The risk associated with crimeware is underestimated, despite a continuous increase in attacks involving financially motivated malware, a new report from Alphabet-owned security firm Chronicle reveals.
Analysis of malware samples submitted to Chronicle’s VirusTotal service between January 2013 and December 2018 has revealed not only a consistent and continuous evolution of financially motivated threat actors’ toolsets, but also a decrease in the efficiency of countermeasures.
This decrease, Chronicle says, arises from a misconception around the severity of risk from crimeware. The analyzed threats span banking Trojans, ransomware, info-stealers and cryptomining malware, among them GameOver Zeus and Cryptolocker, Dridex, Dyre, TrickBot, Ramnit, attacks on the SWIFT messaging network, Mirai, WannaCry, and others.
With rates of losses due to crimeware climbing, “the financial risk quantifiably outranks more sophisticated threats such as APTs,” Chronicle’s report reveals. Crimeware’s ability to disrupt businesses is already tremendous, and attacks are expected to increase in impact, scale and cost.
Increasing steadily, crimeware has “desensitized security teams,” producing a fatigue that is itself a threat to organizations and that further amplifies the impact crimeware has on businesses. Over time, attacks were optimized for volume and speed, growing in sophistication and increasingly targeting more lucrative potential victims.
The efficiency of countermeasures, on the other hand, has decreased steadily, as the attackers’ ability to adapt outpaces the ability of traditional law enforcement to find and prosecute criminals. While geographical and other factors limit law enforcement efforts, crimeware operations have more time to adapt, becoming more detrimental, Chronicle’s report notes.
In order to achieve maximum profit, the threat actors employ traditional enterprise workplace standards, and the emergence of “crimeware-as-a-service” demonstrates an ability to scale profitable enterprises. Miscreants are usually able to shift toolsets within a three-month period to align with prime money-making opportunities.
“As threat groups increased attack sophistication, organized criminal groups that initially targeted consumers switched to deploying new tactics to compromise corporate victims,” the report also notes.
An overview of the evolution of banking Trojans, ransomware, info-stealers and cryptomining malware throughout the aforementioned 6-year period shows a significant increase in all four types of crimeware in 2017 and 2018. Crypto-miners experienced the most significant growth in the first quarter of 2018, but then dropped over 50%, in line with a dive in the price of virtual currencies.
While banking Trojans and info-stealers experienced a slow but steady growth in 2013 and 2014, miners and ransomware gained little traction in the timeframe. In 2015, however, ransomware outpaced the growth of all other studied malware categories, and the massive growth continued in 2016 as well.
The number of encryptor variants of ransomware skyrocketed in 2015, with CryptoWall accounting for more than 58% of observed infections in the first six months of the year. By the end of that year, TeslaCrypt took the first position.
Chronicle also notes that 2015 revealed an increase in the targeting of business environments, a trend that continued into 2016. The number of corporate users attacked with ransomware increased nearly 6 times compared to the 2014-2015 period.
During 2016, banking Trojans lost ground to other threats, and Necurs dominated the landscape with massive spam campaigns, such as those distributing Locky, Cerber, Dridex, and Kovter. The first few months of 2016 were dominated by TeslaCrypt, but Locky and Cerber took over after TeslaCrypt’s operators released the master decryption key, saying they would retire.
The first half of 2016 also marked the demise of the Angler Exploit Kit, which coincided with the arrest of the “Lurk” group, which had targeted Russian financial institutions since 2011. This eventually revealed that Lurk had been operating Angler for years.
Another turning point in the evolution of crimeware was the emergence of Mirai Internet of Things (IoT)-targeting malware in late 2016. The threat was designed to ensnare IoT devices into a botnet and abuse their computing power to launch distributed denial of service attacks.
“2017 was the year of opportunity for crimeware authors. Ransomware began to crowd itself out of the market, yet new exploits allowed for wormable, destructive variants. Emotet, a dated banking trojan, would experience a renaissance and a cryptocurrency rush would fuel an 8,500% increase in mining malware deployed on victim machines,” Chronicle notes.
While Dridex campaigns dominated the first half of the year, Emotet experienced a 2,000% growth in the fourth quarter, and TrickBot, a likely derivative of Dyre, started to appear in an increasing number of spam campaigns in the middle of the year.
Another critical turning point in the evolution of crimeware was the massive WannaCry outbreak in May 2017, which leveraged the EternalBlue SMB exploit released by the Shadow Brokers to target older, unpatched versions of Windows.
The same year, Russian state-sponsored actors launched the NotPetya attack on Ukraine, abusing not only EternalBlue, but also the EternalRomance SMB exploit from the Shadow Brokers. The destructive attack quickly spread outside Ukraine, resulting in net total damages of around $10 billion. FedEx and Maersk were among the affected organizations.
2018, on the other hand, marked the decline of both ransomware and crypto-miners, while banking Trojans such as Emotet and TrickBot gained info-stealing capabilities through highly customizable, modular frameworks, which greatly expanded their functionality.
Ransomware-as-a-Service (RaaS) had a breakout year in 2018, helped by the rise of GandCrab, and enterprise ransomware deployments went up, although the overall ransomware detections decreased by 20%.
“Crimeware has been a long-standing mainstay of the financially motivated threat actor’s toolset. […] The last six years have been a roller coaster ride of consolidation and expansion, new monetization techniques, a massively increased threat landscape, and global law enforcement action against financially motivated threat actors,” Chronicle’s report reads.
When it comes to raw samples, although different malware families might have experienced ups and downs, there is more crimeware as time progresses, Chronicle says. The highest growth in the analyzed six-year period was associated with miners, which went up 29,000% between Q1 2013 and Q1 2018.
Despite efforts from law enforcement agencies to take down malware operations, this upward trend continues and these efforts appear to have an increasingly limited impact on the activities associated with financially motivated threat actors.
“Typically, within 2 quarters, malware sample counts which were impacted by a given takedown show definitive indications of growth. […] Takedowns may also have had an added side effect of pushing financially motivated threat actors to utilize completely new tools and techniques to continue operation,” Chronicle says.