SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
2017’s threat landscape report shows ransomware epidemic
Thu, 30th Nov 2017
FYI, this story is more than a year old

2017 is rapidly drawing to a close with Christmas just around the corner – and what a year it has been for cybercriminals.

Bitdefender recently released its Global Threat Landscape Report for 2017, that delves into what has been an incredible year with some of the most high-profile and defining moments for some time.

The cybersecurity heavyweight is constantly monitoring its global network of more than 500 million sensors and honeypots for emerging threats or low-key cyberattacks that try to fly under security products' radar.

The report is built off this aggregated data that the company asserts enables it to paint an accurate picture of what is happening in the industry.

BitDefender says these next-gen targeted attacks are reshaping the corporate and government security landscape in addition to fall-out in the consumer space as commercial cybercriminals adopt leaked exploits and advanced lateral movement technologies into their own payloads.

Ransomware emerged as the most frequently encountered threat (again) with the number of new major ransomware families (with dozens or even hundreds of variations per family) in 2017 surpassing 160.

The most prolific ransomware strain is Troldesh / Crysis, with hundreds of sub-variants seen to date. GlobeImposter, another extremely prolific ransomware family, competes head-to-head with Troldesh in the number of released sub-variants.

“The commercial malware ecosystem is intensely focused on developing and planting ransomware,” the report states.

“Our stats show that one in six spam e-mail messages comes bundled with some form of ransomware (link to drive-by download sites, attachments rigged with ransomware or even JavaScript/VBS downloaders for ransomware).

According to Bitdefender, this year also saw the reemergence of Qbot (also known as Brresmon or Emotet) which has been around for years as a multi-purpose, network-aware worm with back door capabilities.

Its new incarnation has a significant redesign of the command and control infrastructure with a cloud-based polymorphic engine that allows it to take a virtually unlimited number of forms to avoid AV detection.

Furthermore, ransomware that is specifically targeted at companies is now a ‘thing' with organisations facing extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Ransomware like Troldesh and GlobeImposter are now equipped with lateral movement tools to enable them to infect the organisation and log clean-up mechanisms to cover their tracks.

“Crypto-currency miners have taken multiple shapes and approaches in 2017,” the report states.

“Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allegedly originating from the NSA, to infect computers in organizations and increase mining efforts.

Bitdefender says one of the main drivers of this category is the Monero miner Adylkuzz, which appeared in early May around the same time as WannaCry. The report states another notable development is cybercriminals' move to integrate mining code in compromised websites to reach a broader audience and increase the mining yield.

Looking ahead, Bitdefender says the developments of this year will continue in the new year.

“After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers,” the report states.

“Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities.

Bitdefender expects the threat landscape to remain faithful to the malware with the best pay day – ransomware, banker Trojans and digital currency minors, but these threats will undergo major changes in the way they perform.