Show Me the (Easy) Money
The encounter rate for ransomware declined by almost 60% in 2018, from 0.07% to 0.03%. Note that Microsoft defines an encounter as an instance when one of its security products reports a malware encounter. This doesn’t necessarily mean that every malware encounter resulted in an infection. The U.S. had a malware encounter rate in 2018 of 0.02%. Compare this to Ethiopia, which had a malware encounter rate of 0.77%.
Why ransomware declined in 2018 is anyone’s guess. It’s possible that end-user education and improved implementation of device backups drove down the success of ransomware attacks.
What Microsoft saw in 2018 was an increase in cryptocurrency mining. This again shows that cybercriminals are opportunistic. As the ROI on ransomware attacks declined, some of these criminals turned instead to cryptocurrency mining. Sadly, Ethiopia was again the leader in monthly encounter rates of cryptocurrency mining, at 5.58%. The same rate for the U.S., by contrast, was 0.02%.
Microsoft’s Security report also highlighted the emergence of browser-based cryptocurrency mining. The danger here is that the attack can take place without any malware installation on the user’s device.
Hijacking the Software Update Process
Microsoft noted instances where cybercriminals placed malware payloads in the update packages of applications such as PDF editors. The Petya malware outbreak of 2017 was this kind of attack. One specific outbreak, the DoFoil attack, attempted to infect 400,000 computers in the first 12 hours after its launch.
Phishing Remains Popular
Microsoft’s Security report noted that the percentage of total inbound emails that are phishing messages increased from 0.25% early in 2018 to 0.55% at the end of 2018. This amounts to a 250% increase! Some phishing campaigns have been broad-based, while others were focused on specific companies and industries.
It turns out that cybercriminals love the cloud as well. Microsoft has seen an increase in the use of public cloud infrastructure to host the attackers’ infection sites, probably because discovery is more difficult.
The phishing methods in use will sound familiar:
- Domain spoofing
- Domain impersonation
- User impersonation
- Links to a login page where user credentials can be stolen
- Links to a cloud storage or other service location intended to capture user credentials in exchange for accessing the service
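The first three methods in the list can be told apart from a message's headers. The triage sketch below is an added example, not code from Microsoft's report or from this post. It assumes a hypothetical protected domain `contoso.example`, a one-entry user directory, a 0.85 similarity threshold, and constructed sample headers.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example; replace with your own domain and directory.
OWN_DOMAIN = "contoso.example"
KNOWN_USERS = {"dana smith": "dana.smith@contoso.example"}

# Constructed sample messages (headers only), not real mail.
SAMPLES = {
    "spoofed": "From: IT Support <it@contoso.example>\n"
               "Authentication-Results: mx.contoso.example; spf=fail; dmarc=fail\n\n",
    "lookalike": "From: IT Support <it@cont0so.example>\n"
                 "Authentication-Results: mx.contoso.example; spf=pass; dmarc=pass\n\n",
    "fake_user": 'From: "Dana Smith" <dana.smith@freemail.example>\n'
                 "Authentication-Results: mx.contoso.example; spf=pass; dmarc=pass\n\n",
    "genuine": "From: Dana Smith <dana.smith@contoso.example>\n"
               "Authentication-Results: mx.contoso.example; spf=pass; dmarc=pass\n\n",
}

def dmarc_passed(msg):
    # Only trust Authentication-Results headers stamped by your own gateway;
    # this sketch assumes upstream copies were already stripped.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "dmarc=pass" in results

def classify(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if domain == OWN_DOMAIN:
        # Exact domain match: genuine only if authentication succeeded.
        return "legitimate" if dmarc_passed(msg) else "domain spoofing"
    if SequenceMatcher(None, domain, OWN_DOMAIN).ratio() >= 0.85:
        # Near-miss domain that can pass SPF/DKIM because the sender owns it.
        return "domain impersonation"
    real = KNOWN_USERS.get(display.strip().lower())
    if real and addr != real:
        # Familiar display name on an unrelated address.
        return "user impersonation"
    return "no match"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

The lookalike and fake-user samples both pass DMARC, which is why sender authentication alone does not catch impersonation and a similarity or directory check is needed alongside it.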
How to Battle the Bad Guys
As we have said on other occasions, a great preventative step is to exercise proper computer hygiene. This means regularly applying security updates for operating systems, applications and browsers. And if you have devices that can no longer be updated (I’m looking at you, Windows 7) you should retire those devices or otherwise isolate them from your network.
You will want to work with your users to educate them about the risks of using free or pirated software. Users should at least go to the app provider’s website or an app store. In some cases, it will make sense to host the apps in an in-house store.
No security post would be complete without mentioning multi-factor authentication. You should implement MFA at least for users with administrative privileges.
If you are an Office 365 customer, I would recommend implementing Advanced Threat Protection. This will prevent users from being compromised if they click on a suspicious URL.
It’s a good security practice to implement the principle of least privilege. This includes steps such as segmenting your network, removing local administrator privileges from end users and being careful about granting administrative permissions to applications.
You may want to whitelist applications that users can run on their devices. You could also look into conditional access policies and tools that would restrict code that can run in the operating system kernel as well as restrict code execution by unsigned scripts.
Of course, it’s always a good idea to implement regular backups. Microsoft’s “3-2-1 rule” says to keep three backups of your data on two different storage types and with one backup located off site.
Awareness and Education
Many of our customers have implemented end user training about how to spot phishing attempts. This ongoing education will continue to benefit your organization. It’s also worth educating users to report instances of their computers seeming to run excessively slowly. If you inspect the machine and find a file that seems to be occupying much of the computer’s resources, you can submit a sample of the file to Microsoft for analysis. Here’s the link.