Ransomware samples grow 118 per cent; cybercriminals adopt new tactics and code innovations

McAfee, the device-to-cloud cybersecurity company, today released its McAfee Labs Threats Report: August 2019 examining cybercriminal activity and the evolution of cyber threats in Q1 2019. McAfee Labs saw an average of 504 new threats per minute in Q1 and a resurgence of ransomware along with changes in campaign execution and code. More than 2.2 billion stolen account credentials were made available on the cybercriminal underground over the course of the quarter. Sixty-eight per cent of targeted attacks utilized spearphishing for initial access, 77 per cent relied upon user actions for campaign execution.

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Ransomware Resurgence Features Code Innovations and New Campaign Tactics

McAfee Advanced Threat Research (ATR) observed innovations in ransomware campaigns, with shifts in initial access vectors, campaign management and technical innovations in the code.

While spearphishing remained popular, ransomware attacks increasingly targeted exposed remote access points, such as Remote Desktop Protocol (RDP); these credentials can be cracked through a brute-force attack or bought on the cybercriminal underground. RDP credentials can be used to gain admin privileges, granting full rights to distribute and execute the malware on corporate networks.

McAfee researchers also observed actors behind ransomware attacks using anonymous email services to manage their campaigns versus the traditional approach of setting up command-and-control (C2) servers. Authorities and private partners often hunt for C2 servers to obtain decryption keys and create evasion tools. Thus, the use of email services is perceived by threat actors to be a more anonymous method of conducting criminal business.

The most active ransomware families of the quarter appeared to be Dharma (also known as Crysis), GandCrab and Ryuk. Other notable ransomware families of the quarter include Anatova, which was exposed by McAfee Advanced Threat Research before it had the opportunity to spread broadly, and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants. Overall, new ransomware samples increased by 118 per cent.

Q1 2019 Threats Activity

Attack vectors: Malware led disclosed attack vectors, followed by account hijacking and targeted attacks.

Cryptomining: New coin mining malware increased by 29 per cent. McAfee ATR observed CookieMiner malware targeting Apple users, attempting to obtain bitcoin wallets credentials. As a byproduct, the malware also gained access to passwords and browsing data. Total coin mining malware samples grew 414 per cent over the past four quarters.

Fileless malware: New JavaScript malware declined 13 per cent, while total malware grew 62 per cent over the past four quarters. New PowerShell malware increased 460 per cent due to the use of downloader scripts. Total malware grew 76 per cent over the past four quarters.

IoT: Cybercriminals continued to leverage lax security in IoT devices. New malware samples increased 10 per cent; total IoT malware grew 154 per cent over the past four quarters.

Malware overall: New malware samples increased by 35 per cent. New Mac OS malware samples declined by 33 per cent.

Mobile malware: New mobile malware samples decreased 15 per cent, total malware grew 29 per cent over the past four quarters.

Security incidents: McAfee Labs counted 412 publicly disclosed security incidents, an increase of 20 per cent from Q4. Thirty-two per cent of all publicly disclosed security incidents took place in the Americas, followed by 13 per cent in Europe and 13 per cent in Asia-Pacific.

Regional Targets: Disclosed incidents targeting the Asia-Pacific region increased 126 per cent, the Americas declined by nearly 3 per cent and Europe decreased by nearly 2 per cent.

Vertical industry activity: Disclosed incidents impacting individuals spiked 78 per cent, education sector increased 50 per cent, healthcare increased 18 per cent, public sector decreased 10 per cent, and financial sector increased 89 per cent.

Targeted attacks: McAfee identified a high number of campaigns that effectively minimized the data reconnaissance required to successfully execute attacks. Actors primarily focused on large organizations in the Government/Administration sector, followed by Finance, Chemical, Defense, and Education sectors.

Initial access was gained by spearphishing in 68 per cent of attacks and 77 per cent relied upon specific user actions for attack execution.

Underground: More than 2.2 billion stolen account credentials were made available on the cybercriminal underground over the course of the quarter. The largest dark market, Dream Market, announced its plan to close, citing a large number of distributed denial of service (DDoS) attacks. Law enforcement successfully seized and closed operations of xDedic, one of the largest RDP shops reportedly selling access to approximately 70,000 hacked machines.