Cybercrime business models are evolving. Small businesses are paying the price.
Last year, 54% of companies experienced a successful attack that compromised their data or IT infrastructure. With malware evolving at a whirlwind pace, staying ahead of the threat landscape has never been more difficult. To further complicate things, in the first half of 2018 Barkly researchers noted several fundamental shifts in cybercrime tactics. These shifts have had major implications for the types of attacks criminals are launching, and we expect them to continue to influence attack campaigns throughout the rest of 2018.
Here are three of the biggest examples we’ve identified as part of our ongoing research into cybercrime and malware campaigns at Barkly.
1) Criminals are giving up on ransomware
What’s changing:
Businesses that have spent the last two years prioritizing defensive efforts against ransomware may be surprised to learn that the majority of criminals have moved on to more silent and stealthy attacks that are very difficult to prevent. Once the most popular payload by far, ransomware infections have dropped 50% in the past 12 months.
Why the dramatic drop? There are a variety of factors at play, but the simplest answer is that, following an initial boom, many criminals flocked to ransomware as a way to get rich quick, only to discover not enough victims were willing or able to pay. That isn’t to say ransomware has gone away completely, but the attack campaigns that are still active tend to be more targeted on specific industries such as healthcare, education, and local government, or launched from an increasingly consolidated number of “ransomware-as-a-service” operators (more on those below).
What it means for small businesses:
Investing in backups may have helped turn the tide against ransomware by providing victims with an alternative to paying, but it didn’t do anything to address the underlying issue of businesses being easily compromised in the first place. Backups do not prevent attackers from stealing sensitive information or draining resources. Now that ransomware has been supplanted by banking trojans and miners, one of the big dangers is that small businesses with limited budgets may be assuming backups are an adequate stand-in for actual protection.
In addition, the switch to stealthier payloads means companies can no longer rely on the malware to let them know they’ve been infected. Trojans, miners, and backdoors are all designed to blend in with normal system activity and avoid detection for as long as possible. That completely changes the game for IT and security professionals. No longer do they need the capability to quickly isolate and recover from obvious attacks, they now need the capability to detect and preemptively block evasive malicious activities that would otherwise go unnoticed.
2) Malware services is where the money is
What’s changing:
While other cybercriminals search for alternative ways to successfully monetize their attacks now that the ransomware well is drying up, some groups have pivoted their business models to center around taking money not from victims, but as a supplier to other criminals, instead. Take, for example, Emotet. Formerly a standalone banking Trojan, it now operates primarily as a downloader for other banking trojans, and business is booming. According to researchers at Proofpoint, Emotet accounted for a third of all malicious payloads in Q1 2018.
On the ransomware front, the most prevalent strain by far this year is GandCrab, a ransomware-as-a-service (RaaS) operation that allows criminals to create and customize their own variants in exchange for 30-40% of the profits.
What it means for small businesses:
As more criminals shift to providing malware service platforms, the ensuing competition is fueling an arms race. Providers of the malware services are feeling ongoing pressure to provide more features and functionality while staying a step ahead of security solutions. GandCrab and the fellow RaaS operation DBGer are two prime examples. Formerly called Satan, DBGer’s developers have continuously made improvements to the ransomware’s code and feature set, adding several lateral movement and self-propagating capabilities.
Rapid iteration is the name of the game for GandCrab and other operations like it, and that unfortunately means that small businesses are at risk of falling even further behind. IT leaders at small businesses need to stay informed and make sure their endpoint protection can keep pace by adapting alongside increasingly agile threats.
3) Malware is increasingly modular
What’s changing:
These days it’s becoming increasingly rare for attackers to utilize their own custom malware at every stage during an attack. Instead, the majority of attacks are conducted utilizing a variety of plug-and-play tools and payloads that each have their own specialty and play a specific role. For example, a single attack campaign can consist of an initial downloader charged with gaining an initial foothold, a banking Trojan payload designed to steal credentials and drain bank accounts, and an additional cryptominer payload that serves as a subsequent way of monetizing the infection. Each individual component can be easily purchased, rented, or, in some cases, even downloaded for free from GitHub.
What it means for small businesses:
The fallacy that only large corporations need to worry about advanced attacks is becoming more inaccurate by the day. Two-thirds of the organizations we’ve spoken with say the sophistication level of the attacks they’re seeing has steadily risen over the past 12 months. That is in part due to how easy it has become to piece together attacks incorporating the latest exploits and evasive techniques.
In addition to facing more pressure to patch their systems and update their security more quickly, small businesses also have to operate under the impression that if they do become infected with malware they may be dealing with more than one type of infection.
Investing in security that is resilient to change
Staying on top of all of these changes is an uphill battle IT leaders at SMBs frankly don’t have time for. That’s why, when investing in new security solutions, it is important for organizations to select products that are built to adapt to new threats as quickly as possible. Better yet, investing in solutions that detect and block the core fundamental behaviors that all attacks rely on can give IT leaders the confidence knowing their organization is protected no matter how rapidly attacks evolve.
