Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/9/2018
03:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ransomware Up for Businesses, Down for Consumers in Q1

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

Cybercriminals go where the money is, and these days the money is in cryptomining. Researchers detected a 28% increase in cryptomining malware among enterprise victims in the first quarter of 2018, during which "virtually all other malware was on the decline."

The data comes from Malwarebytes' Cybercrime Tactics and Techniques: Q1 2018 report, which pulls intel and statistics from consumer and business products between January and March 2018. Cryptomining, ransomware, and spyware were the biggest threats to business targets.

Attackers also capitalized on the public disclosure of the Meltdown and Spectre vulnerabilities, which prompted software and hardware vendors to issue patches to mitigate the threat. Cybercriminals are taking advantage of the issue and using it as a scare tactic for social engineering scams.

Scamming extended to cryptominers as well, with criminals creating fake support numbers for Coinbase users. By using poisoned search results, they redirect victims to a scam call center and steal their credentials. It's one of many ways crypto was the most prominent theme of Q1 2018.

Mining for Money

"The biggest thing going on is cryptomining is all over the place," says Adam Kujawa, head of malware intelligence at Malwarebytes. "In December it jumped up. Once the Bitcoin price reached 19,000, around that time we saw our biggest spike in detections of cryptominers of all types."

Cryptomining malware is increasingly lucrative for cybercriminals as digital currencies become more valuable. Malicious cryptomining affects all platforms, devices, operating systems, and browsers, and attackers are maximizing their reach by delivering miners via malspam campaigns, exploits, malicious APKs, and supply chain attacks. Beyond Bitcoin, they're going after alternate currencies including Monero, ByteCoin, and AEON.

"It seems like there's a lot more utilization of the user as a resource for the criminal rather than as a victim," says Kujawa. Instead of stealing data or credentials and trying to extort money, attackers are installing miners so their targets generate currencies for them.

While desktop-based cryptomining attacks are more popular, mobile devices are also targeted. Researchers noticed nearly 40 times more detections of Android miners, which were up 4,000%. On Macs, they saw nearly 1,000 detections of malware-based miners, browser extensions, and cryptomining apps in Q1, and 74% of those detections happened in March.

Malicious cryptomining appears less dangerous than ransomware but should not be underestimated, says Kujawa, pointing out the drain on computing resources. If not managed properly, miners could disrupt business or critical infrastructure operations by overloading systems until they become unresponsive. He anticipates miners will become more advanced.

"If cryptominers continue to be as profitable and interesting for cybercriminals as they have been, we're going to see the development of some very dangerous miners," he predicts, adding "they'll make a lot less noise, in my opinion."

"If you have a stealthy miner, one that hides and only uses a small percentage of processing power, that can hang out for a long time."

Ransomware, Spyware Try to Compete

Spyware, which dipped toward the end of last quarter, increased 56% during Q1 2018. Researchers saw more than 80,000 detections on enterprise endpoints, quadruple the amount seen in November 2017. Researchers attribute the spike to a campaign delivering Emotet spyware. Shortly after the spike, spyware began to drop again toward the end of the first quarter.

Ransomware dropped 35% among consumers but continued to be a problem for businesses, where detections are up but overall attack volume remains low. "It seems like there's been more and more activity pushing ransomware to businesses, where I believe the return on investment is worth it," says Kujawa.

The ROI for hitting consumers with ransomware is comparatively lower. After ransomware made major headlines in 2017, people had greater access to information on how to defend against attacks and back up their data. They aren't quite as likely to pay their attackers for its return; as a result, broad ransomware attacks aren't as lucrative.

"Attacks on businesses, that's where the money really comes from," he says. "Businesses don't have the option to say, 'I can go without those pictures.' They have to protect customer data."

There are fewer opportunities for ransomware distribution as major families are replaced by new threats. Major families Cerber, Locky, and Jaff have vanished, researchers report. Notable campaigns from Q1 include GandCrab, Scarabey, and Hermes. GandCrab, a new ransomware threat, generated more than $600,000 for attackers in January and February.

"Ransomware won't return to its former glory," Kujawa predicts. "But I don't think it's ever going to vanish completely."

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15488
PUBLISHED: 2020-09-30
Re:Desk 2.3 allows insecure file upload.
CVE-2020-15849
PUBLISHED: 2020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for a...
CVE-2020-14375
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated ...
CVE-2020-14376
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
CVE-2020-14377
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attack...