Many people don’t know as much about personal cybersecurity as they think they do. The bad news is that misunderstanding and lack of knowledge can put you at serious risk. The good news is that in many cases simply knowing what to be wary of is enough to provide a fairly effective level of protection. Security software vendor Malwarebytes brings some needed knowledge in their Cybercrime Tactics and Techniques for Q1 2017 report.
Malware for Windows during the first three months of 2017 was all about ransomware. As can be seen in the chart below, ransomware dominated the field with adfraud coming in a distant second. Not only was ransomware preeminent, its frequency increased from approximately 55% to 63% of observed Windows malware from January through March. Ransomware is profitable and easy to deploy. It isn’t likely to go away anytime soon.
Just as ransomware dominated the Windows malware scene, Cerber was far and away the dominant ransomware family. In January Cerber accounted for approximately 70% of all Windows ransomware; it was at 86.98% by March while each of the other ransomware families held less than a 4% share.
One of the reasons Cerber is so popular is that it follows a ransomware-as-a-service model. Cybercriminals without technical skills can buy a complete, customized ransomware package that is ready for deployment. The victim’s files are encrypted, the ransom is paid, and the ill-gotten gains are shared between the cybercriminal who launched the attack and the developer who designed the ransomware.
Another reason Cerber is popular is that it can be difficult to detect. One way security software protects a system is by running suspicious files in a sandbox or on a virtual machine that is isolated from the rest of the system. If the files contain malware, the infection is contained in the box and can be eliminated. Near the end of March, Trend Micro reported a version of Cerber that checks whether it is running in a sandbox or a virtual machine, or whether software from certain security vendors is present. If any of these conditions is met, the malware shuts itself down rather than run, so it never exhibits the behavior that analysis would flag and remains undetected on the user’s system.
Malicious spam is the main delivery vehicle for malware in general and Windows is no exception. For example, the Cerber variant discovered by Trend Micro arrives in an email that contains a link to a self-extracting archive in a Dropbox account.
A social engineering tactic that has been commonly seen during the past three months is an email with a purchase or shipping notification that invites the user to click a link leading to a malware-infested website. Another is an email that includes a password used to open an attached document, which then loads malware onto the user’s system.
Ransomware was not a problem for Macs in early 2017, even though one new form of Mac ransomware was discovered lurking in the wild. FindZip was found on a piracy site posing as a crack for Microsoft Office and other programs. It’s an unsophisticated ransomware variant, and thus far FindZip’s bitcoin wallet has not received any payments.
Much more troublesome for Mac users was a marked increase in malicious backdoors into macOS. Mac backdoors can run shell commands, download and install files, steal files, steal passwords and credit card numbers by logging keystrokes, and stream video from the user’s webcam. If you want to see how hacking your webcam can hurt you, watch the brilliant episode “Shut Up and Dance” from Black Mirror’s third season.
The Mac App Store continued to be infested with potentially unwanted programs (PUPs) during early 2017. PUPs are usually nuisances but have been known to drop malware on Macs. Many of the adware, virus protection, and memory or system cleaning apps in the Mac App Store are PUPs that Malwarebytes has reported to Apple. In most cases, Apple hasn’t done anything about it.
Users with iCloud accounts have been the target of sophisticated phishing attacks built around fake notices from Apple. The notices claim the user’s account is locked, ask the user to confirm their account, or include invoices for a purchase from iTunes or the App Store. The email directs the user to click a link that leads to spoofed Apple login pages that are very difficult to distinguish from the real thing.
Two new types of malware that abuse Device Administrator spread on Android during the first three months of 2017. Device Administrator was designed to let enterprise app developers install enhanced security measures on smartphones and tablets used in the workplace. Cybercriminals are using it to take control of Android devices.
Here’s how it works. When an app is launched, a screen pops up asking the user to activate device administration for the app. Many users don’t understand what Device Administrator is, and they activate it in order to get on with what they were doing. One of Device Administrator’s capabilities allows an app to be locked so it cannot be removed from the system, which lets cybercriminals install unremovable adfraud and ransomware on the user’s device.
HiddenAds.lck and Jisut are two Device Administrator abusers that were commonly seen in early 2017. HiddenAds.lck feeds unwanted ads into Android apps, generating income for the cybercriminal. Jisut is ransomware that changes the password or PIN for the lock screen. Jisut infections almost doubled from January to March.
Malwarebytes’ Cybercrime Tactics and Techniques report contains more information, including advice on how to keep yourself safe and what to do if you suffer a malware attack.