Ransomware Loses Its Cool Factor
Less than a year ago, ransomware was the top payload of choice for attackers looking to earn Bitcoin. During the first half of 2017, if your company suffered a malware infection, it was more likely to be ransomware than anything else. At the peak of the ransomware boom in June 2017, researchers at Malwarebytes reported 7 out of every 10 malware payloads were ransomware.
Then something interesting happened... ransomware usage plummeted.
In July 2017, the ratio of ransomware dropped to less than 30 percent of all malware payloads. By December, the ratio had fallen below 5 percent.
[Figure: Ransomware use plummets in the second half of 2017. Source: Malwarebytes]
Barkly Protects, Inc. reports several factors that explain the dramatic decline:
- Awareness of ransomware reached a tipping point. By the time the WannaCry outbreak hit in May 2017, infecting hundreds of thousands of computers all over the world, ransomware had been steadily growing as a top security concern for years. But WannaCry brought that awareness to another level and highlighted just how urgent the threat had become. The mainstream attention it generated fueled renewed interest and addressing ransomware quickly became the #1 IT security priority.
- Few victims are actually paying ransoms. When WannaCry hit, much of the media attention focused on how quickly and how far it was spreading. But one overlooked stat was how much money the attackers behind the ransomware actually received — $143,000. That's not a bad sum for a single attack, but when you take into account that this was the biggest ransomware outbreak of all time, that's a fairly low chunk of change. And it's extremely telling of ransomware's biggest problem these days — victims simply aren't likely to pay.
- The unpredictability of the cryptocurrency market. In order to pull off a successful ransomware heist, the stars really have to align for attackers. Not only do they have to infect a victim who doesn't have reliable backups, the victim also has to have quick and easy access to cryptocurrency, be willing to put their trust in a criminal, and pay them upfront. Attackers also have to make reasonable ransom demands, which means keeping a finger on the pulse of the ever-changing price of cryptocurrency, especially during boom and bust periods. Otherwise, a good day for cryptocurrency markets can result in victims being priced out, while a bad day can dramatically decrease profits.
As a result, ransomware has become more trouble than it's worth for many attackers, especially now that there are easier, sneakier ways of making money.
- Cryptocurrency-mining malware is a sneakier, more effective alternative to ransomware. Cryptocurrency-mining malware refers to software programs and malware components developed to take over a computer's resources and use them for cryptocurrency mining without the user's explicit permission. Why bother trying to extort victims when you can hijack their computers' CPU power to mine cryptocurrency directly, without them knowing? That's the question attackers have been asking themselves lately, and the majority have switched to dropping cryptomining malware as a result.
Cryptomining Malware Takes Center Stage
Rather than hitting businesses upfront with ransomware, attackers are going back to distributing malware carefully designed to slip through the cracks. This shift fundamentally changes the nature of attacks and how businesses should protect themselves from them.
Attackers have used cryptomining malware numerous times in just the first few months of 2018:
- January 5: Python-based PyCryptoMiner botnet infects Linux-based systems
- January 10: Attacker attempts to infect 30% of the world's networks with "RubyMiner"
- January 11: Attackers make $226,000 installing Monero-mining malware on Oracle WebLogic servers
- January 31: Smominru botnet uses over 500,000 infected computers to generate more than $3 million in Monero
- February 2: New Mac cryptominer distributed via MacUpdate hack
- February 5: "Wormable" cryptomining malware dubbed ADB.Miner targets Android devices
- February 7: Sophisticated data-stealing, cryptomining malware campaign hits U.S. and Asia
- February 8: Tennessee hospital hit with cryptomining malware
- February 12: 4,000 government and other organization websites hacked to mine cryptocurrency
- February 13: Zero-day vulnerability in Telegram messenger app exploited to install cryptomining malware
- February 13: Cryptomining scripts found in 19 Google Play apps
- February 15: Massive cryptomining operation exploits Jenkins servers, makes $3 million mining Monero
- February 20: Hackers infiltrate Tesla, drop cryptominers
- March 10: Hackers target 400,000 computers with mining malware
In addition to adding cryptomining scripts to malicious or compromised websites, cryptominer payloads have also taken the place of ransomware payloads in a variety of malware campaigns. They're increasingly found in spam emails and exploit kits, and other applications such as Facebook Messenger are being exploited to spread them as well.
Cryptomining malware is more likely to persist on infected machines or websites because it often goes either unnoticed or tolerated by users, who find a performance hit more acceptable than dealing with the immediate problem brought on by a ransomware attack.
What the Rise in Cryptomining Malware Means for IT Security in 2018
The move from ransomware to cryptomining malware represents a significant shift in priorities for attackers. While ransomware's goal is to inflict damage, cryptomining malware's goal is to evade detection and run in the background for as long as possible.
Businesses need to adapt their security efforts accordingly, and make sure they're properly equipped to address infections that aren't as blatant as ransomware — infections that are instead becoming increasingly stealthy.
How do you fight an infection you may not even know you have? The best answer is preventing it in the first place. Partnering with a reliable MSP that will keep your endpoints protected drastically decreases the threat of cryptomining malware making its way onto your machines.
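The article's point is that a cryptominer hides behind a performance impact users tolerate, so detection has to look for long-running background load rather than visible damage. The following is an added illustration, not code from the article or from Barkly or Apogee: a small endpoint heuristic that flags a process only when sustained CPU usage coincides with outbound traffic that looks like a Stratum mining-pool login (the JSON-RPC protocol most pool miners speak). Process names, pids, addresses and payloads are constructed sample telemetry.

```python
import json
from collections import defaultdict

# Constructed per-minute samples (minute, pid, process name, cpu %): a hidden
# miner at ~70% CPU for 40 minutes beside a short compiler job and a browser.
CPU_SAMPLES = (
    [(m, 4242, "svchost_helper.exe", 72.0) for m in range(0, 40)]
    + [(m, 5151, "cl.exe", 95.0) for m in range(10, 18)]
    + [(m, 6060, "firefox.exe", 12.0) for m in range(0, 40)]
)
# Constructed first-payload captures for outbound connections: (pid, dst, bytes).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real pools.
NET_SAMPLES = [
    (4242, "203.0.113.10:3333",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"w","pass":"x"}}'),
    (6060, "198.51.100.7:443", "\x16\x03\x01"),  # TLS handshake, not JSON
    (5151, "192.0.2.5:443", '{"id":1,"method":"status"}'),  # JSON, not Stratum
]

# Method names used by Stratum v1 and the Monero pool variant; a first message
# carrying one of these is a strong pool-protocol indicator.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit"}

def stratum_pids(net_samples):
    """Return pids whose first outbound payload is a Stratum-style JSON-RPC call."""
    hits = set()
    for pid, _dst, payload in net_samples:
        try:
            msg = json.loads(payload)
        except ValueError:  # binary or non-JSON traffic (e.g. TLS) is skipped
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            hits.add(pid)
    return hits

def sustained_cpu_pids(cpu_samples, threshold=50.0, min_minutes=30):
    """Return pids that stayed at or above `threshold` % CPU in >= `min_minutes` samples."""
    busy = defaultdict(int)
    for _minute, pid, _name, cpu in cpu_samples:
        if cpu >= threshold:
            busy[pid] += 1
    return {pid for pid, n in busy.items() if n >= min_minutes}

def suspected_miners(cpu_samples, net_samples):
    """Flag processes showing both signals; either one alone is noisy (builds, video)."""
    names = {pid: name for _m, pid, name, _c in cpu_samples}
    both = sustained_cpu_pids(cpu_samples) & stratum_pids(net_samples)
    return sorted((pid, names.get(pid, "?")) for pid in both)

if __name__ == "__main__":
    for pid, name in suspected_miners(CPU_SAMPLES, NET_SAMPLES):
        print(f"suspected miner: pid={pid} name={name}")
```

The short-lived compiler job is busy but brief and the browser is long-lived but idle, so only the process that is both sustained and talking to a pool is reported.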
To learn about how Apogee can keep your business protected, contact us today.
Source: Barkly Protects, Inc.