Perimeter

12/21/2017
12:00 PM
50%
50%

Fileless Malware Attacks Hit Milestone in 2017

Non-malware attacks account for the majority of all attacks this year, and ransomware grows to a $5 billion industry, new data shows.

Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year, beating out malware-based attacks for the first time, according to Carbon Black's 2017 Threat Report.

"Attackers will use whatever is the cheapest and most effective method," says Rick McElroy, security strategist for Carbon Black, explaining the shift to fileless malware from malware-based attacks.

Fileless malware attacks, also known as non-malware attacks, allow cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users' systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.

Fileless attacks have been around since 2014, and surged last year as attackers became enamored with in-memory attacks and sought to perfect their malicious craft. That trend continued this year, with a 6.8% growth in monthly fileless attacks targeting Carbon Black's protected endpoints.

All types of attacks – both malware-based and fileless - grew 13% per month overall this year, according to the report.

Kryptik, Strictor, Nemucod, Emotet, and Skeeyah were the five top malware families this year, according to the report. And the top three industries hit this year by malware authors included finance, healthcare, and retail.

Ransomware 

Ransomware soared to a $5 billion industry this year, Cybersecurity Ventures reports. And that is up from $850 million in the previous year, according to Carbon Black's report.

"Both the volume of attacks and amount per attack were up," McElroy says. "But it was also the crazy value of Bitcoin that increased it to $5 billion."

Cybercriminals often demand ransom payments in Bitcoin, which has seen a sharp rise in value this year. According to CoinDesk, a single Bitcoin now carries a value of approximately $16,000, compared to January when it was $1,000 per coin.

Ransomware authors targeted the technology industry, followed by the government and non-profit sector, and legal industry, according to the report. The top five ransomware families in 2017 included Spora, Cryptxxx/Exxroute, Locky, Cerber, and Genasom.

In the future, Carbon Black expects the trend toward targeted ransomware attacks to increase. That feeling is shared by a growing number of research firms. Earlier this year, a handful of targeted attacks emerged that focused on specific industries, geographies, or company size, as cybercriminals seek a better return on investment, security experts says.

Cybercriminals are expanding beyond ransomware "spray and pray" attacks delivered by spam. Patrick Wheeler, director of threat intelligence for Proofpoint, says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Anton Ivanov, lead malware analyst with Kaspersky Lab, says ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.

Carbon Black's McElroy says ransomware authors are also expected to increasingly focus on Linux systems, because that is the operating system used by a large percentage of enterprises. In addition, ransomware authors will also be able to increase their mobile reach, McElroy adds.

The Android operating system found in a large percentage of smartphones and tablets across the globe uses a flavor of Linux, McElroy notes.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
alphaa10
50%
50%
alphaa10,
User Rank: Strategist
1/23/2018 | 4:46:58 AM
Windows Broken
If we held a contest to see which lemming would be first to leap from a cliff, we can rest assured all would leap at the opportunity. If Windows users find the analogy distasteful, they did not read the memo, years ago, from a Microsoft executive who said, "Windows is just not designed for security."

Of course, it is easy to understand, none thinks his own Windows installation will be hit, and most act as though they simply do not care-- at least, until they do meet disaster.

But how remarkable that after at least 20 years of security crises of major and growing proportions with Windows, high-profile, relatively high-value Windows installations continue as a preferred target for any attacker.

 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...