While the emergence of new ransomware strains has slowed, the total number of ransomware samples is growing, fueling continued ransomware attacks, according to the latest data from McAfee Labs.
The number of ransomware samples increased 57 percent over the last four quarters, the McAfee Labs Threat Report for September 2018 found.
McAfee also saw existing ransomware families spawn new variants. For example, McAfee identified a dozen new variants of the Scarab ransomware family in the second quarter of this year. These new variants account for more than half of the total number of Scarab variants identified since the family’s appearance in mid-2017.
A year after the outbreaks of the WannaCry and NotPetya ransomware attacks, new malware samples designed to exploit software vulnerabilities increased by 151 percent in the second quarter. McAfee saw the exploits from these two high-profile threats repurposed within new malware strains, and newly discovered vulnerability exploits similarly adapted to produce new threats.
“WannaCry and NotPetya provided cybercriminals compelling examples of how malware could use vulnerability exploits to gain a foothold on systems and then quickly propagate across networks,” said McAfee Advanced Threat Research Lead Scientist and Senior Principal Engineer Christiaan Beek.
“It’s still surprising to see numerous vulnerabilities from as far back as 2014 used successfully to spearhead attacks, even when there have been patches available for months and years to deflect exploits. This is a discouraging testament to the fact that users and organizations still must do a better job of patching vulnerabilities when fixes become available,” added Beek.
While ransomware samples have been increasing steadily, cryptomining malware has surged recently. New cryptomining malware samples grew an incredible 629 percent to more than 2.9 million samples in the first quarter of 2018. This trend continued in the second quarter as total samples grew by 86 percent with more than 2.5 million new samples. McAfee Labs has identified what appears to be older malware, such as ransomware, retooled with cryptomining capabilities.
While cryptomining malware primarily targets PCs, other devices have become victims. For example, Android phones in China and Korea have been exploited by the ADB.Miner malware to produce Monero cryptocurrency.
“A few years ago, we wouldn’t think of internet routers, video-recording devices, and other Internet of Things devices as platforms for cryptomining because their CPU speeds were too insufficient to support such productivity,” said Beek. “Today, the tremendous volume of such devices online and their propensity for weak passwords present a very attractive platform for this activity. If I were a cybercriminal who owns a botnet of 100,000 such IoT devices, it would cost me next to nothing financially to produce enough cryptocurrency to create a new, profitable revenue stream.”
Mobile Malware on the Rise
McAfee found that new mobile malware samples increased 27 percent in the second quarter. This marks the second successive quarter of growth for mobile malware. Total mobile malware grew 42 percent in the past four quarters.
While PowerShell, Microsoft's task automation and configuration management framework, has been in active use among fileless malware developers in recent quarters, growth in new samples slowed to 15 percent. But new LNK malware continues to grow, as cybercriminals are increasingly using .lnk shortcuts to surreptitiously deliver malicious PowerShell scripts and other malware, warned McAfee. Total samples in the category have increased 489 percent over the past four quarters.
McAfee Labs and the McAfee Advanced Threat Research team discovered a vulnerability in the Cortana voice assistant in Microsoft Windows 10. The flaw, for which Microsoft released a patch in June, could have allowed attackers to execute code from the locked screen of a fully patched Windows 10 machine. McAfee addressed three vectors of research that have been combined by Microsoft and together represent CVE-2018-8140. McAfee submitted the vulnerability to Microsoft in April as part of McAfee’s responsible disclosure policy.