SMBs Are Paying the Price of Cybercrime’s Evolution
Last year, 54% of companies experienced a successful attack that compromised their data or IT infrastructure. With malware evolving at a whirlwind pace, staying ahead of the threat landscape has never been more difficult. To further complicate things, in the first half of 2018 Barkly researchers noted several fundamental shifts in cybercrime tactics. These shifts have had major implications for the types of attacks criminals are launching, and we expect them to continue to influence attack campaigns throughout the rest of 2018.
Here are three of the biggest examples we’ve identified as part of our ongoing research into cybercrime and malware campaigns at Barkly.
- Criminals are giving up on ransomware.
Businesses that have spent the last two years prioritizing defensive efforts against ransomware may be surprised to learn that the majority of criminals have moved on to more silent and stealthy attacks that are very difficult to prevent. Once the most popular payload by far, ransomware infections have dropped significantly. In October 2018, ransomware ranked as the sixth-most prevalent payload, behind miners, banking Trojans, adware, backdoors and spyware.
Why the dramatic drop? There are a variety of factors at play, but the simplest answer is that, following an initial boom, many criminals flocked to ransomware as a way to get rich quick, only to discover not enough victims were willing or able to pay. That isn’t to say ransomware has gone away completely, but the attack campaigns that are still active tend to be more targeted on specific industries such as healthcare, education, and local government, or launched from an increasingly consolidated number of “ransomware-as-a-service” operators (more on those below).
What it means for small businesses:
Investing in backups may have helped turn the tide against ransomware by providing victims with an alternative to paying, but it didn’t do anything to address the underlying issue of businesses being easily compromised in the first place. Backups do not prevent attackers from stealing sensitive information or draining resources. Now that ransomware has been supplanted by banking trojans and miners, one of the big dangers is that small businesses with limited budgets may be assuming backups are an adequate stand-in for actual protection.
In addition, the switch to stealthier payloads means companies can no longer count on the malware to announce itself. Trojans, miners and backdoors are all designed to blend in with normal system activity and avoid detection for as long as possible, and that changes the job for IT and security professionals. Being able to quickly isolate and recover from an obvious attack is still necessary, but it is no longer sufficient; they also need the capability to detect and pre-emptively block evasive malicious activity that would otherwise go unnoticed.
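What "detecting evasive activity" looks like in practice is combining several weak signals rather than waiting for one loud one. The following is an added illustration written for this article, not Barkly's product code: a small scoring heuristic run over constructed endpoint telemetry. The record fields (pid, name, cmdline, cpu_pct, uptime_s, dst_ports), the stratum port list and the command-line markers are assumptions about what an endpoint agent might export and are a starting point to tune, not an authoritative indicator set.

```python
"""Heuristic triage of miner-like processes from endpoint telemetry.

Added example for this article, not Barkly's product code. The records below are
constructed; field names (pid, name, cmdline, cpu_pct, uptime_s, dst_ports) are
assumptions about what an endpoint agent might export, and the port list is a
starting point to tune, not an authoritative indicator set.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ProcessRecord:
    pid: int
    name: str            # image name as reported by the OS
    cmdline: str         # full command line
    cpu_pct: float       # average CPU over the observation window
    uptime_s: int        # how long the process has been alive, in seconds
    dst_ports: list[int] = field(default_factory=list)  # remote ports it connected to


# Ports commonly used by stratum mining pools (assumption: tune per environment).
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 14433}
# Command-line fragments typical of common miner binaries (xmrig-style options).
MINER_CMDLINE_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "--coin ", "-o pool.")


def miner_score(rec: ProcessRecord) -> tuple[int, list[str]]:
    """Return (score, reasons). Each signal is weak alone; the combination is what matters."""
    score, reasons = 0, []
    cmd = rec.cmdline.lower()
    if any(m in cmd for m in MINER_CMDLINE_MARKERS):
        score += 3
        reasons.append("miner-style command line")
    hit_ports = STRATUM_PORTS & set(rec.dst_ports)
    if hit_ports:
        score += 3
        reasons.append(f"connects to stratum-style port(s) {sorted(hit_ports)}")
    if rec.cpu_pct >= 80 and rec.uptime_s >= 3600:
        score += 2
        reasons.append("sustained high CPU for over an hour")
    return score, reasons


def find_suspects(records: list[ProcessRecord], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Processes scoring at or above threshold, most suspicious first."""
    hits = []
    for rec in records:
        score, reasons = miner_score(rec)
        if score >= threshold:
            hits.append((rec.pid, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample telemetry (not real observations).
SAMPLE = [
    ProcessRecord(1001, "chrome.exe", "chrome.exe --type=renderer", 35.0, 600, [443]),
    ProcessRecord(4242, "svchost.exe",  # miner masquerading as a system binary
                  "svchost.exe -o stratum+tcp://pool.example.net:3333 -u 4AB...wallet --donate-level=1",
                  95.0, 7200, [3333]),
    ProcessRecord(2002, "ffmpeg", "ffmpeg -i in.mkv -c:v libx264 out.mp4", 98.0, 5400, []),
    ProcessRecord(9001, "update.exe",  # throttled miner: low CPU, pool hidden in a config file
                  "update.exe --config c.json", 25.0, 86400, [14444]),
]

if __name__ == "__main__":
    for pid, score, reasons in find_suspects(SAMPLE):
        print(pid, score, "; ".join(reasons))
```

Two things the sample is built to show: a busy but legitimate encoder (ffmpeg) scores on CPU alone and stays below the threshold, while a miner that throttles its CPU to blend in is still caught by its outbound pool connection. Any single signal here produces false positives (developers do use port 4444), so in a real deployment the score should feed a triage queue or a blocking rule only after the thresholds have been tuned against the environment's own baseline.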
- Malware services are where the money is.
While other cybercriminals search for alternative ways to successfully monetize their attacks now that the ransomware well is drying up, some groups have pivoted their business models from taking money from victims to acting as a supplier to other criminals. Take, for example, Emotet. Formerly a stand-alone banking Trojan, it now operates primarily as a downloader for other banking trojans, and business is booming. According to researchers at Proofpoint, Emotet accounted for a third of all malicious payloads in the first quarter of 2018.
On the ransomware front, one of the most prevalent strains lately is GandCrab, a ransomware-as-a-service (RaaS) operation that allows criminals to create and customize their own variants in exchange for 30-40% of the profits.
What it means for small businesses:
As more criminals shift to providing malware service platforms, the ensuing competition is fueling an arms race. Providers of these services face ongoing pressure to add features and functionality while staying a step ahead of security solutions. GandCrab and its fellow RaaS operation DBGer are two prime examples. DBGer, formerly called Satan, has had its code and feature set continuously improved by its developers, who have added several lateral movement and self-propagation capabilities.
Rapid iteration is the name of the game for GandCrab and other operations like it, and that unfortunately means that small businesses are at risk of falling even further behind. IT leaders at small businesses need to stay informed and make sure their endpoint protection can keep pace by adapting alongside increasingly agile threats.
- Malware is increasingly modular.
These days it’s becoming increasingly rare for