2019 STATE OF MALWARE

Executive summary

Enterprises, beware. Threat actors are continuing to eye businesses for high returns on investment in Q1 2019, breaching infrastructure, exfiltrating or holding data hostage, and abusing weak credentials for continued, targeted monitoring. From a steadfast increase of pervasive Trojans, such as Emotet, to a resurgence of ransomware lodged against corporate targets, cybercriminals are going after organizations with a vengeance.

Yet every cloud has a silver lining, and for all the additional effort thrown at businesses, consumer threats are now on the decline. Ransomware against consumers has slowed down to a trickle and cryptomining, at a fever pitch against consumers this time last year, has all but died. Interestingly, this has resulted in an overall decline in the volume of malware detections from Q4 2018 to Q1 2019.

While threat actors made themselves busy with challenging new victims, they ensnared targets in the old ways, using tried-and-true malspam and social engineering tactics for distribution, including spear phishing emails and sextortion scams. However, a few noteworthy developments in exploit kits and software vulnerabilities opened the door for interesting experimentation, including a Chrome zero-day that required user action for patching.

Unfortunately, cybercriminals didn’t forget about consumers altogether—adware on Macs and mobile devices was rampant this quarter, with supply chain attacks resulting in malicious apps loading pre-installed on mobile phones. And although businesses are the new black, user data in the form of Personally Identifiable Information (PII) is still the prize, as data leaks via weak third-party security or password hygiene revealed full-fledged breaches were not necessary to bring criminals their pay day. As businesses gather and compile more data about their customers, they become ever-more attractive targets, especially as weak credentials, broad user access, and gaps in infrastructure allow threat actors to practically stroll into many organizations and take with them their customers’ database.

To that end, consumers are taking notice, and increasingly growing wary of trusting businesses with their PII. A survey conducted by Malwarebytes this quarter shows that more than 90 percent of nearly 4,000 respondents feel securing their data is of highest importance—yet they trust organizations, especially social media and search engines, about as far as they can throw them. Because of this shift in tactics by criminals and the resulting anxiety it’s producing for consumers, we are adding a new section to our report about data privacy, looking at trends in data storage, transfer, exfiltration, and regulation, and exposing pitfalls that may lead to theft of user data.

So how did we draw our conclusions for this report? As we’ve done for the last several quarterly reports, we combined intel and statistics gathered from January 1 through March 31, 2019, from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products on the PC, Mac, and mobile devices, which are deployed on millions of machines. Here’s what we learned about cybercrime in the first quarter of 2019.

Key takeaways

Businesses are still the prime target. Overall detections of threats to businesses have steadily risen, while consumer threats have dropped off. Business detections increased by about 7 percent from the previous quarter, while consumer detections declined by nearly 40 percent, resulting in an overall dip in malware volume of 35 percent quarter over quarter.
Compared to Q1 2018, business detections have skyrocketed 235 percent, with consumer detections dropping 24 percent year over year. This reinforces the observed trend of cybercriminals focusing more on business targets today.

Emotet shows no signs of stopping. Emotet, the most fearsome and dangerous threat to businesses today, has made a total shift away from consumers, reinforcing the intent of its creators to focus on enterprise targets, except for a few outlier spikes. Detections of Trojans (Emotet’s parent category) on business endpoints increased more than 200 percent from the previous quarter, and almost 650 percent from the same time last year.

Ransomware is back to business. Ransomware has made a tremendous comeback against business targets in Q1 2019, with an increase of 195 percent in detections from Q4 2018 to Q1 2019. In comparison to the same time last year, business detections of ransomware have seen an uptick of over 500 percent, thanks in large part to a massive attack by the Troldesh ransomware against US organizations in early Q1.

Consumer detections of ransomware died down. Meanwhile, ransomware consumer detections have continued to drop, despite activity by families such as GandCrab, which primarily targeted consumers over the last quarter as it switched to a ransomware-as-a-service model and began brute-forcing RDP to infiltrate systems. Consumer detections of ransomware decreased by 10 percent quarter over quarter, and by 33 percent year over year.

Cryptomining against consumers is essentially extinct. Marked by the popular drive-by mining company CoinHive shutting down operations in early March, consumer cryptomining seems to have gone the way of the dodo. Detections of consumer-focused Bitcoin miners have dropped significantly over the last year and even from last quarter, while business-focused miners have increased from the previous quarter, especially in the APAC region.

Adware in Macs and mobile devices was problematic. While all Mac malware saw a more than 60 percent increase from Q4 2018 to Q1 2019, adware was particularly pervasive, clocking in at over 200 percent from the previous quarter. Mobile adware detections also trended upward, as supply chain attacks delivered malware pre-installed on mobile devices. However, overall adware detections were fewer in Q1 2019 than they were during the same time period last year.

Exploit authors developed some attention-grabbing techniques. A new Flash Player zero-day was discovered in Q1 and quickly implemented into popular exploit kits, including Underminer and Fallout EK, as well as a new exploit kit called Spelevo. In addition, a Chrome zero-day required users to take action, fully shutting down and restarting their browser in order to patch the vulnerability. Finally, the popular software WinRAR was being used to deliver payloads to users.

As attacks against businesses ramped up, user trust in businesses to protect their data reached a new low. In a survey conducted by Malwarebytes in Q1 2019 of nearly 4,000 respondents, users expressed deep concerns about abuse, misuse, and theft of PII, especially from social media and search engine companies. In a new section of our Cybercrime Tactics and Techniques report, we examine how cybercriminals found success by exploiting infrastructure weaknesses, gaps in policy and regulation, and even corporate negligence to not only walk away with valuable data, but establish persistence within the network.