Cybersecurity threats to watch out for

The Internet can be a hostile environment. The threat of a cyberattack is omnipresent: new vulnerabilities are disclosed and a suite of tools to exploit them follows. As a result, the pressure on organizations (and their employees) to protect customer data and defend against attacks keeps increasing. But beyond firewalls and antivirus software, how can we expect businesses, especially small ones with limited budgets and security skills, to stay on top of constantly evolving threats?

About the Author: Tyler Moffitt, Security Analyst, Webroot.

As our nastiest malware 2019 list points out, cyberattacks are getting more advanced and harder to detect. From ransomware strains to cryptomining campaigns and phishing, cybercriminals are making better use of the stolen personal information available to them to create more convincing and targeted attacks. Ultimately, that means doing nothing is no longer an option. It is time for organizations to mobilize and learn to recognize the potential threats and implications of these attack tactics. That starts with understanding the nastiest threats facing businesses today.

Botnets: massive disruption

Botnets continued to dominate the infection attack chain in 2019. No other type of malware was responsible for delivering more ransomware and cryptomining payloads. Emotet, the most widespread malware of 2018, retained that notorious distinction in 2019. Although briefly shut down in June, Emotet returned from the dead in September and remains the largest botnet to date, delivering a variety of malicious payloads. Trickbot partnered with banking Trojan groups such as IcedID and Ursnif in 2019. Its modular infrastructure makes it a serious threat to any network it infects and, combined with Ryuk ransomware, it formed one of the most devastating targeted attacks of 2019. Dridex was once one of the most prominent banking Trojans. It now acts as an implant in the infection chain for BitPaymer ransomware and is enjoying alarming success.

The triple threat of Emotet, Trickbot and Ryuk

Ransomware has been around for almost a decade, and it is no surprise that it remains a favorite of cybercriminals. Ransomware continues to be a huge threat, and last year it adopted a more targeted model. Small and medium enterprises (SMEs) are easy prey and make up the majority of its victims. One of the most threatening developments in ransomware is the "triple threat" attack involving Emotet, Trickbot, and Ryuk. In terms of financial damage, this is probably the most successful chain of 2019. With more targeted reconnaissance, the operators now assign a value to each network after infection and extort it accordingly once the ransomware is deployed. Among other ransomware families, GandCrab is one of the most successful examples of ransomware-as-a-service (RaaS) to date, with revenue exceeding €2 billion. Crysis (aka Dharma), meanwhile, makes its second consecutive appearance on our nastiest malware list. This ransomware was actively distributed during the first half of 2019, with almost all of the infections we observed delivered via an RDP compromise.

Custom phishing

This year, the complexity and credibility of malicious email-based campaigns have increased dramatically. Phishing has become increasingly personalized, and extortion emails have begun claiming to have recorded embarrassing behavior, using compromised passwords to make the claim believable. BEC (Business Email Compromise) attacks also increased in 2019. Employees responsible for sending payments or purchasing gift cards were targeted from fraudulent email accounts that spoofed the identity of business executives or family members. Victims are often tricked into handing over wire transfers, identifying information, gift cards, and more. What many employees don't realize is that the biggest security problem in the office is often one of their colleagues, not a hacker in a remote location. A lack of best practices, such as poor domain management, being reactive rather than proactive, reusing and sharing passwords, and a lack of multi-factor authentication, means bad actors can already phish their way in.

Cryptomining and Cryptojacking

Cryptojacking (also called malicious cryptomining) is an emerging online threat that hides on a computer or mobile device and uses the machine's resources to "mine" forms of online money called cryptocurrencies. It is a threat that can take over web browsers and compromise all types of devices, from desktop computers to laptops, smartphones, and even network servers. According to Webroot's research, these attacks rise and fall with cryptocurrency prices and market capitalization. The biggest cryptojacking campaign this year was the "Retadup" attack and the most innovative was "Hidden Bee". Hidden Bee's tactics rely on a complex, multi-layered internal structure that is unusual among cybercrime toolkits, making it an interesting addition to the threat landscape. It first appeared last year using IE exploits and has since moved to payloads hidden inside JPEG and PNG images via steganography, as well as WAV media files and Flash exploits. Analysis is made harder by the fact that the URLs and encryption keys are never reused and only work for a single session. Retadup, a cryptomining worm, first appeared last year and was taken down in August by the French National Gendarmerie's cybercrime unit (C3N) after it took control of the malware's command and control server. It stealthily uses the computer's processor to mine cryptocurrency, which generates money for its operators. It is also capable of executing other types of malware, such as ransomware, and is usually distributed via file attachments, file-sharing networks, and links to malicious websites. At its peak, Retadup was present on over 800,000 machines simultaneously.

Address critical security vulnerabilities

These nasty threats underscore, more than ever, the need for a comprehensive approach to endpoint security that can track diverse and complex attack patterns. Attackers may reuse the same malware varieties, but they make better use of available stolen personal information to build more personalized threats. Organizations should therefore take a layered approach to security and not underestimate the value of consistent security training as they work to improve their cyber resilience and protection. After all, a company that practices good risk management not only protects its reputation, intellectual property, and data, but also gives its customers the assurance that makes it attractive to do business with.