The emergence of new global cybercriminal attack patterns

The findings of a new Malwarebytes report illustrate a significant shift in cybercriminal attack and malware methodology from previous years. Ransomware, ad fraud and botnets, the subject of so much unjustified hype over previous years, surged to measurable prominence in 2016 and evolved immensely. Cybercriminals migrated to these methodologies en masse, impacting nearly anyone and everyone.

To better understand just how drastically the threat landscape evolved in 2016, researchers examined data taken from Windows and Android devices running Malwarebytes in more than 200 countries. Both corporate and consumer environments were studied and data was collected from June 2016 through November 2016.

In the six months studied, nearly 1 billion total malware detections/incidences were reported. Data was also obtained from Malwarebytes’ internal honeypots and collection efforts to identify malware distribution, not only infection.

“To protect users from cybercriminals, we need to intimately understand their methodologies and tactics,” said Marcin Kleczynski, Malwarebytes CEO. “Our findings demonstrate that the frequency and variety of new cyberattacks has crashed into people and businesses at an alarming rate. The last year involved an onslaught of ransomware, a surge of pernicious ad fraud and new, dangerous uses for botnets. These threats have the potential to erode many of the gains that computing is providing global society. Both consumers and businesses need to better understand how these new attack methodologies may impact them.”

Ransomware grabbed headlines and became the favorite attack methodology used against businesses, particularly in North America and Europe.

• Ransomware distribution between January 2016 and November 2016 increased by 267 percent.
• In the fourth quarter of 2016 alone, we catalogued nearly 400 variants of ransomware.
• Ransomware detections accounted for 12.3 percent of all enterprise threats, but only 1.8 percent of consumer threats.
• 81 percent of ransomware detected in corporate environments occurred in North America.

Ad fraud malware, led by Kovter malware, exceeded ransomware detections at times, and poses a substantial threat to consumers and businesses.

• In 2016 we observed Kovter, one of the most dangerous malware families in the wild, primarily being used for ad fraud.
• Kovter was one of the biggest threats of this last year for Americans, more than anyone else, with 68.64 percent of all infections occurring in the U.S.
• Kovter’s change in methodology and distribution is significant because it mirrors the trends we’re seeing with surges in ransomware: Kovter and ransomware both provide a source of direct profit for the attackers.

Botnets infect and recruit Internet of Things devices to launch massive DDoS attacks.

• In 2016 we saw a new use for botnets, to compromise and infect the Internet of Things (IoT).
• Asia and Europe saw an increase in variants developed from popular botnet families. For example, the Kelihos botnet grew 785 percent in July and 960 percent in October, while IRCBot grew 667 percent in August and Qbot grew 261 percent in November.
• Germany also dealt with a substantial botnet problem. The country saw a 550 percent increase in the amount of botnet detections from 2015 to 2016.

Mobile malware evades detection from mobile security engines, resulting in an increase in the amount of mobile malware detected.

• In 2016, we observed the increased use of randomization utilized by the malware authors to evade detection from mobile security engines, resulting in an increase in the amount of mobile malware detected.
• Brazil, Indonesia, the Philippines, and Mexico made the top 10 countries for Android malware detections. The high prevalence of Android malware detections in developing countries can be attributed to the extensive use of relatively unsecured third-party app stores in those countries.

Europe is the most malware-ridden continent, and distribution of detections is telling.

• Europe saw 20 percent more infections than North America and 17 times more than Oceania.
• The countries hit hardest by malware in Europe are France, the UK, and Spain—although the Vatican City saw the steepest rise with a 1,200 percent increase in all malware.
• The UK saw almost twice as many incidents as Russia, and Russia was not in the top 10 of countries hit by ransomware, despite its size and population.
• Germany is the second-most impacted country by ransomware, following the US, supporting the theory that malware authors use Germany as a testing ground for their wares before wider distribution.

“In the last year, we have seen a huge transition in the top malware threats and how they are distributed,” said Adam Kujawa, Director of Malware Intelligence, Malwarebytes. “Attackers are always seeking the greatest possible profit, causing them to shift methodology per region and geography, based on user awareness and attack success rate. The use of ransomware and ad fraud, specifically Kovter, have taken off because they provide a source of direct profit for attackers. This is the future of cybercrime, and it is imperative that we continue to study how these methods evolve over time.”