Introduction
ISTR March 2018
Executive Summary
From the sudden spread of WannaCry and
Petya/NotPetya, to the swift growth in
coinminers, 2017 provided us with another
reminder that digital security threats can come
from new and unexpected sources. With each
passing year, not only has the sheer volume of
threats increased, but the threat landscape
has become more diverse, with attackers
working harder to discover new avenues of
attack and cover their tracks while doing so.
Coin-mining attacks explode
Cyber criminals who have been firmly focused on
ransomware for revenue generation are now starting to
explore other opportunities. During the past year, the
astronomical rise in cryptocurrency values inspired many
cyber criminals to shift to coin mining as an alternative
revenue source. This coin mining gold rush resulted in an
8,500 percent increase in detections of coinminers on
endpoint computers in 2017.
With a low barrier to entry, requiring only a couple of lines
of code to operate, cyber criminals are using coinminers
to steal computer processing power and cloud CPU usage
from consumers and enterprises to mine cryptocurrency.
While the immediate impact of coin mining is typically
performance related—slowing down devices, overheating
batteries and, in some cases, rendering devices
unusable—there are broader implications, particularly for
organizations. Corporate networks are at risk of shutdown
from coinminers aggressively propagated across their
environment. There may also be financial implications for
organizations that find themselves billed for cloud CPU
usage by coinminers.
As malicious coin mining evolves, IoT devices will continue
to be ripe targets for exploitation. Symantec™ already
found a 600 percent increase in overall IoT attacks in
2017, which means that cyber criminals could exploit the
connected nature of these devices to mine en masse.
Spike in software supply chain attacks
Despite the EternalBlue exploit wreaking havoc in 2017,
the reality is that vulnerabilities are becoming increasingly
difficult for attackers to identify and exploit. In response
to this, Symantec is now seeing an increase in attackers
injecting malware implants into the supply chain to
infiltrate unsuspecting organizations, with a 200 percent
increase in these attacks—one every month of 2017 as
compared to four attacks annually in years prior.
Hijacking software updates provides attackers with an
entry point for compromising well-protected targets, or
to target a specific region or sector. The Petya/NotPetya
(Ransom.Petya) outbreak was the most notable example:
after using Ukrainian accounting software as the point
of entry, Petya/NotPetya used a variety of methods to
spread across corporate networks to deploy the attackers’
malicious payload.
Ransomware business experiences market correction
When viewed as a business, it’s clear that ransomware
profitability in 2016 led to a crowded market with
overpriced ransom demands. In 2017, the ransomware
“market” made a correction with fewer ransomware
families and lower ransom demands—signaling that
ransomware has become a commodity. Many cyber
criminals may have shifted their focus to coin mining as
an alternative to cash in while cryptocurrency values are
high. Some online banking threats have also experienced
a renaissance as established ransomware groups have
attempted to diversify.
Last year, the average ransom demand dropped to $522,
less than half the average of the year prior. And while the
number of ransomware variants increased by 46 percent,
indicating the established criminal groups are still quite
productive, the number of ransomware families dropped,
suggesting they are innovating less and may have shifted
their focus to new, higher value targets.