Ransomware down, but not out, report reveals

The decline of ransomware in the first half of the year and the rise of alternative threats in its place has been confirmed by the latest attack landscape report by security firm F-Secure.

The report is based on monitored activity for the first six months of the year on F-Secure’s honeypot decoy servers, which are set up to attract the interest of attackers, and the malware and social engineering trends the firm’s researchers have seen over the same time period. 

Ransomware, which rose to prominence in 2016 and reigned as a top threat, declined in numbers throughout the second half of 2017, but the report warns that despite this reduction in volume, it remains a potent threat and precautions must still be taken against it.

Several factors can account for this decline, the report said, including the fact that targeted companies are no longer as willing to pay ransoms due to a higher level of awareness about the threat and how to take precautionary measure against it.

While campaigns such as the No More Ransom project have served to educate the public, the ransomware industry was harmed with the NotPetya and WannaCry outbreaks, during which victims who paid the ransom did not actually receive their promised files back. This damaged the reputation many ransomware criminals had worked hard to build up, the report said.

Another reason for ransomware’s retreat, the report said, is that anti-malware technologies are effectively blocking bulk and commoditised threats, with attackers resorting to various ways of avoiding detection.

But the shift away from ransomware means something else moves in to take its place, the report said, and in the first six months of the year, this was cryptojacking, which is the unauthorised use of a victim’s machine to mine cryptocurrency .

Cryptomining scripts can now be found moving laterally across corporate networks using exploits such as EternalBlue combined with credential-grabbing techniques in Mimikatz, the report warns.

Other key findings of the report include that the internet of things (IoT) continues to be a source of interest for attackers looking for bots to recruit into their ranks, the report notes, as evidenced by the most common malware seen in F-Secure’s honeypots: a Linux Trojan, PNScan, which infects poorly secured Linux IoT devices and routers.

The top banking threat over the period, the report said, was Trickbot, which appeared in 2016 and has continued to add new features to its capabilities. Its target list, which includes more than 400 banks, names major banks in the US and Europe.

Known to use EternalBlue to infect unpatched Windows systems, Trickbot then uses Mimikatz to grab credentials to spread to patched systems. At one point over the period, the report said Trickbot also incorporated the coin mining module XMRig as a backup revenue source.

The report highlights that spam saw a resurgence in the first half of the year, with email messages booby-trapped with malicious URLs and attachments being the top infection method.

F-Secure analysis shows that 31% of spam email featured links to malicious websites, 23% contained malicious attachments and 85% of malware attachments were one of five file types: 7Z, DOC, PDF, XLS, or ZIP, and most were infostealers, remote access Trojans (RATs) and banking Trojans.

The remaining 46% of spam was mostly dating scams, which feature an email address where the recipient can contact a supposedly single and available individual, which then leads to varying ways of profiting such as getting the victim to register to a paid dating site.

The resurgence of spam can be attributed to improved security of systems against software exploits and vulnerabilities. “With the declining success rates of other vectors, criminals are reduced to sending spam, constantly redeveloping its characteristics and content to find new angles to hook people,” the report said.

As system security and user awareness improve and seriously flawed software becomes less common, the report said cyber attackers are likely to adapt and adjust their tactics to continue to gain victims, the report concludes.