Also, CoinMiner malware increased 117% in one cybersecurity firm’s telemetry, but declined by 13% in North America: study
The first quarter of 2021 saw cyber adversaries shift from low-return, mass-spread ransomware campaigns toward fewer, customized Ransomware-as-a-Service (RaaS) campaigns targeting larger, more lucrative organizations, according to cybersecurity firm McAfee’s telemetry.
A proliferation in 64-bit CoinMiner applications drove the growth of cryptocurrency-generating coin mining malware by 117%. Additionally, a surge in the growth of new Mirai-based malware variants drove increases in malware targeting Internet of Things (55%) and Linux (38%) systems.
According to Raj Samani, McAfee Fellow and Chief Scientist: “Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk. We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see Ransomware-as-a-Service (RaaS) supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”
Summary of Q1 report
In the period of study, ransomware declined by 50% due in part to a shift by attackers from broad campaigns attacking many targets with the same samples, to campaigns attacking fewer, larger targets with unique samples. Also:
- Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously ‘noisy’ in that hundreds of thousands of systems will, in time, begin to recognize and block these attacks. By allowing attackers to launch unique attacks, RaaS affiliate networks are allowing adversaries to minimize the risk of detection by large organizations’ cyber defenses and then paralyze and extort them for large ransomware payments. This shift was reflected in the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021 in the study.
- Despite high profile attacks from the DarkSide RaaS group exposed in Q2 2021, REvil was the most detected in the Q1 metrics, followed by the RansomeXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.
- While prominent ransomware attacks have focused attention on how criminals use ransomware to monetize their crimes with payments in cryptocurrency, a first-quarter 117% surge in the spread of cryptocurrency-generating coin mining malware can be attributed to a sharp spike in 64-bit CoinMiner applications in the period of study. Rather than locking up victims’ systems and holding them hostage until cryptocurrency payments are made, CoinMiner malware infects compromised systems and silently produces cryptocurrency using those systems’ computing capacity for the criminals that designed and launched such campaigns.
- In Q1 2021, the volume of new malware threats in the McAfee telemetry averaged 688 threats per minute, an increase of 40 threats per minute over Q4 2020.
- A variety of new Mirai malware variants drove increases in the Internet of Things (IoT) and Linux malware categories in Q1. The Moobot family (a Mirai variant) was observed to be mass-spread and accounted for multiple Mirai variants. These variants all exploit vulnerabilities in IoT devices like DVRs, webcams and internet routers. Once a device is exploited, the malware is hidden on the system, downloads later stages of the malware and connects with the command-and-control server (C2). When the compromised IoT devices are connected to the botnet, they can be commandeered to participate in DDoS attacks.
- McAfee’s systems tracked a 54% increase in publicly reported cyber incidents targeting the technology sector during the period of study. The Education and Financial/Insurance sectors followed with 46% and 41% increases respectively, whereas reported incidents in Wholesale/Retail and Public Sector declined by 76% and 39% respectively in the demographic under study.
Incidents in the study demographics surged 54% in Asia and 43% in Europe, but declined 13% in North America. While reported incidents actually declined 14% in the United States, these incidents grew 84% in France and 19% in the United Kingdom.