Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/25/2018
02:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ransomware Detections Up 90% for Businesses in 2017

Last year, cybercriminals shifted from consumer to enterprise targets and leveraged ransomware as their weapon of choice.

Ransomware became the fifth-most-common threat for businesses in 2017 as detections increased by 90% from the previous year. Attacks also hit consumers hard, reaching a 93% detection rate year-over-year, reports Malwarebytes.

The company today released its "2017 State of Malware Report," which highlights trends based on telemetry data collected from products between January and November 2016, and January and November 2017. Analysts also pulled data from the company's threat-facing honeypots in 2017 and combined this with their own observations and analysis.

"2016 was the year of ransomware for consumers," says Malwarebytes CEO Marcin Kleczynski in an interview with Dark Reading. "2017 was the year of ransomware for businesses."

Malwarebytes' findings support a growing body of research highlighting the 2017 ransomware spike. The Online Trust Alliance (OTA) states attacks targeting businesses nearly doubled from 82,000 in 2016 to 159,000 last year. Ransomware attacks hit 134,000 in 2017 — double the 2016 count — and were the primary driver for the overall growth in cybercrime.

In its "2017 Global Threat Intelligence Report," NTT Security found 77% of all detected ransomware was in four industries: business and professional services (28%), government (19%), healthcare (15%), and retail (15%). Ransomware-related incidents were the most common, at 22%, and made up half of all attacks targeting the healthcare industry.

Malwarebytes researchers also noticed criminals got creative with delivery methods. Leaked government exploits — such as EternalBlue, used in WannaCry — in addition to compromised update processes and increased geo-targeting were used to evade detection.

Development of exploit kits hit a standstill last year. Analysts didn't detect any new zero-day exploits used by any exploit kits in the wild. It's a "significant change" from previous years, in which exploits were the primary method of infection. Cybercriminals are instead focusing on evading detection and integrating multiple exploits into Microsoft Office documents.

Attackers started leveraging cryptocurrency mining for financial gain and using victims' system resources to mine currencies. Tactics include compromised websites serving up drive-by mining code, miners delivered via malicious spam and exploit kit drops, and adware bundlers pushing miners.

Looking Ahead
Ransomware may have been hot in 2017, but, as all trends do, it has started to fade as businesses have smartened up and learned how to protect themselves. "You're seeing less and less returns, as a criminal," says Kleczynski of the ransomware slowdown. "It's now hard to find and infect a company that really gets impacted by ransomware like the [the UK's National Health Service] did."

Cybercriminals are pivoting toward banking Trojans, spyware, and hijackers to attack enterprise targets and spy, move throughout their networks, and steal data, including login credentials, contact lists, and credit card data. Banking Trojans were up 102% in the second half of 2017.

"The strategy of cybercriminals continues to shift," notes Kleczynski, adding that hijackers were up 40% overall last year. Spyware detections increased 30%, researchers found.

Looking toward the year ahead, he anticipates the largest incident in 2018 will be on the same level as the Mirai botnet that brought down major websites in October 2016. Mirai was "scratching the surface" on the number of unprotected IoT devices, he says.

"The biggest threat this year, in my opinion, is another Mirai-like attack," Kleczynski continues. "We'll see several this year that will take down major websites."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/25/2018 | 4:49:44 PM
What's the score? II
"Attackers started leveraging cryptocurrency mining for financial gain and using victims' system resources to mine currencies. Tactics include..."

You can add: disguising as ransomware. 

Cryptocurrency isn't the only means of processing a ransomware payoff; but the advantages are obvious.  Also obvious is that the proliferation of ransomware strains, attacks and attackers coincides with the emergence of cryptocurrencies. 

That a successful RW attack requires the same sort of unauthorized requisition of the victim's computing device's resources, as would enable cryptocurrency mining, is obvious, as well. 

In both cases, the characteristics and availability of cryptocurrency provide an unprecedented opportunity for cybercriminals. 

When you tally the costs of cybercrimes, where cryptocurrency provides a game-changing level of means, motive and opportunity, don't stop at the costs in RW payouts, or any of the costs to businesses which might be covered by insurance, but by the cost of that insurance - and all the other costs in money, resources, talent and attention that have increased as a result. 

Draw up a society-wide balance sheet, put the costs on one side, and the benefits of cryptocurrency on the other.  Then ask: What's the score?
AnupG220
50%
50%
AnupG220,
User Rank: Author
1/28/2018 | 8:40:53 PM
Stockpiling BItcoin for ransomware attacks
Funny how we all used to shake our colletive heads at the companies that would stockpile bitcoin in case they got hit with a ransomware attack. Now it looks like they made a smart investment if they were stockpiling for some time. Hopefully they didn't need to pay up!
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...