The 2019 State of Malware report from Malwarebytes is packed with statistics on when, where and what malware was detected through 2018. One trend and one fact stand out: consumer detections are decreasing while business infections are increasing; and there is a marked difference between western world threats and eastern threats.
The report compares the state of malware in 2018 to that of 2017 using intelligence compiled from researchers and data collected by honeypots, virtual sandboxes, and the company’s business and consumer product telemetry.
Over the last year, “Businesses became a greater target than consumers by a significant amount,” Adam Kujawa (director of Malwarebytes Labs) told SecurityWeek. “Based on our detections, the business side jumped up almost 80% from the previous year, while the consumer side dropped 3%.” The reason for this is that criminals will always go where the money is — and a perfect example can be seen in the evolution of ransomware through 2018.
Initial ransomware attacks were based on spray and pray spam campaigns and malvertising exploits. During 2018, however, this shotgun approach, according to the report, “was replaced with brute force, as witnessed in the most successful SamSam campaigns of the year.” The reason was that consumers became less likely to pay a ransom (through better understanding the risk, improved defenses, and the availability of decryptors from NoMoreRansom); while business was more likely to pay a higher ransom because of their need to maintain operations. “The chances of getting any significant return from spray and pray campaigns, or for a consumer to pay a ransom, is probably lower now than it has ever been,” added Kujawa.
Business-targeting ransomware attacks highlight another malware evolution of 2018: multi-mode attacks. This in turn is a response to attackers going where the money is. The big development in early 2018 was the rise of cryptomining malware, following the late 2017 boom in cryptocurrency values. In the latter half of 2018, these attacks tailed off. They haven’t disappeared, but are more likely now an option rather than a main driver.
But as this threat declined, a new one emerged: Emotet and Trickbot trojans. Kujawa doesn’t see a causal link between the two events, but nor does he think they are entirely coincidental. “I don’t think we would see this level of trojan infections if cryptomining was still worth it,” he said.
Emotet and Trickbot also highlight the switch in direction from consumer to business attacks. “Emotet and Trickbot have grown on the business side and declined on the consumer side,” he added, “to the extent that it is now one of the few major malware families that has more corporate than consumer real-estate.”
One of the reasons for this is the adoption of the Eternal exploits, and the inclusion of lateral movement in these new malware families.
“Emotet and Trickbot — basically banking trojans — are now also information stealers able to move laterally through a network. “Where the new exploits really thrive,” explained Kujawa, “is on corporate networks. Now, when you get something like Emotet getting a foothold on an endpoint — still being delivered by the same phishing email with a malicious Office document — it is able to drop Trickbot and other malware and start spreading through the network. Emotet was Malwarebytes’ number one trojan detection through the year, so it’s very popular.”
“Our Trojan detections were topped by the Emotet family, which can move laterally throughout corporate networks using exploits and credential brute forcing,” notes the report. “This same functionality is mirrored in other information stealing malware, such as TrickBot.”
Once an attacker gets a firm foothold in a network, he can choose which option is likely to make the most money: stealing data, or dropping a cryptominer or ransomware. Recent Ryuk ransomware attacks — such as those against the Onslow Water authority and the Tribune Publishing group started from Emotet infections.
Geographically, the areas experiencing the highest number of attacks in 2018 were the U.S.A, Indonesia and the UK. The U.S. is simply the most attractive and affluent target. Kujawa is not surprised that the UK also figures highly. While the population is not so high as other countries, the concentration of major international commercial companies within the UK make it an attractive target for cybercriminals targeting businesses.
Indonesia is included because of the large number of backdoor Vools attacks. This highlights one of the other major findings in Malwarebytes’ analysis: east and west suffer different threats. Emotet and Trickbot are western world problems — they do not occur so much in the east. Vools is an eastern problem, with little evidence in the west. Vools uses the same EternalBlue propagation method employed by WannaCry; and Shodan shows there are many severs still unpatched. Like elsewhere in the world, Vools largely delivered cryptominers in the first half of the year, but has become less virulent in the latter half.
Nevertheless, given the large number of servers still unpatched against the Eternal exploits in the east, Kujawa suspects there are many dormant and potential infections. “Since the infection vector is still available,” he commented, “it is interesting to see what they do next with all of the systems they have infected.”
A second regional difference is that exploit kits have diminished in the west but are prevalent in the east. “We don’t see a lot of EK activity in the west these days,” he told SecurityWeek, “because there aren’t so many exploits — there were a few new ones released earlier in the year, for Flash and IE, but for the most part EKs aren’t really a western problem anymore.” A failure to expeditiously patch systems in the east means that users remain as vulnerable to EKs as they are to the Eternal family.
“Our main threat in the west today,” added Kujawa, “is getting fooled by the social engineering phishing mails that deliver trojans such as Emotet.”
Santa Clara, Calif-based Malwarebytes — founded in 2008 by Bruce Harrison, Doug Swanson, Marcin Kleczynski and Marcus Chung — raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016; bringing the total venture funding raised by the firm to $80 million.