Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/21/2017
12:00 PM
50%
50%

Fileless Malware Attacks Hit Milestone in 2017

Non-malware attacks account for the majority of all attacks this year, and ransomware grows to a $5 billion industry, new data shows.

Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year, beating out malware-based attacks for the first time, according to Carbon Black's 2017 Threat Report.

"Attackers will use whatever is the cheapest and most effective method," says Rick McElroy, security strategist for Carbon Black, explaining the shift to fileless malware from malware-based attacks.

Fileless malware attacks, also known as non-malware attacks, allow cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users' systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications.

Fileless attacks have been around since 2014, and surged last year as attackers became enamored with in-memory attacks and sought to perfect their malicious craft. That trend continued this year, with a 6.8% growth in monthly fileless attacks targeting Carbon Black's protected endpoints.

All types of attacks – both malware-based and fileless - grew 13% per month overall this year, according to the report.

Kryptik, Strictor, Nemucod, Emotet, and Skeeyah were the five top malware families this year, according to the report. And the top three industries hit this year by malware authors included finance, healthcare, and retail.

Ransomware 

Ransomware soared to a $5 billion industry this year, Cybersecurity Ventures reports. And that is up from $850 million in the previous year, according to Carbon Black's report.

"Both the volume of attacks and amount per attack were up," McElroy says. "But it was also the crazy value of Bitcoin that increased it to $5 billion."

Cybercriminals often demand ransom payments in Bitcoin, which has seen a sharp rise in value this year. According to CoinDesk, a single Bitcoin now carries a value of approximately $16,000, compared to January when it was $1,000 per coin.

Ransomware authors targeted the technology industry, followed by the government and non-profit sector, and legal industry, according to the report. The top five ransomware families in 2017 included Spora, Cryptxxx/Exxroute, Locky, Cerber, and Genasom.

In the future, Carbon Black expects the trend toward targeted ransomware attacks to increase. That feeling is shared by a growing number of research firms. Earlier this year, a handful of targeted attacks emerged that focused on specific industries, geographies, or company size, as cybercriminals seek a better return on investment, security experts says.

Cybercriminals are expanding beyond ransomware "spray and pray" attacks delivered by spam. Patrick Wheeler, director of threat intelligence for Proofpoint, says spray and pray campaigns were designed to infect as many machines as possible with the expectation that a certain percentage of the victims would pay the ransom.

Anton Ivanov, lead malware analyst with Kaspersky Lab, says ransomware will mostly involve targeted campaigns in the future because attackers know they can get more money with this method.

Financial organizations, higher-education institutions, and healthcare, manufacturing, and technology companies, are some of the industries that have been hit this year with targeted ransomware campaigns.

Carbon Black's McElroy says ransomware authors are also expected to increasingly focus on Linux systems, because that is the operating system used by a large percentage of enterprises. In addition, ransomware authors will also be able to increase their mobile reach, McElroy adds.

The Android operating system found in a large percentage of smartphones and tablets across the globe uses a flavor of Linux, McElroy notes.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
alphaa10
50%
50%
alphaa10,
User Rank: Strategist
1/23/2018 | 4:46:58 AM
Windows Broken
If we held a contest to see which lemming would be first to leap from a cliff, we can rest assured all would leap at the opportunity. If Windows users find the analogy distasteful, they did not read the memo, years ago, from a Microsoft executive who said, "Windows is just not designed for security."

Of course, it is easy to understand, none thinks his own Windows installation will be hit, and most act as though they simply do not care-- at least, until they do meet disaster.

But how remarkable that after at least 20 years of security crises of major and growing proportions with Windows, high-profile, relatively high-value Windows installations continue as a preferred target for any attacker.

 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16695
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
CVE-2018-21018
PUBLISHED: 2019-09-22
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2019-16692
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
CVE-2019-16693
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.