This year’s second quarter witnessed a lull in cybercrime, but cybercriminals continue to experiment with ransomware, according to Malwarebytes Labs in its second quarter report.
Malware activity posted a decrease in both business and consumer categories in the second quarter, the report noted. But while the volume of activity was lower, the quality of the attacks was anything but.
Malwarebytes Labs based its conclusions on data from April through June along with telemetry from its business and consumer products that are used in millions of machines.
Ransomware and cryptomining demonstrated a greater level of sophistication in the second quarter.
Cryptomining took the lead in consumer detections for the quarter, followed by adware, which rose by 19% in the quarter.
Spyware activity dropped from the leading business detection to number five, shedding 40% of its activity, while banking Trojans held on to the number two spot even though detections in this segment fell by half.
Backdoor detections, however, jumped in both the consumer and business sectors, with consumer detections rising by 442%.
A spike in backdoor malware detections is believed to be due to a campaign Malwarebytes Labs refers to as Backdoor.Vools. The malware is usually noticed installing cryptocurrency miners after communicating with a command and control server.
The WannaCry and NotPetya outbreaks in 2017 have yet to be matched in impact and distribution volume, the report said, but attacks from VPNFilter, SamSam and others indicate higher level attacks could be in store for the balance of the year.
VPNFilter malware, a multi-stage threat that targets consumer and small-office routers by the hundreds of thousands, posted an increase, generating half a million detections in the quarter.
VPNFilter is able to remain undetected by modern security tools. In addition to harvesting usernames and passwords, it can inject false data to deceive users while stealing information. The malware can also conduct DDoS attacks or install other software.
SamSam, for its part, destroyed files for the city of Atlanta and attacked Hancock Health, and it remains evasive because of the targeted manner in which attackers deliver it. SamSam is believed to have taken in more than $1 million. The group behind it is believed to study potential targets to learn the value of their information, then price the ransom so that paying is the more economical recovery option for the victim.
GandCrab was cited as the leading ransomware variant, delivered via email. The variant has moved to the Magnitude exploit kit for distribution. Magnitude has started to deploy a fileless technique for loading the ransomware payload, which makes it harder to detect.
Client-side and server-side cryptomining continue because of content management system vulnerabilities, the report noted. It is not easy to upgrade a CMS, because plugins, themes and other functions can stop working when the core is updated.
Cybercriminals are also focusing more on personally identifiable information (PII), the report noted.
Malwarebytes Labs first noticed scammers stealing PII in bitcoin scams. Bitcoin, the report noted, is largely unregulated, has limited fraud protection, and the exchanges have poor support.
Because user awareness of scams has increased, scammers are trying to steal email accounts, passwords and bank account information.
The European Union’s new General Data Protection Regulation laws are also believed to be raising interest in PII theft since such data is popular on the black market.
Malwarebytes Labs offers a more extensive report on cybercrime tactics and techniques for the second quarter on its website.
Last modified: January 24, 2020 11:04 PM UTC