Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year, beating out malware-based attacks for the first time, according to Carbon Black's 2017 Threat Report.
"Attackers will use whatever is the cheapest and most effective method," says Rick McElroy, security strategist for Carbon Black, explaining the shift to fileless malware from malware-based attacks.
Fileless malware attacks, also known as non-malware attacks, allow cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users' systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.
Fileless attacks have been around since 2014, and surged last year as attackers became enamored with in-memory attacks and sought to perfect their malicious craft. That trend continued this year, with a 6.8% growth in monthly fileless attacks targeting Carbon Black's protected endpoints.
All types of attacks – both malware-based and fileless - grew 13% per month overall this year, according to the report.
Kryptik, Strictor, Nemucod, Emotet, and Skeeyah were the five top malware families this year, according to the report. And the top three industries hit this year by malware authors included finance, healthcare, and retail.
Ransomware soared to a $5 billion industry this year, Cybersecurity Ventures reports. And that is up from $850 million in the previous year, according to Carbon Black's report.
"Both the volume of attacks and amount per attack were up," McElroy says. "But it was also the crazy value of Bitcoin that increased it to $5 billion."
Cybercriminals often demand ransom payments in Bitcoin, which has seen a sharp rise in value this year. According to CoinDesk, a single Bitcoin now carries a value of approximately $16,000, compared to January when it was $1,000 per coin.
Ransomware authors targeted the technology industry, followed by the government and non-profit sector, and legal industry, according to the report. The top five ransomware families in 2017 included Spora, Cryptxxx/Exxroute, Locky, Cerber, and Genasom.
In the future, Carbon Black expects the trend toward targeted ransomware attacks to increase. That feeling is shared by a growing number of research firms. Earlier this year, a handful of targeted attacks emerged that focused on specific industries, geographies, or company size, as cybercriminals seek a better return on investment, security experts says.
Cybercriminals are expanding beyond ransomware "spray and pray" attacks delivered by spam. Patrick Wheeler, director of threat intelligence for Proofpoint, says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.
Anton Ivanov, lead malware analyst with Kaspersky Lab, says ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method.
Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.
Carbon Black's McElroy says ransomware authors are also expected to increasingly focus on Linux systems, because that is the operating system used by a large percentage of enterprises. In addition, ransomware authors will also be able to increase their mobile reach, McElroy adds.
The Android operating system found in a large percentage of smartphones and tablets across the globe uses a flavor of Linux, McElroy notes.