Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report.
The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year.
Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million.
Trojans made up half of all new malicious files analyzed. Researchers point to banking malware and malicious programs for ATMs and point-of-sale terminals, as a threat to watch. This year, Kaspersky tools blocked attempts to deploy one or more money-stealing programs on 830,135 devices.
While sophisticated APT groups are largley focused on corporate data theft, Kaspersky Lab researchers say the bulk of cybercrime is focused on financial theft. "Cybercriminals do this in any way they can," researchers say, as indicated by phishing campaigns centered around sporting events and holidays.
The spike in backdoors and ransomware incidate cybercriminals are showing interest in all the different ways they can attack users and make money at their expense, they explain. "This involves both the reuse of already existing efficient malware, as well as the development of new malware."
Of the 10 malware families most frequently deployed against banking users, the Zbot Trojan was the most common at 26.3% of attacks, and the Nymaim Trojan took second place with 19.8% of infections, followed by the SpyEye backdoor at 14.7%. Overall, seven of the top 10 banking malware families were Trojans and three were classified as backdoor, researchers found.
Crypto-ransomware proved a consistent threat as researchers observed 39,842 modifications of encryptors and 11 new families. Detections hit a high point in November 2017, when they hit 15,462 for the month. More than 220,000 corporate users and 27,000 small and midsize business users were hit with encryptors. September 2018 was the most active month, with 132,047 instances seen.
WannaCry was the most widespread ransomware family, at 29.3% of infections, followed by a "generic verdict" — the term researchers used for new and unknown samples — at 11.4%. Gandcrab ransomware fell in third place at 6.67%, followed by Cryakl (4.59%) and PolyRansom/Virlock (2.86%) in fourth and fifth place, respectively.
Most-Targeted Applications and Systems
This year will be remembered for the large number of targeted attacks leveraging zero-day exploits, researchers say.
Notable incidents included CVE-2018-4878 and CVE-2018-5002, which exploited Adobe Flash at the end of its life cycle. Acrobat Reader bug CVE-2018-4990 was abused for the first time in a long time. We also saw vulnerabilities in Windows script engine VBSscript: CVE-2018-8174 and CVE-2018-8373, and several flaws in the win32k.sys driver used by cybercriminals to escalate privileges in Windows and bypass a sandbox (CVE-2018-8120, CVE-2018-8453, CVE-2018-8589).
That said, the researchers have noticed attacks on certain popular tools decrease.
"As in the previous year, the share of users attacked by exploits for vulnerabilities in Adobe Flash Player and Internet Explorer has decreased, even though some new zero-day publicly exploited vulnerabilities have been found in both products," researchers point out. Further, the share of exploits for Android fell 9 percentage points to 18%, a sign that security is improving.
However, they add, there was a "significant increase" in the number of people attacked with Microsoft exploits — four times the average in 2017. This drove the share of Office exploits from 17.6% to 55%, driven by mass spam email campaigns spreading malicious documents with exploits for the CVE-2017-11882 and CVE-2018-0802 vulnerabilities.
"Exploits for these vulnerabilities have gained popularity among cybercriminals due to their stability and ease of use — all that's required to create an exploit is to modify the exploit builder script published on a public resource," they explain in the report.
Researchers anticipate attackers will continue to use Office documents as they've proven a reliable attack vector over the past couple of years. While other enterprise applications are popular, they're typically used in different scenarios. Cybercriminals prefer to use them in more targeted attacks.
As they ready themselves for 2019, Kaspersky Lab researchers advise organizations to audit their systems and determine how data is stored and handled, how an attacker could compromise their systems, and which actions could mitigate the effects of an attack.
"This includes deploying appropriate technology at all layers across the company, developing an incident response plan, and ensuring that they implement an ongoing staff awareness program," they explain. "So often, people are the means by which corporate systems are compromised."