing Locky from the top spot. Malwarebytes’ inspection of ransomware distribution trends last quarter showed Cerber growing its presence from 70% to 90% of overall share, while Locky vanished almost completely with a less than 2% share.

It’s unclear why Locky petered out so quickly, considering many had assumed it would dominate the ransomware scene this year. But it is likely that the authors of the malware either found a more profitable route or got entangled with law enforcement, Kujawa says.

Cerber, with its strong encryption and hosted distribution model, poses a potent threat to organizations and individuals. Its authors have made it relatively easy for criminals with little technical capability to acquire and distribute it through hosted ransomware-as-a-service operations. Recent additions, including a feature designed to evade antivirus tools that rely on machine learning and another that detects when the malware is running in a sandbox, have also made it harder to detect, Malwarebytes warned.

Mac Attack

The last quarter also saw a surge in Mac malware activity. New samples in the first three months of the year nearly equaled the number of Mac malware samples in all of 2016. A majority of them were backdoors with varying capabilities, levels of sophistication, and delivery mechanisms.

Many were designed to run arbitrary commands, download further malware, hijack the webcam, and siphon data from infected systems. The last quarter also saw a surge in the number of potentially unwanted programs in the Apple Mac App Store.

Based on the activity last quarter, Mac users can expect to see a big spike in malware and potentially unwanted applications directed at the platform this year, Malwarebytes said in its report.


On the Android front, two malware families in particular posed big problems for users. One was Trojan.HiddenAds.lck, an ad-serving app that actively prevented user attempts to uninstall it. The other was Jisut, an Android ransomware family that grew its presence dramatically last quarter, with tens of thousands of new samples introduced into the wild.

Malware activity in the last quarter also shows that threat actors are continuing to evolve their distribution methods, Kujawa says. "The bad guys are investing heavily in e-mail based attacks, which means phishing attacks that lead users to sites to trick them into downloading malware," he says. Many use scripts and password-protected archive files to download and install malware, or Microsoft Office documents that rely either on a macro embedded in the document or on some new exploit, he says.

"We did predict earlier this year that new evolutions would be made to the e-mail attack methodology and we were right about that," Kujawa says. "The data shows a continued use of this tactic and the continued dominance of ransomware as the primary malware type being pushed by cyber criminals."
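The delivery tricks Kujawa describes (scripts, password-protected archives, macro-bearing Office documents) are all visible from attachment headers alone, before anything is detonated. The script below is an added example, not code from Malwarebytes, Dark Reading or the report: it constructs sample attachments inline (a plain and a macro-enabled Office document, a hand-built archive with the ZIP encryption bit set and a script inside, and a bare script) and reports which indicators each one carries. The extension list, the indicator labels and the sample contents are assumptions for illustration.

```python
"""Attachment triage for the delivery tricks the report describes: scripts,
password-protected archives, and Office documents carrying a VBA project.
Added illustration, not Malwarebytes' or Dark Reading's code. The sample
attachments are constructed inline so the script runs offline."""
import io
import struct
import zipfile
import zlib

# Script types commonly mailed as droppers (assumed list, extend as needed).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat")
ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is encrypted


def build_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Hand-assemble a one-entry ZIP whose entry has the encryption bit set.

    The stdlib zipfile module cannot write encrypted entries, so the three
    records (local header, central directory, end-of-central-directory) are
    packed by hand. The payload stands in for the encrypted stream; triage
    reads only the headers, so its content does not matter.
    """
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    fname = name.encode("ascii")
    # Local file header: stored method, DOS date 1980-01-01, encryption flag on.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ENCRYPTED_FLAG, 0,
                        0, 0x21, crc, len(payload), len(payload), len(fname), 0)
    local += fname + payload
    # Central directory record mirrors the local header and points at offset 0.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, ENCRYPTED_FLAG,
                          0, 0, 0x21, crc, len(payload), len(payload), len(fname),
                          0, 0, 0, 0, 0, 0)
    central += fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def build_office_zip(with_vba: bool) -> bytes:
    """Minimal OOXML-shaped archive; the macro-enabled variant carries vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 magic plus padding; a real VBA project is a compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the sorted list of delivery indicators seen in one attachment."""
    findings = set()
    if filename.lower().endswith(SCRIPT_EXTS):
        findings.add("script attachment")
    if not data.startswith(b"PK\x03\x04"):
        return sorted(findings)  # not a ZIP container (docx/xlsm/zip all are)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                entry = info.filename.lower()
                if info.flag_bits & ENCRYPTED_FLAG:
                    findings.add(f"password-protected entry: {info.filename}")
                if entry.endswith("vbaproject.bin"):
                    findings.add("vba macro project in office document")
                if entry.endswith(SCRIPT_EXTS):
                    findings.add(f"script inside archive: {info.filename}")
    except zipfile.BadZipFile:
        findings.add("malformed archive")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed samples standing in for attachments pulled off a mail gateway.
    samples = {
        "invoice.docx": build_office_zip(with_vba=False),
        "invoice.docm": build_office_zip(with_vba=True),
        "scan.zip": build_encrypted_zip("scan.js", b"\x00" * 16),
        "update.js": b"var s = new ActiveXObject('WScript.Shell');",
    }
    for name, blob in samples.items():
        print(f"{name:14s} -> {triage_attachment(name, blob) or ['clean']}")
```

The encryption bit and the presence of vbaProject.bin are read from the archive's central directory, so a password-protected ZIP is flagged without ever knowing the password, which is exactly the property that makes such archives attractive to attackers who want to slip past content scanners. A gateway rule built on these indicators should quarantine rather than block outright, since legitimate users also mail macro workbooks and encrypted archives.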


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
4/23/2017 | 3:31:27 AM
Re: So great!
Hi Guys,

Well, my friends... The Ballmer initiative is likely to do some good by highlighting a few possible action areas in role government. But we don't hold hope that it will bring about major changes. We suspect USAFacts may end up pacing a step or two behind the government's ability to create data in new places. We Even if USAFacts can identify the most current data that government generates, In the odds are that it will fall victim to what nags the existing federal Open Data policy. We have Two departments with overlapping or interdependent functions will continue to use.

User Rank: Apprentice
4/20/2017 | 8:21:24 AM
Re: So great!
Thin, I knew there were Mac viruses. But I thought it was really very little. That worries me a little.
User Rank: Moderator
4/19/2017 | 10:34:13 AM
Re: Mac malware removal
Where are those people who claimed that there are no viruses for Mac? I guess the only reason they had "no viruses" was that Windows was rather more popular than Mac OS X through the decades. No users = no interest for cybercrooks to create Mac viruses. Now we've got a rising Mac OS, so here is your portion of malware.
User Rank: Apprentice
4/15/2017 | 3:02:16 AM
So great!
I enjoyed reading your blog post. Your blog has nice information; I got good ideas from this amazing blog. I am always searching for this type of blog post. I hope I will see it again.
