Risks associated with crimeware underestimated: Chronicle Report

A report from Alphabet-owned security firm Chronicle reveals that risks associated with crimeware are underestimated despite a continuous increase in attacks involving financially motivated malware.

Analysis of malware samples submitted to Chronicle’s VirusTotal service between January 2013 and December 2018 has revealed not only a consistent and continuous evolution of financially motivated threat actors’ toolsets, but also a decrease in the efficiency of countermeasures, the report states.

This decrease, Chronicle says, arises from a misconception around the severity of risk from crimeware. With rates of losses due to crimeware climbing, “the financial risk quantifiably outranks more sophisticated threats such as APTs,” Chronicle’s report reveals. Crimeware’s ability to disrupt businesses is already tremendous, and attacks are expected to increase in impact, scale and cost.

Increasing steadily, crimeware has “desensitized security teams,” producing an alert fatigue that is itself a threat to organizations and that further amplifies the impact crimeware has on businesses. Over time, attacks have been optimized for volume and speed, growing in sophistication and increasingly targeting more lucrative potential victims.

The efficiency of countermeasures, on the other hand, has decreased steadily, as the attackers’ ability to adapt outpaces the ability of traditional law enforcement to find and prosecute criminals. While geographical and other factors limit law enforcement efforts, crimeware operations gain more time to adapt and become more damaging, Chronicle’s report notes.

An overview of the evolution of banking Trojans, ransomware, info-stealers and cryptomining malware throughout the aforementioned 6-year period shows a significant increase in all four types of crimeware in 2017 and 2018. Crypto-miners experienced the most significant growth in the first quarter of 2018, but then dropped over 50%, in line with a dive in the price of virtual currencies, the report adds.

While banking Trojans and info-stealers experienced a slow but steady growth in 2013 and 2014, miners and ransomware gained little traction in the timeframe. In 2015, however, ransomware outpaced the growth of all other studied malware categories, and the massive growth continued in 2016 as well.

The number of encryptor variants of ransomware skyrocketed in 2015, with CryptoWall accounting for more than 58% of observed infections in the first six months of the year. By the end of that year, TeslaCrypt took the first position.

Chronicle also notes that 2015 revealed an increase in the targeting of business environments, a trend that continued into 2016. The number of corporate users attacked with ransomware increased nearly 6 times compared to the 2014-2015 period.

During 2016, banking Trojans lost ground to other threats, and Necurs dominated the landscape with massive spam campaigns, such as those distributing Locky, Cerber, Dridex, and Kovter. The first few months of 2016 were dominated by TeslaCrypt, but Locky and Cerber took over after TeslaCrypt’s operators released the master decryption key, saying they would retire.

The first half of 2016 also marked the demise of the Angler Exploit Kit, coinciding with the arrest of the “Lurk” group, which had targeted Russian financial institutions since 2011. This eventually revealed that Lurk had been operating Angler for years.

Another turning point in the evolution of crimeware was the emergence of the Internet of Things (IoT)-targeting Mirai malware in late 2016. The threat was designed to ensnare IoT devices into a botnet and abuse their computing power to launch distributed denial of service attacks.

“2017 was the year of opportunity for crimeware authors. Ransomware began to crowd itself out of the market, yet new exploits allowed for wormable, destructive variants. Emotet, a dated banking trojan, would experience a renaissance and a cryptocurrency rush would fuel an 8,500% increase in mining malware deployed on victim machines,” Chronicle notes.

When it comes to raw samples, although different malware families might have experienced ups and downs, there is more crimeware as time progresses, Chronicle says. The highest growth in the analyzed six-year period was associated with miners, which went up 29,000% between Q1 2013 and Q1 2018.