Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

4/9/2018
03:35 PM
Ransomware Up for Businesses, Down for Consumers in Q1

Ransomware, spyware, and cryptomining were the biggest enterprise threats during an otherwise quiet quarter for malware, researchers report.

Cybercriminals go where the money is, and these days the money is in cryptomining. Researchers detected a 28% increase in cryptomining malware among enterprise victims in the first quarter of 2018, during which "virtually all other malware was on the decline."

The data comes from Malwarebytes' Cybercrime Tactics and Techniques: Q1 2018 report, which pulls intel and statistics from consumer and business products between January and March 2018. Cryptomining, ransomware, and spyware were the biggest threats to business targets.

Attackers also capitalized on the public disclosure of the Meltdown and Spectre vulnerabilities, which prompted software and hardware vendors to issue patches to mitigate the threat. Cybercriminals are taking advantage of the issue and using it as a scare tactic for social engineering scams.

Scamming extended to cryptominers as well, with criminals creating fake support numbers for Coinbase users. By using poisoned search results, they redirect victims to a scam call center and steal their credentials. It's one of many ways crypto was the most prominent theme of Q1 2018.

Mining for Money

"The biggest thing going on is cryptomining is all over the place," says Adam Kujawa, head of malware intelligence at Malwarebytes. "In December it jumped up. Once the Bitcoin price reached 19,000, around that time we saw our biggest spike in detections of cryptominers of all types."

Cryptomining malware is increasingly lucrative for cybercriminals as digital currencies become more valuable. Malicious cryptomining affects all platforms, devices, operating systems, and browsers, and attackers are maximizing their reach by delivering miners via malspam campaigns, exploits, malicious APKs, and supply chain attacks. Beyond Bitcoin, they're going after alternate currencies including Monero, ByteCoin, and AEON.

"It seems like there's a lot more utilization of the user as a resource for the criminal rather than as a victim," says Kujawa. Instead of stealing data or credentials and trying to extort money, attackers are installing miners so their targets generate currencies for them.

While desktop-based cryptomining attacks are more popular, mobile devices are also targeted. Researchers noticed nearly 40 times more detections of Android miners, which were up 4,000%. On Macs, they saw nearly 1,000 detections of malware-based miners, browser extensions, and cryptomining apps in Q1, and 74% of those detections happened in March.

Malicious cryptomining appears less dangerous than ransomware but should not be underestimated, says Kujawa, pointing out the drain on computing resources. If not managed properly, miners could disrupt business or critical infrastructure operations by overloading systems until they become unresponsive. He anticipates miners will become more advanced.

"If cryptominers continue to be as profitable and interesting for cybercriminals as they have been, we're going to see the development of some very dangerous miners," he predicts, adding "they'll make a lot less noise, in my opinion."

"If you have a stealthy miner, one that hides and only uses a small percentage of processing power, that can hang out for a long time."

Ransomware, Spyware Try to Compete

Spyware, which dipped toward the end of last quarter, increased 56% during Q1 2018. Researchers saw more than 80,000 detections on enterprise endpoints, quadruple the amount seen in November 2017. Researchers attribute the spike to a campaign delivering Emotet spyware. Shortly after the spike, spyware began to drop again toward the end of the first quarter.

Ransomware dropped 35% among consumers but continued to be a problem for businesses, where detections are up but overall attack volume remains low. "It seems like there's been more and more activity pushing ransomware to businesses, where I believe the return on investment is worth it," says Kujawa.

The ROI for hitting consumers with ransomware is comparatively lower. After ransomware made major headlines in 2017, people had greater access to information on how to defend against attacks and back up their data. They aren't quite as likely to pay their attackers for the return of that data; as a result, broad ransomware attacks aren't as lucrative.

"Attacks on businesses, that's where the money really comes from," he says. "Businesses don't have the option to say, 'I can go without those pictures.' They have to protect customer data."

There are fewer opportunities for ransomware distribution as major families are replaced by new threats. Major families Cerber, Locky, and Jaff have vanished, researchers report. Notable campaigns from Q1 include GandCrab, Scarabey, and Hermes. GandCrab, a new ransomware threat, generated more than $600,000 for attackers in January and February.

"Ransomware won't return to its former glory," Kujawa predicts. "But I don't think it's ever going to vanish completely."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...