Recent trends in cybersecurity show that Ransomware-as-a-Service (RaaS) campaigns are moving away from the widely targeted, low-return approach toward fewer, more customized, and potentially more lucrative RaaS campaigns directed at larger organizations.

 

A sharp spike in 64-bit CoinMiner applications has caused cryptocurrency-generating coin mining malware to grow significantly. Moreover, new Mirai-based malware variants drove increases in malware targeting IoT (55 percent of attacks) and Linux (38 percent) systems.

Cybercriminals naturally adjust their techniques, using whatever tools they acquire to maximize their gain while minimizing the risks, costs, and complications of their campaigns.

Ransomware was commonly used to obtain small payments from millions of individual victims. Now many criminals are instead trying to extort larger organizations for large sums of money. The Colonial Pipeline breach in 2021 is one example.

Ransomware decreases

Ransomware declined in the early part of 2021 as a result of the shift from wide-net campaigns attacking many individual entities with the same samples to more custom campaigns attacking fewer but larger targets with unique samples.

Campaigns that use one type of ransomware to infect and extort payments from many victims are difficult to sustain: over time, hundreds of thousands of systems will start to recognize and block the same samples.

By enabling unique attacks, RaaS affiliate networks minimize the risk of detection by large companies’ cyber defenses. They will then work to infect their systems, disrupt business operations, and extort them for large ransom payments.

This shift is reflected in the decline of prominent ransomware family types observed in the 2021 data.

Despite the high-profile attacks from the DarkSide RaaS group exposed in Q2 2021, the following were the most detected families, in order from most common to least common:

  • REvil
  • RansomEXX
  • Ryuk
  • NetWalker
  • Thanos
  • MountLocker
  • WastedLocker
  • Conti
  • Maze
  • Babuk

Cryptocurrency mining malware

Prominent ransomware attacks have brought mainstream attention to how criminals use ransomware to monetize their crimes. Payments are generally demanded in cryptocurrency, which helps keep payments anonymous and has emerged as its own alternative asset class.

The first half of 2021 saw a big surge in the spread of cryptocurrency-generating coin mining malware, driven by a sharp spike in 64-bit CoinMiner applications.

CoinMiner malware operates by infecting breached systems and stealthily producing cryptocurrency with those systems’ computing capacity for the cybercriminals who designed and launched the campaign. This contrasts with locking up victims’ systems and unfreezing them (or not) when cryptocurrency payments are made.

64-bit CoinMiner gives cybercriminals the advantage of not needing to communicate with the victim at all. Sometimes the victim is not even aware that their computer system has been hijacked to create monetary value for criminals.

This is yet another example of why banning cryptocurrencies has become a topic of discussion, and why they are a societal concern, given their role in ransomware, money laundering, and other criminal activity.

At the same time, cyber offense is ahead of cyber defense. Even if cryptocurrencies are heavily curtailed, cybercriminals will find ways to stay ahead of governments and defenders.

Threats and victims

Malware threats. New malware threats numbered 688 per minute in Q1 2021, up from 648 in Q4 2020, a 6% q/q rise.

Industry sectors. The tech sector saw a 54% q/q increase, followed by education (46%), and financial and insurance (41%). Retail and government fell by 76% and 39%, respectively.

IoT and Linux devices. New Mirai malware variants caused increases in the IoT and Linux malware categories. Variants such as the Moobot family were observed to have spread widely and accounted for multiple Mirai variants. These variants exploit vulnerabilities in IoT devices such as routers, webcams, and DVRs. Once a device is breached, the malware lies dormant on the system, downloads new versions of itself, and connects to its C2 server. Once the infected IoT devices are connected to the botnet, they can be used to participate in DDoS attacks.
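The two behaviours described above, periodic C2 check-ins from a dormant bot and a sudden outbound flood when the device joins a DDoS attack, both leave a footprint in network flow records. The following is an added example, not code from the report or from any vendor; it runs two simple heuristics over a constructed set of flow records. The device names, IP addresses (RFC 5737 documentation ranges), record layout and thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the report): flow-record heuristics a defender can
use to spot IoT devices behaving like Mirai-style bots. All records, device
names and thresholds below are constructed assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_device, dst_ip, dst_port, packets)
FLOWS = [
    # webcam-01 contacts the same external host every 60 s (C2 check-in pattern)
    *[(t, "webcam-01", "203.0.113.9", 4444, 2) for t in range(0, 600, 60)],
    # router-02 behaves normally: irregular intervals, several destinations
    (5, "router-02", "198.51.100.20", 443, 40),
    (130, "router-02", "198.51.100.21", 443, 55),
    (410, "router-02", "198.51.100.22", 443, 12),
    # dvr-03 pushes a large packet volume at one target in a short window
    *[(300 + i, "dvr-03", "192.0.2.77", 80, 5000) for i in range(20)],
]

# Asset-inventory tags for devices that should never beacon or flood (assumed)
IOT_DEVICES = {"webcam-01", "router-02", "dvr-03"}


def find_beacons(flows, min_hits=5, min_interval_s=10.0, max_jitter_s=5.0):
    """Flag (device, destination) pairs contacted repeatedly at a near-constant
    interval, the signature of a bot checking in with its C2 server."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _packets in flows:
        if src in IOT_DEVICES:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        interval = float(mean(gaps))
        # A regular, slow cadence is a beacon; a burst of back-to-back flows is not
        if interval >= min_interval_s and pstdev(gaps) <= max_jitter_s:
            hits.append({"device": src, "dst": dst,
                         "interval_s": round(interval, 1), "count": len(times)})
    return hits


def find_flood_sources(flows, window_s=60, packet_threshold=50_000):
    """Flag IoT devices that send an abnormal packet volume to a single target
    within one time window, consistent with participation in a DDoS attack."""
    buckets = defaultdict(int)
    for ts, src, dst, _port, packets in flows:
        if src in IOT_DEVICES:
            buckets[(src, dst, ts // window_s)] += packets
    flagged = {(src, dst) for (src, dst, _win), total in buckets.items()
               if total >= packet_threshold}
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("possible C2 beacon:", hit)
    for src, dst in find_flood_sources(FLOWS):
        print(f"possible DDoS participation: {src} -> {dst}")
```

On the constructed data the beacon check flags only webcam-01 (ten contacts to one host, 60 s apart, no jitter), while the flood check flags only dvr-03 (100,000 packets to one target inside a single 60 s window); router-02's irregular browsing trips neither rule. In a real deployment the thresholds would be tuned per device class from a baseline of normal traffic, and the asset tags would come from the inventory rather than a hard-coded set.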

Regions. Malware incidents rose 54% in Asia and 43% in Europe, but declined 13% in North America. Reported malware threats declined 14% in the United States, while such incidents grew by 84% in France and 19% in the UK.