TRENDING
Ransomware resurgence features
code innovations and new
campaign tactics
Raj Samani,
McAfee fellow and
Chief Scientist
McAfee Advanced Threat Research (ATR)
observed innovations in ransomware
campaigns, with shifts in initial access
vectors, campaign management and
technical innovations in the code.
While spearphishing remained popular,
ransomware attacks increasingly targeted
exposed remote access points, such as
Remote Desktop Protocol (RDP); these
credentials can be cracked through a brute-
force attack or bought on the cybercriminal
underground. RDP credentials can be used
to gain admin privileges, granting full rights
to distribute and execute malware on
corporate networks.
McAfee researchers also observed actors
behind ransomware attacks using anonymous
email services to manage their campaigns
versus the traditional approach of setting up
command-and-control (C2) servers.
Authorities and private partners often hunt
for C2 servers to obtain decryption keys and
create evasion tools. Thus, the use of email
services is perceived by threat actors to be
a more anonymous method of conducting
criminal business.
The most active ransomware families of the
quarter appeared to be Dharma (also known
as Crysis), GandCrab and Ryuk.
Other notable ransomware families of the
quarter include Anatova, which was exposed
by McAfee Advanced Threat Research before
it had the opportunity to spread broadly,
and Scarab, a persistent and prevalent
ransomware family with regularly discovered
new variants. Overall, new ransomware
samples increased 118%.
“After a periodic decrease in new families
and developments at the end of 2018, the
first quarter of 2019 was game on again
for ransomware, with code innovations and
a new, much more targeted approach,”
said Christiaan Beek, McAfee Lead Scientist
and Senior Principal Engineer. “Paying
ransoms supports cybercriminal businesses
and perpetuates attacks. There are other
options available to victims of ransomware.
Decryption tools and campaign information
24
INTELLIGENTCIO
“
RDP CREDENTIALS
CAN BE USED
TO GAIN ADMIN
PRIVILEGES,
GRANTING
FULL RIGHTS
TO DISTRIBUTE
AND EXECUTE
MALWARE ON
CORPORATE
NETWORKS.
are available through tools such as the No
More Ransom project.”
Q1 2019 Threats activity
Attack vectors. Malware led disclosed
attack vectors, followed by account hijacking
and targeted attacks.
Cryptomining. New coin mining malware
increased 29%. McAfee ATR observed
CookieMiner malware targeting Apple
users, attempting to obtain bitcoin wallets
credentials. As a by-product, the malware also
gained access to passwords and browsing
data. Total coin mining malware samples
grew 414% over the past four quarters.
Fileless malware. New JavaScript malware
declined 13%, while total malware grew
62% over the past four quarters. New
PowerShell malware increased 460% due to
the use of downloader scripts. Total malware
grew 76% over the past four quarters.
IoT. Cybercriminals continued to leverage
lax security in IoT devices. New malware
samples increased 10%; total IoT malware
grew 154% over the past four quarters.
Malware overall. New malware samples
increased by 35%. New Mac OS malware
samples declined by 33%.
Mobile malware. New mobile malware
samples decreased 15%, total malware
grew 29% over the past four quarters.
Security incidents. McAfee Labs counted
412 publicly disclosed security incidents, an
www.intelligentcio.com