Hackers Increasing Complex Attacks with Hack Tools, Ransomware

February 11, 2020 - Cybercriminals are ramping up attacks on business targets using diverse threats and attack strategies, as highlighted by a rapid increase of hack tool detections through unpatched vulnerabilities and a concerning number of ransomware detections, according to the new Malwarebytes Lab 2020 State of Malware Report.

Overall, the medical sector saw a 98 percent increase in threat detections as the fifth most impacted industry.

Malwarebytes collected data sets from product telemetry, intelligence, and honey pots, including real-time detections from its customers. They found for the first time, Mac threats are growing faster than Windows with twice as many detections.

But more notably, the researchers determined that hackers are increasingly improving the sophistication of their attacks and targeting businesses with force. In fact, business detections increased by nearly 1 million in 2019, or 13 percent.

Adware topped the list as the largest threat detected throughout the year, given a spike in detections against organizations during the first part of the year. Trojans, backdoors and riskware dominated throughout the year, but researchers saw a 463 percent increase in adware last year.

READ MORE: Malware Destroys Data of 30,000 Fondren Orthopedic Patients

Last year’s biggest hacking threat, trojan malware, fell to second place as detections decreased by 25 percent. Researchers saw a significant reduction in attacks in May, but still saw 2.8 million instances of Trojan malware overall.

Detection of hack tools – the manual infection of businesses through misconfigured ports or unpatched vulnerabilities – increased by a whopping 224 percent, highlighting a trend gaining popularity with hackers.

“There are also many families of malware, like Mimikatz, that use hacker tools as part of their regular operations, and this probably contributed to the category’s rise through the rankings from position 10 in 2018 to seven in 2019,” researchers wrote.

“In fact, business detections of hack tools more than tripled in number this year,” they added. “Combining both consumer and business data, there were over 1 million more hack tools detections in 2019 than in 2018. It’s clear this threat category meant business.”

There was also a 52 percent increase in riskware detections on businesses last year, while attempts decreased by 35 percent on the consumer side. Researches explained that it’s likely hackers are looking for higher returns on investment.

READ MORE: DHS CISA Alerts to Spike in Emotet Malware Cyberattacks

Ransomware was “dwarfed by other threat categories by volume,” but detections of the destructive malware are both “noticeable and concerning.” Researchers noted that many of the high-profile cyberattacks of 2019 were caused by ransomware and that although there was a 6 percent decline in detections, the concern is that the attacks are far more advance than in previous years.

Hackers leveraging ransomware are now relying on covert and sophisticated infection methods, including existing Emotet infections, to “make their presence known.” As a result, the researchers noted that it’s not that ransomware attacks are slowing, it’s that its hackers are becoming more precise.

The healthcare sector alone saw a steady stream of providers reporting EHR outages, permanent closures, and loss of data caused by severe ransomware infections.

Ryuk and Sodinokibi were the dominate ransomware variants in 2019. Ryuk was behind the DCH Health System outage in October, while Sodinokibi infected IT vendor CTS and caused outages for more than 100 dental providers in December.

Further, researchers noted that Emotet continues to be problematic across the board as the second largest threat family. While the malware quieted down over the summer, in September Emotet reemerge to hijack email content from its victims.

READ MORE: Maze Ransomware Hackers Extorting Providers, Posting Stolen Health Data

“Emotet picked back up its campaigns in the fall, targeting businesses over consumers and creating a niche for themselves in selling secondary payload access to other criminals through their existing infections,” researchers explained. “Distribution of Emotet relies on malicious phishing emails spread by the malware and its controllers.”

“One of the capabilities of Emotet includes establishing an affected system as a spam sender,” they added. “Combine its spam module functions with frequently seen secondary payloads of families that can move laterally throughout a network… and you’ve got the perfect toolkit for infecting an entire corporate network.”

Moving forward, Malwarebytes explained that organizations can expect to see an increase in hacking tools as cybercriminals work to attack organizations from all angles, to “not only infiltrate our space and steal our data but become more and more proficient at hiding from us.”

As a result, businesses will see an increase in diversification and sophistication for Windows-focused malware. Further, organizations can expect to see hybrid attacks with multi-stage payloads, where the hacker first gains access to gather information to consider the next stage of attack. This could include further infections or selling the infection to another bad actor.

Ransomware will also continue at a rapid pace given the diversification of attack vectors, including the development and prevalence of hacking tools.

“This ransomware problem isn’t going away,” researchers wrote. “We are likely to see more non-affiliated cybercriminals using tricks developed by state-sponsored malware groups (APT), as we did with EternalBlue. And if we do, we’re in for a turbulent year of cybercrime.”

“Threat actors are becoming more creative and increasingly persistent with their campaigns,” Marcin Kleczynski, Malwarebytes CEO, said in a statement. “It’s imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks, actively protecting both users and businesses by flagging and blocking all programs that may violate their privacy, infect their devices, or even turn the infrastructure they depend on against them.”