Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/29/2019
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

McAfee Report Uncovers Ransomware Resurgence

McAfee Labs sees 504 new threats per minute in Q1 2019; data breaches facilitate attacks on large organizations; majority of targeted attacks bet on victims' unwitting compliance.

SANTA CLARA, Calif.--(BUSINESS WIRE)--McAfee, the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: August 2019 examining cybercriminal activity and the evolution of cyber threats in Q1 2019. McAfee Labs saw an average of 504 new threats per minute in Q1 and a resurgence of ransomware along with changes in campaign execution and code. More than 2.2 billion stolen account credentials were made available on the cybercriminal underground over the course of the quarter. Sixty-eight percent of targeted attacks utilized spearphishing for initial access, 77% relied upon user actions for campaign execution.

“The impact of these threats is very real,” said Raj Samani, McAfee fellow and chief scientist. “It’s important to recognize that the numbers, highlighting increases or decreases of certain types of attacks, only tell a fraction of the story. Every infection is another business dealing with outages, or a consumer facing major fraud. We must not forget for every cyberattack, there is a human cost.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Ransomware Resurgence Features Code Innovations and New Campaign Tactics

McAfee Advanced Threat Research (ATR) observed innovations in ransomware campaigns, with shifts in initial access vectors, campaign management and technical innovations in the code.

While spearphishing remained popular, ransomware attacks increasingly targeted exposed remote access points, such as Remote Desktop Protocol (RDP); these credentials can be cracked through a brute-force attack or bought on the cybercriminal underground. RDP credentials can be used to gain admin privileges, granting full rights to distribute and execute malware on corporate networks.

McAfee researchers also observed actors behind ransomware attacks using anonymous email services to manage their campaigns versus the traditional approach of setting up command-and-control (C2) servers. Authorities and private partners often hunt for C2 servers to obtain decryption keys and create evasion tools. Thus, the use of email services is perceived by threat actors to be a more anonymous method of conducting criminal business.

The most active ransomware families of the quarter appeared to be Dharma (also known as Crysis), GandCrab and Ryuk. Other notable ransomware families of the quarter include Anatova, which was exposed by McAfee Advanced Threat Research before it had the opportunity to spread broadly, and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants. Overall, new ransomware samples increased 118%.

“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christiaan Beek, McAfee lead scientist and senior principal engineer. “Paying ransoms supports cybercriminal businesses and perpetuates attacks. There are other options available to victims of ransomware. Decryption tools and campaign information are available through tools such as the No More Ransom project.”

Q1 2019 Threats Activity

Attack vectors. Malware led disclosed attack vectors, followed by account hijacking and targeted attacks.

Cryptomining. New coin mining malware increased 29%. McAfee ATR observed CookieMiner malware targeting Apple users, attempting to obtain bitcoin wallets credentials. As a byproduct, the malware also gained access to passwords and browsing data. Total coin mining malware samples grew 414% over the past four quarters.

Fileless malware. New JavaScript malware declined 13%, while total malware grew 62% over the past four quarters. New PowerShell malware increased 460% due to the use of downloader scripts. Total malware grew 76% over the past four quarters.

IoT. Cybercriminals continued to leverage lax security in IoT devices. New malware samples increased 10%; total IoT malware grew 154% over the past four quarters.

Malware overall. New malware samples increased by 35%. New Mac OS malware samples declined by 33%.

Mobile malware. New mobile malware samples decreased 15%, total malware grew 29% over the past four quarters.

Security incidents. McAfee Labs counted 412 publicly disclosed security incidents, an increase of 20% from Q4. Thirty-two percent of all publicly disclosed security incidents took place in the Americas, followed by 13% in Europe and 13% in Asia-Pacific.

Regional Targets. Disclosed incidents targeting the Asia-Pacific region increased 126%, Americas declined nearly 3% and Europe decreased nearly 2%.

Vertical industry activity. Disclosed incidents impacting individuals spiked 78%, education sector increased 50%, healthcare increased 18%, public sector decreased 10%, and financial sector increased 89%.

Targeted attacks. McAfee identified a high number of campaigns that effectively minimized the data reconnaissance required to successfully execute attacks. Actors primarily focused on large organizations in the Government/Administration sector, followed by Finance, Chemical, Defense, and Education sectors.

Initial access was gained by spearphishing in 68% of attacks and 77% relied upon specific user actions for attack execution.

Underground. More than 2.2 billion stolen account credentials were made available on the cybercriminal underground over the course of the quarter. The largest dark market, Dream Market, announced its plan to close, citing a large number of distributed denial of service (DDoS) attacks. Law enforcement successfully seized and closed operations of xDedic, one of the largest RDP shops reportedly selling access to approximately 70,000 hacked machines.

Resources:

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. www.mcafee.com

About McAfee Labs and Advanced Threat Research

McAfee Labs and McAfee Advanced Threat Research are a leading source for threat research, threat intelligence, and cybersecurity thought leadership. With data from over a billion sensors across key threats vectors—file, web, message, and network— McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

McAfee® and the McAfee logo are trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others.

Contacts

Taylor Dunton 
McAfee 
[email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Security Pros Value Disclosure ... Sometimes
Dark Reading Staff 9/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I wish they'd put a sock in it.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16691
PUBLISHED: 2019-09-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-16707
PUBLISHED: 2019-09-23
Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.
CVE-2019-16708
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-16709
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16710
PUBLISHED: 2019-09-23
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.