
Ransomware decreases as criminals customise attacks on larger, more lucrative targets - McAfee Report

By Ryan Morris-Reade, Fri 25 Jun 2021

McAfee has released its latest cybersecurity report, McAfee Threats Report: June 2021, analysing cybercriminal activity related to malware and cyber threats in the first quarter of 2021.

According to the report, the first quarter saw cybercrime move from low-return, mass-spread ransomware campaigns to fewer, more customised Ransomware-as-a-Service (RaaS) campaigns that target larger organisations for a more lucrative return.

An upsurge in 64-bit CoinMiner applications grew cryptocurrency-generating coin mining malware by 117%, and a proliferation of new Mirai-based malware variants meant an increase in malware targeting Internet of Things (55%) and Linux (38%) systems.

“Criminals will always evolve their techniques to combine whatever tools enable them to best maximise their monetary gains with the minimum of complication and risk,” says McAfee fellow and chief scientist, Raj Samani. 

“We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see Ransomware as a Service supporting many players in these illicit schemes, holding organisations hostage and extorting massive sums for the criminals.”

McAfee assesses the state of the cyber threat landscape for each quarter based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud, which has over a billion sensors across multiple threat vectors around the world.

The report found that ransomware declined by 50% in Q1, partly because of a shift by attackers from broad campaigns with many targets using the same samples to campaigns attacking fewer, larger targets with unique samples. Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously “noisy”, meaning hundreds of thousands of systems will in time begin to recognise and block these attacks.

McAfee says that, by allowing attackers to launch unique attacks, RaaS affiliate networks let adversaries minimise the risk of detection by large organisations’ defences, and then paralyse and extort them for large ransomware payments.

This shift is reflected by the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021. 

REvil was the most detected ransomware in Q1, in spite of the high-profile attacks from the DarkSide RaaS group in Q2 2021. It was followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze, and Babuk strains.

Although prominent ransomware attacks tend to focus attention on how criminals use ransomware to monetise crimes with payments in cryptocurrency, a first-quarter 117% surge in the spread of cryptocurrency-generating coin mining malware can be attributed to sharp growth in 64-bit CoinMiner applications.

“The takeaway from the ransomware and coin miner trends shouldn’t be that we need to restrict or even outlaw the use of cryptocurrencies,” says Samani.

“If we’ve learnt anything from the history of cybercrime, criminals counter defenders’ efforts by simply improving their tools and techniques, sidestepping government restrictions, and always being steps ahead of defenders in doing so. If there are efforts to restrict cryptocurrencies, perpetrators will develop new methods to monetise their crimes, and they only need to be a couple steps ahead of governments to continue to profit.”

Key highlights of the report:

  • The first quarter of 2021 saw the volume of new malware threats average 688 threats per minute, an increase of 40 threats per minute over Q4 2020.
  • A host of new Mirai malware variants drove increases in the Internet of Things and Linux malware categories in Q1. These variants all exploit vulnerabilities in IoT devices like DVRs, webcams, and internet routers. When the compromised IoT devices are connected to their botnet, they can be commandeered to participate in DDoS attacks.
  • McAfee tracked a 54% increase in publicly reported cyber incidents targeting the technology sector during the first quarter of 2021. The Education and Financial/Insurance sectors followed with 46% and 41% increases respectively, whereas reported incidents in Wholesale/Retail and Public Sector declined by 76% and 39% respectively.
  • These incidents surged 54% in Asia and 43% in Europe, but declined 13% in North America. And while reported incidents actually declined 14% in the United States, these incidents grew 84% in France and 19% in the United Kingdom.