1. The number of users encountering ransomware fell by almost 30% from 2016-2017 to 2017-2018, while the proportion of users encountering ransomware out of all malware also declined.
2. Cryptocurrency mining is rising as cybercriminals turn away from ransomware towards more sustainable profits from mining.
3. The main ransomware actors shifted in 2017-2018, with WannaCry responsible for 50% of attacks compared to a more diverse landscape in 2016-2017.
4. Countries with the highest rates of ransomware attacks changed over the period, with Thailand, UAE, and Iran topping the list in 2017-2018 while attacks declined in countries like Turkey.
Contents

- KSN Report: Ransomware and malicious cryptominers 2016-2018 (p. 1)
- Executive summary and main findings (p. 3)
- Introduction: A disappearing species - a brief look at ransomware decline over a year (p. 5)
- Game changer – how cryptocurrency miners beat them all (p. 18)
  - Part 1. PC miners (p. 18)
  - Part 2. Mobile miners (p. 24)
  - Part 3. Between black and white: are risk tools replacing malware? (p. 29)
- Conclusions and predictions (p. 33)
- Fighting back (p. 34)
Executive summary and main findings
Ransomware is not an unfamiliar threat. For the last few years it has been affecting the
world of cybersecurity, infecting and blocking access to various devices or files and
requiring users to pay a ransom (usually in Bitcoins or another widely used e-currency),
if they want to regain access to their files and devices.
The term ransomware covers two main types of malware: so-called window blockers (which
block the OS or browser with a pop-up window) and cryptors (which encrypt the user’s data).
The term also encompasses select groups of Trojan-downloaders, namely those that tend to
download encryption ransomware once a PC is infected.
Kaspersky Lab has a tradition of reporting on the evolution of ransomware – and you
can find previous reports on the threat here and here.
This year, however, we came across a huge obstacle in continuing this tradition. We
have found that ransomware is rapidly vanishing, and that cryptocurrency mining is
starting to take its place.
The architecture of cryptocurrencies assumes that, in addition to purchasing
cryptocurrency, a user can create a new currency unit (or coin) by harnessing the
computational power of machines that have specialized ‘mining’ software installed on
them.
Cryptocurrency mining is the process of creating these coins – it happens when various
cryptocurrency transactions are verified and added to the digital blockchain ledger. The
blockchain, in its turn, is a chain of successive blocks holding recorded transactions
such as who has transferred bitcoins, how many, and to whom. All participants in the
cryptocurrency network store the entire chain of blocks with details of all of the
transactions that have ever been made, and participants continuously add new blocks to
the end of the chain.
Those who add new blocks are called miners, and in the Bitcoin world, as a reward for
each new block, its creator currently receives 12.5 Bitcoins. That’s approximately
$30,000 according to the exchange rate on July 1, 2017. You can find out more about
the mining process here.
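To make the mechanism above concrete, here is a toy proof-of-work chain in Python, added here as an illustration rather than code from the report or from any real cryptocurrency: blocks of recorded transfers are linked by hash, a miner searches for a nonce that meets the difficulty target, and the block reward (the 12.5 BTC figure quoted above) is paid to the finder. The hash count returned by mine() is the CPU work that, with a covert miner, an infected machine performs on the criminal's behalf; the difficulty, party names and transfers are constructed.

```python
"""Toy proof-of-work miner (added example; not Kaspersky Lab's code or any
real cryptocurrency's implementation). It models the process the report
describes: transactions are grouped into a block, the block is chained to its
predecessor by hash, and the miner who finds a valid block earns a reward.
Real networks use other hash functions, block formats and difficulty rules;
only the shape of the process is shown here."""
import hashlib
import json
import time
from dataclasses import dataclass, field

BLOCK_REWARD = 12.5  # Bitcoin block subsidy quoted in the report (mid-2017)


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list          # constructed sample transfers, see below
    nonce: int = 0
    timestamp: float = field(default_factory=time.time)

    def hash(self) -> str:
        # Every field is covered by the hash, so changing any recorded
        # transaction or the link to the previous block changes the digest.
        payload = json.dumps(
            [self.index, self.prev_hash, self.transactions,
             self.nonce, self.timestamp], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(digest: str, difficulty: int) -> bool:
    """Difficulty = number of leading hex zeros the block hash must have."""
    return digest.startswith("0" * difficulty)


def mine(block: Block, difficulty: int, miner: str) -> tuple:
    """Brute-force the nonce until the hash meets the target.
    Returns (block, attempts); attempts is the number of hashes tried,
    i.e. the CPU cost paid by whichever machine runs the miner."""
    # The coinbase transaction pays the reward to whoever finds the block.
    block.transactions = (
        [{"from": None, "to": miner, "amount": BLOCK_REWARD}] + block.transactions)
    attempts = 0
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
        attempts += 1
    return block, attempts


def valid_chain(chain: list, difficulty: int) -> bool:
    """Re-check every link and every proof of work, as a network node would."""
    for i, block in enumerate(chain):
        if not meets_target(block.hash(), difficulty):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def build_chain(difficulty: int = 3, miner: str = "miner-A") -> list:
    """Mine two blocks on top of a genesis block, using constructed sample
    transfers, and return the chain. Fixed timestamps keep it reproducible."""
    genesis = Block(0, "0" * 64, [], timestamp=0.0)
    genesis, _ = mine(genesis, difficulty, miner)
    chain = [genesis]
    # Constructed sample transactions: who transferred how many coins to whom.
    samples = [[{"from": "alice", "to": "bob", "amount": 1.0}],
               [{"from": "bob", "to": "carol", "amount": 0.4}]]
    for txs in samples:
        blk = Block(len(chain), chain[-1].hash(), list(txs),
                    timestamp=float(len(chain)))
        blk, _ = mine(blk, difficulty, miner)
        chain.append(blk)
    return chain


def balance(chain: list, who: str) -> float:
    """Sum block rewards and transfers recorded on the chain for one party."""
    total = 0.0
    for blk in chain:
        for tx in blk.transactions:
            if tx["to"] == who:
                total += tx["amount"]
            if tx["from"] == who:
                total -= tx["amount"]
    return total


if __name__ == "__main__":
    chain = build_chain()
    for b in chain:
        print(b.index, b.hash()[:12], "nonce", b.nonce)
    print("miner-A balance:", balance(chain, "miner-A"))
```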
Given the above, this report will examine what is hopefully ransomware’s last breath, in
detail, along with the rise of mining. The report covers the period April 2017 to March
2018, and compares it with April 2016 – March 2017.
Methodology:
This report has been prepared using depersonalized data processed by Kaspersky
Security Network (KSN). The metrics are based on the number of distinct users of
Kaspersky Lab products with the KSN feature enabled, who encountered ransomware
and cryptominers at least once in a given period, as well as research into the threat
landscape by Kaspersky Lab experts.
Main findings:
• The total number of users who encountered ransomware fell by almost 30%, from
2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
• The proportion of users who encountered ransomware at least once out of the total
number of users who encountered malware fell by around 1 percentage point, from
3.88% in 2016-2017 to 2.80% in 2017-2018;
• Among those who encountered ransomware, the proportion who encountered
cryptors fell by around 3 percentage points, from 44.6% in 2016-2017 to 41.5% in
2017-2018;
• The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-
2017 to 751,606 in 2017-2018;
• The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in
2016-2017 to 100,868 in 2017-2018;
• The total number of users who encountered miners rose by almost 44.5% from
1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
• The share of miners detected, from the overall number of threats detected, also grew
from almost 3% in 2016-2017 to over 4% in 2017-2018;
• The share of miners detected, from overall risk tool detections, is also on the rise –
from over 5% in 2016-2017 to almost 8% in 2017-2018;
• The total number of users who encountered mobile miners also increased – but at a
steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.
Introduction: A disappearing species - a brief look at ransomware decline over a year
Early 2017 witnessed a dangerous trend: cybercriminals started to turn their attention away from attacks against private users to targeted ransomware attacks against businesses.
Focusing mainly on financial organizations worldwide, ransomware actors were hunting new
and more profitable victims. On the one hand, this change led to ransomware being the ‘story
of the year’. On the other hand, this change turned out to be more of an isolated surge than a
trend.
The past year’s most remarkable ransomware trend was the rapid spread of threats such as WannaCry and Bad Rabbit. These were global epidemics that triggered a huge peak in the
number of ransomware victims in a very short space of time. Taking a closer look, we found
that ransomware was also used by advanced threat actors to mount attacks for data
destruction, rather than for pure financial gain.
However, our quarterly analysis also showed us that ransomware was leaving the scene: see
here for more information.
This discovery led us to speculate whether the ransomware business model was starting to
crack. Was there a more lucrative alternative for cybercriminals looking to make money?
What could it be? Our guess was that criminals were starting to turn their backs on
ransomware, to focus on cryptocurrency mining instead.
Kaspersky Lab’s threat predictions for cryptocurrencies in 2018 suggested a rise in targeted attacks for the purpose of installing miners. While ransomware can provide cybercriminals with potentially large but one-off rewards in a turbulent landscape, miners might make less money out of their victims, but through a more sustainable, longer-term model.
PC ransomware
The numbers for the observed period prove the above theory.
The total number of users who encountered ransomware over the 12-month period from April
2017 to March 2018 fell by almost 30% in comparison to the previous year: April 2016 to
March 2017 – from 2,581,026 to 1,811,937 users around the world. This change is even
more dramatic if you consider that ransomware had risen by 17.7% from April 2015 to March
2016, and 11.4% from April 2016 to March 2017 (see previous reports for more details).
The proportion of users that encountered ransomware at least once, out of the total number
of users who encountered malware, is also falling steadily: 4.34% in 2015-2016, 3.88% in
2016-2017, and 2.80% in 2017-2018.
The following graphs illustrate the change in the number of users encountering ransomware at least once in the 24 months covered by this report. As can be seen in Fig. 1, the volume of ransomware attacks has been steadily decreasing, barely exceeding 350,000 per month. The two peaks, in May and in July, can simply be explained by the Locky ransomware, which was active at these times.
[Line chart: users per month, April 2016 – March 2017; y-axis 0 to 400,000]
Fig. 1: The number of users encountering ransomware at least once in the period from April 2016 to March 2017
The drop in June can be explained by a slowdown in the activities of several ransomware families. The following year the pattern looks similar, but shows even lower volumes at between 200,000 and 250,000 detections per month.
[Line chart: users per month, April 2017 – March 2018; y-axis 0 to 300,000]
Fig. 2: The number of users encountering ransomware at least once in the period from April 2017 to March 2018
The slight peak in May 2017 was fueled by the WannaCry pandemic, and the SynAck
targeted ransomware, which used the Doppelgänging technique and was also prevalent in
the spring. The drop in ransomware in July was caused by a brief slowdown in the activities
of Locky, Jaff and ExPetr.
Both of the above graphs show that ransomware is decreasing in volume. However, it is still
a dangerous threat.
Main actors of crypto-ransomware
Looking at the malware groups active in the period covered by this report, it appears that a
rather diverse list of suspects is responsible for most of the trouble caused by crypto-
ransomware. In the first period, 2016-2017, most of the attacks were from Locky, CryptXXX,
Zerber, Shade, Crusis, Cryrar, Snocry, Cryakl, Cryptodef, Onion and Spora – with these
threats attacking about a third of all crypto-ransomware victims during the period.
Fig. 3: Distribution of users attacked with different groups of encryption ransomware in 2016-2017
[Pie chart data, legend order: Locky 9%, CryptXXX 7%, Zerber 4%, Shade 2%, Crusis 2%, Cryrar 2%, Snocry 1%, Cryakl 2%, Cryptodef 2%, Onion 1%, Spora 1%, Other 67%]
A year later, the landscape looked different. The main change was the domination of WannaCry, with other ransomware leaders such as Locky, Zerber, and Shade retaining about the same share of victims.
[Pie chart data, legend order: Wanna 21%, Locky 6%, Zerber 6%, Purgen 4%, Jaff 3%, Shade 2%, Cryakl 2%, Cryrar 2%, Gen 2%, Spora 2%, Other 50%]
Fig. 4: Distribution of users attacked with different groups of encryption ransomware in 2017-2018
So what else changed? Well, the share of victims affected by the top ransomware actors grew from 33% to 50% (even though the number of attacks in this period was significantly lower than before). Thus, we can say that while the share grew, the numbers fell – making the landscape more centralized and less competitive.
Interestingly, the drop in the number of victims was not experienced by every ransomware
family – for instance, the number of internet users affected by Zerber and Shade remained
the same (40,000 and 20,000 respectively).
Geography
When analyzing the geography of attacked users, we always consider the fact that the numbers are influenced by the distribution of Kaspersky Lab’s customers around the world. That is why we use a special metric: the percentage of users attacked with ransomware as a proportion of users attacked with any kind of malware. In order to keep the statistics representative, the list of countries includes only regions with over 30,000 unique users of Kaspersky Lab products.
In 2016-2017, the list of countries with the highest share of users attacked with ransomware
was as follows:
Country  % of users attacked with ransomware out of all users encountering malware
Turkey 7.93%
Vietnam 7.52%
India 7.06%
Italy 6.62%
Bangladesh 6.25%
Japan 5.98%
Iran 5.86%
Spain 5.81%
Algeria 3.84%
China 3.78%
Fig. 5: The list of countries with the biggest share of users (each country has more than 30,000 unique users of Kaspersky Lab products) attacked with ransomware as a proportion of all users attacked with any kind of malware in 2016-2017
During this period, new countries, including Turkey, Bangladesh, Japan, Iran, and Spain,
entered the list. These changes could mean that attackers had switched to targeting
previously unaffected territories, where users are not as well-prepared for fighting
ransomware, and where competition among criminals is not so high.
One year later the landscape had changed again.
Country  % of users attacked with ransomware out of all users encountering malware
Thailand 9.57%
United Arab Emirates 8.67%
Iran 8.47%
Bangladesh 7.62%
Vietnam 6.17%
Saudi Arabia 5.45%
China 5.36%
India 4.28%
Algeria 3.59%
Turkey 3.22%
Fig. 6: The list of countries with the biggest share of users (each country has more than 30,000 unique users of Kaspersky Lab products) attacked with ransomware as a proportion of all users attacked with any kind of malware in 2017-2018
As we can see, the list looks very similar, including more or less the same regions. However,
it is worth noting that Turkey fell from first to tenth place, while Japan left the list entirely. This
was due to the decrease in Crusis and Locky activities. The UAE joined the ranking, taking
second place, while Iran hit the top three. Let’s take a closer look at how these states have
evolved in this time.
Country 2016-2017 2017-2018 Y-to-Y change (%)
Thailand 445,458 494,972 Up 11.1%
United Arab Emirates 423,627 401,580 Down 5.2%
Iran 701,540 757,491 Up 8%
Bangladesh 562,798 528,840 Down 6%
Vietnam 2,412,909 2,172,184 Down 10%
Saudi Arabia 671,923 650,465 Down 3.2%
China 974,045 992,610 Up 1.9%
India 4,147,085 3,880,599 Down 6.4%
Algeria 1,012,279 918,836 Down 9.2%
Turkey 982,417 954,711 Down 2.8%
Fig. 7: The year-on-year change in the number of users attacked with any type of ransomware
Interestingly, while these countries top the rankings in terms of the share of users attacked
with ransomware, out of all users encountering malware, if we look at absolute figures the
ranking would be different – states like Vietnam, India or Algeria have higher numbers of
attacks than others. Their percentages are more moderate due to the overall number of
malware detections.
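The share metric described in the Geography section, and its contrast with a ranking by absolute counts, can be reproduced with a short Python routine, added here as an example (not Kaspersky Lab's code). The country names and telemetry counts in it are constructed; yoy_change() formats year-on-year change the way Fig. 7 does, and the 30,000-user threshold is the one stated above.

```python
"""Share-of-malware-victims metric from the report's methodology (added
example, not Kaspersky Lab's code). For each country it divides the number of
users who met ransomware by the number who met any malware, drops countries
below the minimum-user threshold, and contrasts the resulting ranking with a
ranking by absolute counts. All telemetry figures below are constructed."""
from dataclasses import dataclass

MIN_USERS = 30_000  # representativeness threshold stated in the report


@dataclass(frozen=True)
class CountryStats:
    country: str
    product_users: int     # distinct users of the product in the country
    malware_users: int     # users who met any malware at least once
    ransom_users: int      # users who met ransomware at least once


def ransomware_share(s: CountryStats) -> float:
    """Percent of malware-affected users who also met ransomware."""
    if s.malware_users == 0:
        return 0.0
    return round(100.0 * s.ransom_users / s.malware_users, 2)


def rank_by_share(stats, min_users: int = MIN_USERS) -> list:
    """The ranking the report uses: share metric, small samples excluded."""
    eligible = [s for s in stats if s.product_users >= min_users]
    return sorted(((s.country, ransomware_share(s)) for s in eligible),
                  key=lambda item: item[1], reverse=True)


def rank_by_absolute(stats, min_users: int = MIN_USERS) -> list:
    """Naive ranking by raw victim count, which mostly tracks the size of
    the vendor's user base in each country."""
    eligible = [s for s in stats if s.product_users >= min_users]
    return sorted(((s.country, s.ransom_users) for s in eligible),
                  key=lambda item: item[1], reverse=True)


def yoy_change(prev: int, curr: int) -> str:
    """'Up 11.1%' / 'Down 5.2%' formatting like Fig. 7."""
    pct = 100.0 * (curr - prev) / prev
    return f"{'Up' if pct >= 0 else 'Down'} {abs(pct):.1f}%"


# Constructed sample: a large market with many malware detections, a small
# market where ransomware is a large slice, and one below the threshold.
SAMPLE = [
    CountryStats("Bigland", 2_000_000, 1_500_000, 60_000),
    CountryStats("Smallia", 60_000, 40_000, 3_600),
    CountryStats("Tinytopia", 12_000, 9_000, 1_800),
]

if __name__ == "__main__":
    print("by share:   ", rank_by_share(SAMPLE))      # Smallia first
    print("by absolute:", rank_by_absolute(SAMPLE))   # Bigland first
    print("Thailand:", yoy_change(445_458, 494_972))   # figures from Fig. 7
```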
According to our statistics, increases in China, Iran and Thailand were also fueled by the
activities of several families – in the case of China for example, WannaCry was a game
changer.
The numbers above highlight horizontal changes in the global ransomware landscape. But if we look deeper into the share of users attacked by Trojan-Ransom actors who also experienced an attack by encryption ransomware, the picture becomes slightly different.
Country  % of users attacked with encryption ransomware in 2016-2017  % of users attacked with encryption ransomware in 2017-2018
Thailand 3.43% 9.57%
United Arab Emirates 6.08% 8.67%
Iran 5.86% 8.47%
Bangladesh 6.25% 7.62%
Vietnam 7.52% 6.17%
Saudi Arabia 3.48% 5.45%
China 3.78% 5.36%
India 7.06% 4.28%
Algeria 3.84% 3.59%
Turkey 7.93% 3.22%
Other 44.77% 37.60%
Fig. 8: The year-on-year change in the share of users attacked with encryption ransomware as a proportion of users attacked with any kind of ransomware.
As we can see, the share in 2017-2018 is higher in most cases and explains why, for
example, Thailand, UAE, and Iran hit the top three countries in this period. At the same time,
the overall share of the top 10 countries did not change significantly – it grew slightly, by
around seven percentage points, amid an overall decrease in ransomware activities.
The above section clearly demonstrates that, while ransomware is slowing down across the
world, we can still see changes in its global geographic distribution. This obviously means
that users, especially in these affected countries, should be particularly cautious when
surfing the web.
Mobile ransomware
By 2017-2018 the number of users attacked with mobile ransomware had fallen by 22.5%,
from 130,232 in 2016-2017 to 100,868 in 2017-2018, accelerating the previous year’s trend,
when the pace decreased by 4.62% y-o-y.
However, despite this decline in the total number of users impacted, mobile ransomware
Trojans remain a serious threat, because they have become much more technically
advanced and more dangerous than before.
For instance, Trojan-Ransom.AndroidOS.Svpeng obtains administrator rights to the device, and whenever the user tries to revoke these, it blocks the screen of the smartphone and requires the user to enter their PIN code. If no PIN has been set, the device becomes inaccessible to the victim. In this case, the only way they can restore the device is by resetting it to its factory settings.
The broader timeline of mobile ransomware activities is interesting. Across the years, mobile ransomware has grown, leaving a lot of users defenseless. From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. The following year, the number had increased almost four-fold to 136,532 users. The first months of 2017 gave us a sign of possible further growth: mobile ransomware activity skyrocketed in early 2017 with 218,625 mobile Trojan-Ransomware installation packages – that is 3.5 times more than in the previous quarter.
[Line chart: users per month, April 2015 – April 2017; y-axis 0 to 35,000]
Fig. 9: The number of users encountering mobile ransomware at least once in the period April 2015 to March 2017
But then – well, you might be able to guess what happened next.
[Line chart: users per month, April 2017 – March 2018; y-axis 6,000 to 31,000]
Fig. 10: The number of users encountering mobile ransomware at least once in the period April 2017 to March 2018
That is what happened. The number decreased, reaching its minimum in the summer, following the same pattern as PC ransomware. Indeed, July 2017 became the worst month for ransomware success across the observed periods. This was mainly due to a decrease in the activity of all ransomware families we were monitoring within this period. Despite a slight relief in August, the trend remained the same – mobile ransomware activity is falling, reaching another low point in March 2017.
It is worth noting that the share of mobile users attacked with ransomware, as a proportion of
users attacked with any kind of malware, experienced some relief in the earlier period: it was
2.04% in 2014-2015, but grew to 4.63% in 2015-2016 and then dropped again to 2.78% in
2016-2017. The same trend was witnessed with PC ransomware, which means that the
overall volume of malware is growing faster than the ransomware attacks. The situation
changed in 2017-2018 with the share dropping to 0.65%. Clearly therefore, we are
witnessing an overall downturn in this cybercriminal landscape.
The geography of mobile ransomware differs significantly from that of PC ransomware. With
mobile ransomware in the 2016-2017 period, the list of countries includes regions with over
2,500 unique users of Kaspersky Lab products.
Country  % of users attacked with ransomware out of all users encountering malware
United States 18.65%
Canada 17.97%
Germany 15.46%
United Kingdom 13.37%
Italy 11.87%
Kazakhstan 6.78%
Spain 6.35%
Mexico 5.85%
Ukraine 1.96%
Russian Federation 0.88%
Fig. 11: Top 10 countries with the highest percentage of mobile users
attacked with Trojan-Ransom malware, as a proportion of users attacked
with any kind of mobile malware (each country has more than 2,500 unique
users of Kaspersky Lab products for Android devices). Period: April 2016 –
March 2017.
The United States took first place, followed by Canada and Germany. At the same time,
Russia took the lowest position in the ranking, something which could be explained by the
simultaneous growth of overall malware attacks, combined with a decline in ransomware
attacks in the region.
The next period looked different – due to the downturn, we even had to increase the
minimum number of unique users of Kaspersky Lab products to 10,000. Moreover, the
highest share fell from 18.65% to 1.64%.
Country  % of users attacked with mobile ransomware out of all users encountering malware
United States 1.64%
Kazakhstan 1.60%
Belgium 1.16%
Italy 1.10%
Poland 1.03%
Romania 0.78%
Mexico 0.70%
Ireland 0.68%
Germany 0.66%
China 0.66%
Fig. 12: Top 10 countries with the highest percentage of mobile users
attacked with Trojan-Ransom malware, as a proportion of users attacked
with any kind of mobile malware (each country has more than 10,000
unique users of Kaspersky Lab products for Android devices). Period: April
2017 – March 2018.
While the United States retained its leading position, Kazakhstan and Germany shifted up
the ranks, hitting the top three. Russia left the ranking, being replaced by China on almost
the same terms – with a share at the level of 0.66%.
The main issue, however, remained the same – despite the overall slowdown and downturn
in mobile malware, this threat continues to target developed or large developing markets.
The reasons for this are simple: they not only have a higher level of income, but also a more
advanced and more widely used mobile and e-payment infrastructure. You can find more
details about this trend in a previous report.
The main mobile ransomware actors
In 2016-2017, users of our products encountered the following mobile ransomware families
the most:
[Pie chart data, legend order: SMALL 14%, Svpeng 14%, Fusob 65%, Egat 6%, Other 1%]
Fig. 13: The distribution of the share of attacked users between the most active mobile ransomware families in 2016-2017.
The ‘other’ section dropped significantly, from 22% in 2015-2016 to just 1%, mainly due to the expansion of the Fusob family (from 47% to 65%) and the return of Svpeng activity (from 1% to 14%). Together with SMALL, these were the most active families in the previous period.
One year on, the distribution looked like this:
[Pie chart data, legend order: Zebt 48%, Svpeng 39%, SMALL 10%, Other 3%]
Fig. 14: The distribution of the share of attacked users between the most active mobile ransomware families in 2017-2018.
As you can see, SMALL and Svpeng continue to consolidate their dominance across the
mobile ransomware landscape – the number of most active actors has decreased from four
to three, while the ‘other’ section has stayed at the minimum level. The new entry is Zebt, a
fairly simple Trojan whose main goal is to block a device with its window and demand a
ransom. Zebt tends to attack users in Europe and Mexico and we have covered its activities
here and here. Zebt became the most widespread mobile ransomware in Q1 — when it was
encountered by more than half of all users.
In summary, while mobile ransomware has decreased, it has also demonstrated the same
trends as the year before – it has focused on wealthy countries and a few families have
monopolized the market. This means that the actors behind them are disciplined, focused,
and take a targeted approach to making their money.
Game changer – how cryptocurrency miners beat them all
We have discussed the status quo of ransomware in the past 12 months and found that this
type of malware, and the authors behind it, are either losing interest (and are looking for new
ways to make money), or they are using ransomware for other purposes (such as data
destruction at important companies in a range of sectors). But if ransomware no longer
wears the threat crown, what is the new king?
Cryptocurrency has become a hot topic in recent years, becoming more lucrative, and
attracting more and more admirers around the world. With these credentials, cybercriminals
couldn’t ignore cryptocurrency – and even in the age of ransomware, most ransoms were
demanded in cryptocurrency (such as anonymous and unregulated Bitcoins). It was just a
matter of time before miners came on the threat scene.
Miners are a discreet and modest way to make money by exploiting users, and are a far cry
from the noisy and very noticeable encryption of victim devices. Instead of the large one-off
payout achieved with ransomware, cybercriminals employing mining as a tactic can benefit
from an inconspicuous, stable and continuous flow of funds.
Moreover, although there are groups of people who hoodwink unwitting users into installing
mining software on their computers, or who exploit software vulnerabilities to do so, mining is
legal. It simply results in threat actors receiving cryptocurrency, while their victims’ computer
systems experience a dramatic slowdown.
In 2017 we started seeing botnets designed to profit from concealed cryptomining, and
attempts to install miners on servers owned by organizations. When these attempts are
successful, business processes suffer at victim companies, because data processing speeds
fall substantially.
Part 1. PC miners
The number of victims is key here – the more victims you have, the more money you are
able to mine at their expense. The growth in this number is something we have already seen
and reported on.
It is clear that the number of users that have encountered cryptocurrency miners has
increased dramatically in recent years – from around 205,000 in 2013 to over 700,000 in
2014. The years that followed were marked with spikes in cryptocurrency, and the price of
Bitcoin and Altcoins, for example, continuously beat records throughout 2017.
As a result, by the end of 2017, 2.7 million users had been attacked by malicious miners –
this is almost 1.5 times more than in 2016 (when the figure was 1.87 million). Let’s have a
closer look:
[Line chart: users per month, April 2016 – March 2017; y-axis 330,000 to 420,000]
Fig. 15: The number of users encountering miners at least once in the period from April 2016 to March 2017.
The true spike in mining started in summer 2016, and the increase became more and more steady, resulting in over 400,000 hits a month, while fluctuating with cryptocurrency prices. Monero, for instance, increased its price several times in approximately the same period of time.
A year later, the situation remained the same, but on steroids, with the number of hits exceeding not 400,000 but 600,000 per month.
[Line chart: users per month, April 2017 – March 2018; y-axis 400,000 to 650,000]
Fig. 16: The number of users encountering miners at least once in the period from April 2017 to March 2018.
The above pattern also heavily matches cryptocurrency prices – Bitcoin and Monero peaked in December, then fell, leading to a reduction in mining activities.
Let’s now have a look at the other side of the battle – where users suffer from reduced data processing speeds. Let’s first evaluate the 2016-2017 timeline:
Country  % of users attacked with miners out of all users encountering malware
Afghanistan 27.28%
Ethiopia 25.29%
Uzbekistan 24.57%
Tajikistan 22.34%
Zambia 20.79%
Turkmenistan 19.71%
Kazakhstan 16.36%
Mozambique 15.05%
Tanzania 12.21%
Kyrgyzstan 9.77%
Fig. 17: The list of countries with the biggest share of users (each country has more than 30,000 unique users of Kaspersky Lab products) attacked with miners as a proportion of all users attacked with any kind of malware in 2016-2017.
This list differs from the one about PC ransomware in the same period – it does not feature
any developed markets. The authors behind miners tend to focus on developing markets
instead, as proven by the fact that Afghanistan, Ethiopia, and Uzbekistan are in the top three.
A year later, the landscape had changed:
Country  % of users attacked with miners out of all users encountering malware
Ethiopia 31%
Afghanistan 29%
Turkmenistan 24%
Tajikistan 21%
Mozambique 19%
Uzbekistan 18%
Zambia 18%
Kazakhstan 17%
Tanzania 15%
Kyrgyzstan 12%
Fig. 18: The list of countries with the biggest share of users (each country has more than 30,000 unique users of Kaspersky Lab products) attacked with miners as a proportion of all users attacked with any kind of malware in 2017-2018.
As we can see, the changes are not significant, yet they strongly differ from the PC
ransomware trends in the same period. This could be due to the fact that people from
developing markets are not so eager to pay a ransom.
Comparing the evolution of the threat across these countries, in the 24-month period, can
provide us with a better understanding of global mining trends.
Country 2016-2017 2017-2018 Y-to-Y change (%)
Ethiopia 14,184 18,646 Up 31.46%
Afghanistan 24,214 24,744 Up 2.19%
Turkmenistan 6,614 8,600 Up 30.03%
Tajikistan 8,345 8,335 Down 0.12%
Mozambique 13,154 15,380 Up 16.92%
Uzbekistan 23,950 21,301 Down 11.06%
Zambia 10,897 9,254 Down 15.08%
Kazakhstan 109,524 125,001 Up 14.13%
Tanzania 22,236 26,648 Up 19.84%
Kyrgyzstan 4,037 5,233 Up 29.63%
Fig. 19: The year-on-year change in the number of users attacked with miners.
We have compared the percentage of miners detected in these countries, against the
number of risk tool detections (including other risks such as adware). This enables us to
understand how and where cybercriminals are making their money nowadays. As we can
see, the list is more or less the same:
Country  % of users attacked with riskware out of all users encountering malware
Ethiopia 57%
Afghanistan 44%
Turkmenistan 42%
Tajikistan 42%
Mozambique 35%
Uzbekistan 31%
Zambia 30%
Kazakhstan 26%
Tanzania 25%
Kyrgyzstan 21%
Fig. 20: The list of countries with the biggest share of users (each country has more than 30,000 unique users of Kaspersky Lab products) attacked with risk tools as a proportion of all users attacked with any kind of malware in 2017-2018.
A comparison with riskware instead of malware shows us the same ranking, but with higher rates. While it is clear that miners belong in the riskware category, this is an interesting subject for speculation. We will return to it later in the mobile section of this report.
Part 2. Mobile miners
The number of users attacked with mobile miners has also experienced growth – but at a
steadier pace, growing by 9.5%, from 4,505 in 2016-2017 to 4,931 in 2017-2018.
Overall, the timeline for the two-year period looks like this:
[Line chart: users per month, April 2016 – March 2018; y-axis 0 to 1,600]
Fig. 21: The number of users encountering mobile miners at least once in the period from April 2016 to March 2018.
Like PC miners, mobile miners increased in the summer of 2016, yet their growth was less steady and at a lower rate.
It is also interesting to look at the same timeline with malware and riskware.
[Line chart: users per month, April 2016 – March 2018; y-axis 0 to 3,000; series: Miners, Riskware]
Fig. 22: The number of users encountering miners and riskware at least once in the period from April 2016 to March 2018.
As we can see, the riskware and miner patterns are almost identical. However, let’s have a look at how this corresponds with malware trends – at least during the second period.
[Line chart: users per month, April 2017 – March 2018; y-axis 0 to 3,500; series: Malware, Riskware]
Fig. 23: The number of users encountering malware and riskware at least once in the period from April 2017 to March 2018.
They also follow the same trend. Apparently, amid the decrease in ransomware and the increase in mining, riskware is dominating malware and is now setting the rules of the game, affecting the presented timeline.
Just as with PC miners, let’s have a deeper look at the geographic distribution to find out where cybercriminals are focusing their mining efforts. In 2016-2017 the list looked like this:
Country  % of users attacked with mobile miners out of all users encountering malware
Venezuela 0.14%
Myanmar 0.1%
Nepal 0.1%
Indonesia 0.09%
Philippines 0.09%
Cambodia 0.08%
Nigeria 0.08%
Kyrgyzstan 0.07%
Macedonia 0.07%
Yemen 0.07%
Fig. 24: Top 10 countries with the highest percentage of mobile users
attacked with mobile miners, as a proportion of users attacked with any kind
of mobile malware (each country has more than 10,000 unique users of
Kaspersky Lab products for Android devices). Period: April 2016 – March
2017.
Unlike ransomware, mobile miners tend to target developing markets like Venezuela,
Myanmar and Nepal, which made up the top three in 2016-2017. A year later, the pattern
had not changed but the list had:
Country  % of users attacked with mobile miners out of all users encountering malware
Venezuela 0.45%
Nepal 0.31%
Turkmenistan 0.24%
China 0.16%
Bolivia 0.15%
Philippines 0.15%
Malaysia 0.09%
Pakistan 0.08%
Vietnam 0.08%
Bangladesh 0.08%
Indonesia 0.08%
Moldova 0.08%
Fig. 25: Top 10 countries with the highest percentage of mobile users attacked with mobile miners as a proportion of users attacked with any kind of mobile malware (each country has more than 10,000 unique users of Kaspersky Lab products for Android devices). Period: April 2017 – March 2018.
Venezuela again topped the ranking, followed by Nepal and Turkmenistan. While all the
countries presented can be considered as developing, the size of the Chinese market,
ranked fourth, is worrisome here – mainly due to the number of potential victims.
Country 2016-2017 2017-2018 Y-to-Y change %
Venezuela 44 118 Up 168.18%
Nepal 34 90 Up 164.71%
Turkmenistan 13 41 Up 215.38%
China 8 111 Up 1287.5%
Bolivia 10 33 Up 230%
Philippines 135 196 Up 45.19%
Malaysia 79 167 Up 111.39%
Pakistan 16 29 Up 81.25%
Vietnam 58 73 Up 25.86%
Bangladesh 51 79 Up 54.90%
Indonesia 303 217 Down 28.38%
Moldova 14 28 Up 100%
Fig. 26: The year-on-year change in the number of users attacked with mobile miners.
The figures above suggest that the mining threat may come from China, as this region
demonstrates an increase of 1287.5%.
Both percentages and absolute figures show us that mobile mining is an emerging threat,
targeting developing countries. It is still a comparatively small one, because cybercriminals
tend to choose PCs as a target: a PC provides much more processing power than a mobile
device. At first glance, then, it may seem that mobile miners are not worth considering.
However, overall growth rates indicate that we should still monitor mobile mining carefully.
Moreover, our studies show that mining capabilities are often included in the list of features
of many popular malware families – as an added value, and as one more way for criminals to
make money at the user’s expense. This was certainly the case with the infamous Loapi – an
intriguing malware with multiple modules, which allowed for an almost endless number of
malicious features - from cryptocurrency mining to DDoS attacks.
There has also been an interesting twist: tests on one randomly selected mobile phone
demonstrated that Loapi malware creates such a heavy workload on an infected device that
it even heats it up, and can deform its battery. Apparently, the malware’s authors didn’t really
want this to happen, as they are hungry for as much money as they can get by keeping the
malware running! But their lack of attention to the malware’s optimization has led to this
unexpected physical ‘attack vector’ and possibly serious damage to user devices.
Part 3. Between black and white: are risk tools replacing malware?
Well, mining is now beginning to eclipse ransomware as a way for cybercriminals to make
money illegally. Just like in other industries, the numbers tell the stories best. Falling off the
radar, ransomware has become a rather typical infection vector once again. It has now been
abandoned by commercial cybercriminals but embraced by sophisticated actors instead. It is
a noisy way to make money out of victims - it attracts a lot of media and state attention. It
looks like criminals increasingly think ransomware is not worth the trouble.
So how can cybercriminals make illegal money, in a discreet and stable way, and with lower
risks? Apart from malware, there are a lot of ways to make money – through various risk
tools, adware, and cryptocurrency mining. The numbers have proven this; let’s now try to
understand the particular reasons behind mining’s popularity.
1) There is a simple monetization model
While victims have no obligation to actually pay a ransomware ransom, and can wait until a
successful decryption tool is available, the mining model is easier and more stable: you
attack your victims, mine cryptocurrency using their CPU or GPU power, and then earn real
money through legal exchanges and transactions.
Fig. 27: The mining monetization process.
The two currencies most often used in concealed mining are monero (XMR) and zcash.
These two ensure the anonymity of transactions, which is very handy for threat actors.
According to the most conservative estimates, the mining network can generate anything up
to $30,000 a month for its owners.
Fig. 28: The wallet of a mining botnet.
2) Its discreet nature
Again, unlike with ransomware, it is very hard for anybody to tell whether they have been
infected by miners or not, due to their specific nature and operating principles. Most people
seldom use most of their computer’s processing power, and miners harness the 70 to 80
percent that is not being used for anything else. Moreover, some miners have special
functions to reduce mining capacity or to cancel the process if another resource-demanding
program (for example, a videogame) is launched.
Often, a crypto-miner comes with extra services to maintain its presence within the system,
such as automatically launching every time the computer is switched on, and operating
without the user’s knowledge.
These services can, for example:
• Try to turn off security software;
• Track all application launches, and suspend their own activities if a program is started
that monitors system activities or running processes;
• Ensure a copy of the mining software is always present on the hard drive, and restore
it if it is deleted.
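The behaviours listed above are also what a defender can look for. As an added example (not code from the report), the following script runs a simple check over constructed process-sampling lines: it flags processes that use most of the otherwise idle CPU across samples and notes whether they go quiet whenever a monitoring tool is running; the monitoring tool names and the 50% threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample (not real telemetry), one line per sampling interval.
# xmr-helper.exe plays the concealed miner: it burns idle CPU, throttles
# while game.exe runs, and stops completely when taskmgr.exe appears.
SAMPLE_LOG = """\
1 svchost.exe=2 xmr-helper.exe=78
2 svchost.exe=3 xmr-helper.exe=81
3 svchost.exe=2 game.exe=85 xmr-helper.exe=4
4 svchost.exe=2 game.exe=88 xmr-helper.exe=3
5 svchost.exe=2 game.exe=90 xmr-helper.exe=5
6 svchost.exe=3 xmr-helper.exe=79
7 svchost.exe=2 taskmgr.exe=1 xmr-helper.exe=0
8 svchost.exe=2 xmr-helper.exe=80
"""
MONITOR_TOOLS = {"taskmgr.exe", "procmon.exe", "procexp.exe"}  # assumed tool names
HIGH_CPU = 50.0  # percent; assumed threshold for "using the idle 70-80% of CPU"


def parse_samples(log):
    """Return one {process: cpu_percent} dict per sampling interval."""
    samples = []
    for line in log.splitlines():
        fields = line.split()
        if fields:  # fields[0] is the sample number, the rest are name=cpu
            pairs = (f.rsplit("=", 1) for f in fields[1:])
            samples.append({name: float(cpu) for name, cpu in pairs})
    return samples


def find_miner_like(samples, high_cpu=HIGH_CPU, min_share=0.5, min_samples=3):
    """Flag processes that hog CPU in at least min_share of the samples taken
    while no monitoring tool runs, and note whether they go idle when one does."""
    seen = defaultdict(list)  # process -> [(cpu, monitor_running)]
    for procs in samples:
        watched = any(tool in procs for tool in MONITOR_TOOLS)
        for name, cpu in procs.items():
            if name not in MONITOR_TOOLS:
                seen[name].append((cpu, watched))
    findings = {}
    for name, obs in seen.items():
        unwatched = [cpu for cpu, w in obs if not w]
        watched_cpu = [cpu for cpu, w in obs if w]
        if len(unwatched) < min_samples:
            continue
        if sum(cpu >= high_cpu for cpu in unwatched) / len(unwatched) >= min_share:
            # the "suspend when watched" trick: busy unwatched, near-idle under a monitor
            hides = bool(watched_cpu) and max(watched_cpu) < high_cpu / 10
            findings[name] = {"sustained_cpu": True, "hides_from_monitor": hides}
    return findings
```

The game is also flagged for sustained CPU use, but only the miner shows the "hides from monitor" pattern, which is the signal worth triaging first.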
3) It is now very easy to make your own miner
Those interested can get everything that they need:
• Ready to use partner programs
• Open mining pools
• Multiple miner-builders
As a result, crypto-miners are installed, on the computers of consumers and businesses
alike, alongside adware, cracked games, and pirated content. It’s becoming easy for
cybercriminals to create miners because of ready-to-use partner programs, open mining
pools and miner-builders. Another method is web mining, where cybercriminals insert a
script into a compromised website that mines cryptocurrencies while the victim browses the
site. Some other criminal groups are more selective, using exploits to install miners on the
servers of large companies, rather than trying to infect lots of individuals. Some of the ways
cybercriminals install malicious miners in the networks of their corporate victims are very
sophisticated, resembling the methods of APT attackers.
Like ransomware did some time ago, miner authors could also shift to targeted attacks to
make more money. It will be interesting to see if this happens.
PS. Stay alert to miners’ propagation methods
Last but not least, it is worth discussing the propagation methods of miners. The main way
miners spread is via social engineering.
Fig. 29: Advert for a mining builder in a telegram channel advertising opportunities to earn
money online.
Usually, threat actors collaborate with potentially unwanted application (PUA) partner
programs to spread miners. However, some small criminal groups try to spread malware by
using different social engineering tricks, such as fake lotteries. In these cases, potential
victims need to download a ‘random number generator’ from a file-sharing service, and run
it on their PC to participate. It is a simple trick, but a very productive one.
Another popular method is web-mining through a special script executed in the victim’s
browser. For example, in 2017 our security solutions stopped the launch of web miners on
more than 70 million occasions. The most popular script used by cybercriminals is Coinhive,
and most cases of its use in the wild are websites with a lot of traffic. The longer the user
session on those sites, the more money the site’s owner earned from mining. Major incidents
involving Coinhive include hacked web pages, such as the Pirate Bay case, YouTube ads or
the UFC fight pass mining incident. However, other examples of its legal use are also known.
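One way to check a page for a Coinhive-style browser miner, as an added example rather than anything from the report: a scanner over the page’s script tags that flags the Coinhive library host and the `CoinHive.Anonymous` / `CoinHive.User` constructors that service’s public API exposed (both taken as assumptions from its documentation), run here on a constructed page that also carries an ordinary analytics script which must not be flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators: the Coinhive library host and its documented constructors.
MINER_SCRIPT_HOSTS = {"coinhive.com"}
INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")

# Constructed page (not a real site): one external include, one inline start, one benign script.
SAMPLE_PAGE = """<html><head><title>constructed test page</title>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
<script src="https://cdn.example.com/analytics.js"></script>
</head><body>hello</body></html>"""


class MinerScriptScanner(HTMLParser):
    """Record script tags whose src host or inline body matches the indicators."""
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._in_script = False
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host and any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS):
            self.findings.append(("external", src))

    def handle_data(self, data):
        if self._in_script:     # HTMLParser hands script bodies over as raw data
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._body)
            for marker in INLINE_MARKERS:
                if marker in body:
                    self.findings.append(("inline", marker))
            self._in_script, self._body = False, []


def scan_html(html):
    """Return the miner indicators found in an HTML document."""
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```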
There are other groups that do not need to spread miners to many people. Instead, their
targets are powerful servers in big companies. For instance, Wannamine spread in internal
networks using an EternalBlue exploit, and earned nine thousand Monero this way (approx.
two million dollars). However, the first miner that used the EternalBlue exploit was Adylkuzz.
In previous research we have also described another miner family – Winder – that has used
an extra service to restore a miner when it was being deleted by an AV product. This botnet
earned half a million dollars.
Conclusions and predictions
This report confirms what we predicted earlier:
Ransomware
While ransomware activities are falling across the globe, they still pose a threat, and should
be treated as such. PC ransomware is used in powerful, sophisticated, and destructive
attacks. 2017 was, after all, a tough year in terms of destructive attacks. The
ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a
cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’
attacks, in which there was little chance for the victims to recover their data; as the threats
were all cleverly masked ‘wipers as ransomware’. We don’t think this trend will change
anytime soon.
Actors behind mobile ransomware are, at the same time, still targeting wealthy nations and
are capitalizing on the markets of their choice. In parallel, they have increased consolidation
– with a few actors now dominating the market. This trend has been witnessed for two years
in a row, and we expect it will continue.
Miners
As discussed, while ransomware has provided a potentially large but one-off income for its
cybercriminals, miners will provide a lower, but longer lasting one. Last year we asked what
tips the scales for cybercriminals? Today, this is no longer a question. Miners will keep
spreading across the globe, attracting more people.
It is highly likely that the additional growth of mining will come from mobile
miners. For now, they are growing, but at a very steady pace. However, once criminals find a
technological solution that makes the profits from mining on mobile devices equivalent to
those from mining on PCs, mobile mining will quickly become equal. Particularly worrying
here is that some of the criminals’ key target geographies – China and India – account for
around a third of all smartphones in the world. The population of these countries will
therefore be particularly vulnerable if smartphone mining really takes off.
The number of targeted attacks on businesses, for the purpose of installing miners, raises
questions about whether mining might eventually follow in the footsteps of ransomware
actors. Big money loves silence, and if miner actors attract as much attention to themselves
as ransomware did, life will get complicated for them.
Fighting back
Standing up to ransomware and miners – how to stay safe
1. Treat email attachments, or messages from people you don’t know, with caution. If in
doubt, don’t open them.
2. Back up data regularly.
3. Always keep software updated on all the devices you use. To prevent miners and
ransomware from exploiting vulnerabilities, use tools that can automatically detect
vulnerabilities and download and install patches.
4. For personal devices, use a reliable consumer security solution and remember to
keep key features – such as System Watcher – switched on.
5. If you’re a business, enhance your preferred third party security solution with
Kaspersky Lab’s free anti-ransomware tool (see below for more information).
6. For superior protection use an endpoint security solution that is powered by behavior
detection and able to roll back malicious actions.
7. Carry out regular security audits of your corporate network for anomalies.
8. Don’t overlook less obvious targets, such as queue management systems, POS
terminals, and even vending machines. As the miner that relied on the EternalBlue
exploit shows, such equipment can also be hijacked to mine cryptocurrency.
9. Use application control to track malicious activity in legitimate applications.
Specialized devices should be in Default Deny mode. Use a dedicated security
solution, such as Kaspersky Endpoint Security for Business, which includes these
functions.
10. To protect the corporate environment, educate your employees and IT teams, keep
sensitive data separate, restrict access, and always back up everything.
11. Last, but not least, remember that ransomware is a criminal offence. You shouldn’t
pay. If you become a victim, report it to your local law enforcement agency.
Improve your protection level for free
Kaspersky Lab has recently launched a new version of its free Kaspersky Anti-Ransomware
Tool. The solution is designed to protect your business data, in real time, from ransomware
encryption and from cryptominers that may be unknowingly downloaded and run on PCs. It works
alongside your current vendor’s security applications to detect and block existing, new and
unknown malware. By using the latest behavioral detection technologies, the tool can
significantly boost your overall protection levels, keeping you safe from all ransomware
threats. To see how it can strengthen your defenses, install it now.