The past year saw massive ransomware outbreaks turn into global events that reportedly cost enterprises billions of dollars. We also saw familiar threats like business email compromise (BEC) continue to be a consistent danger for enterprises. Meanwhile, volatile cryptocurrencies disrupted the threat landscape as their value steeply and quickly rose. To function in this environment, cybercriminals reworked old techniques to take advantage of the crypto-trends and also tried to exploit known vulnerabilities in new ways.
Ransomware brings about bigger global outbreaks despite fewer major players
The number of new ransomware families rose 32 percent from 2016 to 327, showing that there were still active ransomware developers trying to take advantage of a plateauing trend. However, the ransomware-related threats detected by the Trend Micro™ Smart Protection Network™ security infrastructure went in the opposite direction and dipped 41 percent. Apparently, only a select few of these new families actually made an impact in 2017.
But the ransomware events that did affect users were significantly larger. These widespread attacks struck multiple countries and reportedly resulted in billions of U.S. dollars in damage. In addition to WannaCry and Petya, the two most notorious, there was the more recent case of Bad Rabbit: In October, the ransomware hit a number of enterprises across Russia, Eastern Europe and the U.S.
This was a marked difference from 2016, in which more ransomware incidents were reported, but the scale of the damage was typically contained to local offices and the ransom demanded was just in the tens of thousands of dollars.
Ransomware remains a clear and steady threat as many old families still affect users worldwide. Meanwhile, the more recent virulent outbreaks show that the new families are growing more sophisticated and hitting larger targets. Developers are constantly experimenting, trying to find profitable strategies. In 2017, they used diverse new methods; for example, more had been using fileless infection and pre-execution machine learning evasion techniques in addition to taking advantage of old vulnerabilities.
Effective ransomware typically abuses known exploits and techniques. Enterprises should then be diligent and employ proper patching policies, while securing their systems with multilayered solutions.
Adaptable threats exploit known vulnerabilities in new ways
Several critical and controversial vulnerabilities were exploited by cybercriminals and used for major ransomware campaigns. Most notably, these included the known ones that were taken advantage of by the EternalBlue and EternalRomance exploits. The former was used in the WannaCry and Petya outbreaks, and the latter was used also in the Petya attacks and later in the Bad Rabbit incident.
Known vulnerabilities were exploited as well for purposes other than spreading ransomware. EternalBlue was also used by a cryptominer malware to spread filelessly. And the Linux vulnerability Dirty COW was used by ZNIU to compromise specific Android devices.
2017 also saw a substantial 98-percent increase in discovered zero-day vulnerabilities. Moreover, of the 119 zero-day vulnerabilities, all but six were related to supervisory control and data acquisition (SCADA). This increased focus on SCADA is particularly significant since major industrial complexes and critical infrastructures rely on this control system architecture to function. If exploited, zero-day vulnerabilities could result in huge losses and damage.
Amid growing awareness of the threat,BEC scams are still on the rise
Past cases have emphasized the risk BEC scams pose to all types of enterprises, from large multinationals to small businesses. But despite the increasing awareness, BEC scams still prevailed and grew in 2017. One incident, which cost a Japanese transportation company a reported US$3.4 million, happened just in December. This particular scam centered on a popular technique called the supplier swindle: impersonating a third-party supplier and manipulating the company into transferring funds. In another incident reported in July, a number of organizations in Germany received fake memos from “executives” that asked accounting personnel to send funds to fraudulent accounts.
Our data shows a steep rise of about 106 percent in attempts from the first half of 2017 to the second half. Consistent with previous years, the most targeted positions were finance-related: chief financial officer (CFO), finance controller, finance manager and finance director. The most spoofed were high-level executives: chief executive officer (CEO), managing director and president.
Cryptocurrency’s meteoric ascent inspires new mining malware and other threats
The value of cryptocurrency, particularly bitcoin, skyrocketed in the latter half of 2017. In the beginning of July, 1 bitcoin was valued at around US$2,500, and by Dec. 31, it was valued at over US$13,800. That steep and quick increase apparently prompted cybercriminals to target cryptocurrency through different methods. Some used social engineering attacks to directly target cryptocurrency wallets, while others evolved old ransomware threats to do the same. There were even attempts to mine cryptocurrency through mobile malware, despite the improbability of gaining any substantial amount by that means.
Some businesses had tried to capitalize on cryptocurrency by using mining software as alternatives to web advertising, but cybercriminals were also quick to take advantage. In mid-2017, cybercriminals started abusing the most popular of the open-source mining tools, Coinhive. By November, an abused variant of the Coinhive miner ranked as the sixth most common malware in the world, even though it was intended to be a legitimate alternative method of making money for websites.
These are particularly relevant threats since businesses are starting to use cryptocurrency and even launch their own; governments, including those of Venezuela and Dubai, United Arab Emirates, are also establishing their own cryptocurrencies. Security solutions with high-fidelity machine learning, web reputation services, behavior monitoring and application control could help minimize the impact of these threats.
The Trend Micro™ Smart Protection Network™ security infrastructure blocked more than 66 billion threats in 2017. Over 85 percent of these threats were emails that contained malicious content — emails have consistently been the most popular entry point for cybercriminals to reach users.
Overall threats blocked
By comparison, over 81 billion threats were blocked in 2016. We believe that the drop in the number of threats can be attributed to a shift from “spray and pray” methods to a more targeted approach to attacks.
|Event||Number of Events|
|TELNET default password login||30,116,181|
|Year||Data breaches disclosed||Affected records|
Other significant security stories of 2017 are included in our roundup, where we give details on how cybercriminals abused networked internet-of-things (IoT) devices and how big companies were hit by massive data breaches. Read our annual security roundup report and learn what’s new in the threat landscape and the security strategies you can employ against current and emerging threats.
DOWNLOAD FULL REPORT
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale