The Paradox of Cyberthreats

As environments become progressively interconnected, threats become increasingly complicated. The top security events of the past year make this apparent — and their repercussions make the implementation of smart protections all the more important.

The past year saw massive ransomware outbreaks turn into global events that reportedly cost enterprises billions of dollars. We also saw familiar threats like business email compromise (BEC) continue to be a consistent danger for enterprises. Meanwhile, volatile cryptocurrencies disrupted the threat landscape as their value steeply and quickly rose. To function in this environment, cybercriminals reworked old techniques to take advantage of the crypto-trends and also tried to exploit known vulnerabilities in new ways.

Ransomware brings about bigger global outbreaks despite fewer major players

Ransomware brings about bigger global outbreaks despite fewer major players

The number of new ransomware families rose 32 percent from 2016 to 327, showing that there were still active ransomware developers trying to take advantage of a plateauing trend. However, the ransomware-related threats detected by the Trend Micro™ Smart Protection Network™ security infrastructure went in the opposite direction and dipped 41 percent. Apparently, only a select few of these new families actually made an impact in 2017.

More ransomware families emerged in 2017: Comparison of total number of new ransomware families seen
2016 New Families
2017 New Families

Fewer major players despite increase in new ransomware families: Comparison of total number of detected ransomware-related threats
2016 Ransomware-related threats
2017 Ransomware-related threats

But the ransomware events that did affect users were significantly larger. These widespread attacks struck multiple countries and reportedly resulted in billions of U.S. dollars in damage. In addition to WannaCry and Petya, the two most notorious, there was the more recent case of Bad Rabbit: In October, the ransomware hit a number of enterprises across Russia, Eastern Europe and the U.S.

This was a marked difference from 2016, in which more ransomware incidents were reported, but the scale of the damage was typically contained to local offices and the ransom demanded was just in the tens of thousands of dollars.

Prevailing ransomware families: Top ransomware families in 2017 remaining from 2016

Ransomware remains a clear and steady threat as many old families still affect users worldwide. Meanwhile, the more recent virulent outbreaks show that the new families are growing more sophisticated and hitting larger targets. Developers are constantly experimenting, trying to find profitable strategies. In 2017, they used diverse new methods; for example, more had been using fileless infection and pre-execution machine learning evasion techniques in addition to taking advantage of old vulnerabilities.

Effective ransomware typically abuses known exploits and techniques. Enterprises should then be diligent and employ proper patching policies, while securing their systems with multilayered solutions.

Adaptable threats exploit known vulnerabilities in new ways

Adaptable threats exploit known vulnerabilities in new ways

Several critical and controversial vulnerabilities were exploited by cybercriminals and used for major ransomware campaigns. Most notably, these included the known ones that were taken advantage of by the EternalBlue and EternalRomance exploits. The former was used in the WannaCry and Petya outbreaks, and the latter was used also in the Petya attacks and later in the Bad Rabbit incident.

Known vulnerabilities were exploited as well for purposes other than spreading ransomware. EternalBlue was also used by a cryptominer malware to spread filelessly. And the Linux vulnerability Dirty COW was used by ZNIU to compromise specific Android devices.


A marked increase in zero-day vulnerabilities: Comparison of number of zero-day vulnerabilities and SCADA-related zero-day vulnerabilities between 2016 and 2017

2017 also saw a substantial 98-percent increase in discovered zero-day vulnerabilities. Moreover, of the 119 zero-day vulnerabilities, all but six were related to supervisory control and data acquisition (SCADA). This increased focus on SCADA is particularly significant since major industrial complexes and critical infrastructures rely on this control system architecture to function. If exploited, zero-day vulnerabilities could result in huge losses and damage.

Amid growing awareness of the threat, BEC scams are still on the rise

Amid growing awareness of the threat,BEC scams are still on the rise

Past cases have emphasized the risk BEC scams pose to all types of enterprises, from large multinationals to small businesses. But despite the increasing awareness, BEC scams still prevailed and grew in 2017. One incident, which cost a Japanese transportation company a reported US$3.4 million, happened just in December. This particular scam centered on a popular technique called the supplier swindle: impersonating a third-party supplier and manipulating the company into transferring funds. In another incident reported in July, a number of organizations in Germany received fake memos from “executives” that asked accounting personnel to send funds to fraudulent accounts.

