Global malware down but ransomware up, with UK hard hit

Despite a global decrease in the volume of malware in the past year, ransomware is surging once again, and the UK is one of the worst-hit countries, a report reveals

The first half of 2019 has seen a resurgence of ransomware, with the UK the worst-hit region, according to the latest threat report from security firm SonicWall.

Despite a 59% decline in ransomware in the UK in 2018, ransomware is up 195% in the first six months of 2019 compared with the same period a year ago, says the report, which is based on data from over a million security sensors in more than 200 countries.

Ransomware and other forms of cyber extortion are currently the most popular forms of cyber criminal activity in the UK, Rob Jones, director of threat leadership at the National Crime Agency (NCA), told Computer Weekly in a recent interview.

Global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The top exceptions were Germany (-71%), India (-62%) and the US (-21%).

SonicWall threat researchers attribute the global rise in ransomware to criminals’ new preference for the ransomware-as-a-service (RaaS) model and open source malware kits, which lower the barriers to entry, making malware more widely available to cyber criminals with little or no technical capability.

The top two RaaS families detected in the first half of 2019 were Cerber (39.5 million) and Gandcrab (4 million). The top open source ransomware by volume was HiddenTear (4 million) and CryptoJoker (2.4 million).

The increase in ransomware is among a few exceptions to a worldwide malware decrease of 20%, with some countries recording above-average falls, such as Germany (63%) and France (53%). The malware volume for the UK was down by 9%, while the US recorded a 17% decrease.

Some countries showed an increase, however, with the biggest rises in India (25%), Switzerland (72%) and the Netherlands (3%).

In addition to ransomware, the top threat types that showed an increase were encrypted threats, which saw a spike of 76% in the first half of the year, malware targeting internet of things (IoT) devices (up 55%) and cryptojacking malware, which was up 9% because of an upswing in the value of the bitcoin cryptocurrency.

As businesses and consumers continue to connect devices to the internet without proper security measures, IoT devices have been increasingly exploited by cyber criminals to distribute malware.

SonicWall recorded 13.5 million IoT malware attacks in the first half of the year – a 55% global year-to-date increase. In 2018, researchers recorded 32.7 million IoT attacks, which was a 217.5% increase on the 10.3 million IoT attacks recorded in 2017.

Other attack types on an upward trend in the first six months of 2019 were web app attacks, up 11% compared with the same period a year ago, and intrusion attempts, up 4%.

“Organisations continue to struggle to track the evolving patterns of cyber attacks,” said Bill Conner, president and CEO at SonicWall. “There is a shift to malware cocktails and evolving threat vectors, which makes it extremely difficult for them to defend themselves.

“In the first half of 2019, SonicWall Real-Time Deep Memory Inspection (RTDMI) technology unveiled 74,360 ‘never-before-seen’ malware variants. To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly changing attack strategies.”

The report also showed that attacks against non-standard ports remain a concern, with a quarter of malware attacks coming across non-standard ports in May 2019 alone.

Malicious PDFs and Microsoft Office files also remain dangerous to businesses, the report showed. In February and March 2019, SonicWall found that 51% of never-before-seen attacks came via PDFs and 47% via Office files.

Given their high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal, according to McAfee researchers commenting on the arrest of a man in the Netherlands in connection with the large-scale production and sale of malware toolkits.

“Every day, thousands of people receive emails with malicious attachments in their email inbox,” the researchers said. “Disguised as a missed payment or an invoice, a cyber criminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine.”

To take advantage of this demand and generate revenue, some criminals create off-the-shelf toolkits for building malicious Office documents, the researchers said. These toolkits are mostly offered for sale on underground cyber criminal forums.