Our data shows a steep rise of about 106 percent in attempts from the first half of 2017 to the second half. Consistent with previous years, the most targeted positions were finance-related: chief financial officer (CFO), finance controller, finance manager and finance director. The most spoofed were high-level executives: chief executive officer (CEO), managing director and president.

Recorded BEC Attempts in 2017


BEC attempts more than doubled in the second half of the year over the first half: Comparison of BEC attempts between 1H and 2H of 2017

Cryptocurrency’s meteoric ascent inspires new mining malware and other threats

Cryptocurrency’s meteoric ascent inspires new mining malware and other threats

The value of cryptocurrency, particularly bitcoin, skyrocketed in the latter half of 2017. In the beginning of July, 1 bitcoin was valued at around US$2,500, and by Dec. 31, it was valued at over US$13,800. That steep and quick increase apparently prompted cybercriminals to target cryptocurrency through different methods. Some used social engineering attacks to directly target cryptocurrency wallets, while others evolved old ransomware threats to do the same. There were even attempts to mine cryptocurrency through mobile malware, despite the improbability of gaining any substantial amount by that means.

Some businesses had tried to capitalize on cryptocurrency by using mining software as alternatives to web advertising, but cybercriminals were also quick to take advantage. In mid-2017, cybercriminals started abusing the most popular of the open-source mining tools, Coinhive. By November, an abused variant of the Coinhive miner ranked as the sixth most common malware in the world, even though it was intended to be a legitimate alternative method of making money for websites.

These are particularly relevant threats since businesses are starting to use cryptocurrency and even launch their own; governments, including those of Venezuela and Dubai, United Arab Emirates, are also establishing their own cryptocurrencies. Security solutions with high-fidelity machine learning, web reputation services, behavior monitoring and application control could help minimize the impact of these threats.

Threat Landscape

The Trend Micro™ Smart Protection Network™ security infrastructure blocked more than 66 billion threats in 2017. Over 85 percent of these threats were emails that contained malicious content — emails have consistently been the most popular entry point for cybercriminals to reach users.

Threat Landscape

The Trend Micro™ Smart Protection Network™ security infrastructure blocked more than 66 billion threats in 2017. Over 85 percent of these threats were emails that contained malicious content — emails have consistently been the most popular entry point for cybercriminals to reach users.

Overall threats blocked


1H 2016
1H 2017
2H 2016
2H 2017

Fewer threats blocked in 2017 than in 2016: Overall threats blocked by the Trend Micro Smart Protection Network infrastructure, 2016 vs. 2017

By comparison, over 81 billion threats were blocked in 2016. We believe that the drop in the number of threats can be attributed to a shift from “spray and pray” methods to a more targeted approach to attacks.

A variation in vulnerability count direction: Comparison of number of vulnerabilities found per vendor between 2016 and 2017

Event Number of Events
Cryptocurrency mining 45,630,097
TELNET default password login 30,116,181
MS17-010 SMB 12,164,033
Brute-force login 3,695,143
ICMP BlackNurse 1,792,854
Others 16,701,211

Cryptocurrency mining and TELNET events outnumbered others: Network events in 2017 based on data from the Trend Micro™ Smart Home Network solution

Year Data breaches disclosed Affected records
2016 813 3,310,435,941
2017 553 4,923,053,245

Fewer disclosures, greater number of affected records: Comparison of the number of data breaches disclosed and the number of affected records between 2016 and 2017

* Note: Yahoo’s data breach disclosure reported in October 2017 is reflected in the number of affected records for 2017. The figures are computed based on data from Privacy Rights Clearinghouse.

Other significant security stories of 2017 are included in our roundup, where we give details on how cybercriminals abused networked internet-of-things (IoT) devices and how big companies were hit by massive data breaches. Read our annual security roundup report and learn what’s new in the threat landscape and the security strategies you can employ against current and emerging threats.



Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.