Cryptomining malware has grown by more than 4,000% in the past year, while ransomware is set to decline as cybercriminals make the switch to different activities.
But cybercriminals are becoming more effective: the GandCrab ransomware family is more active and is being combined with other cybercrime tools, such as exploit kits, to produce a big wave of attacks.
Cryptomining boom continues
McAfee describes cryptomining malware as “one of the big stories of 2018”.
It says, “Coin miner malware hijacks systems to create (‘mine’) cryptocurrency without victims’ consent or awareness.”
In its report, McAfee describes security researcher Remco Verhoef discovering a Mac OS threat, distributed in cryptomining chat groups, that uses a simple method of exploitation.
Messages on Slack, Telegram and Discord channels gave users a software download to fix crypto problems, with the fake software executing with a single line.
Users then effectively infected their own devices and gave the attacker access to the compromised system.
McAfee also reported that the open-source media player Kodi served a modified add-on that delivered cryptominer malware in an operation that started in 2017.
Cybercriminals have also benefitted from the lack of proper security controls in routers and IoT devices like IP cameras and video recorders.
The thieves put volume ahead of CPU speed: if they gain control of many devices over a long time, they can still make substantial sums.
Ransomware in decline
There has been a fall in the number of unique ransomware families during recent months, even though ransomware, the software that threatens to publish victims’ data or perpetually block access unless a ransom is paid, has stayed active.
The surge in cryptomining is probably linked to this decline, with McAfee suggesting that ransomware actors are switching to the more lucrative business model.
In spite of this switch, one of the most active ransomware families in the third quarter was GandCrab.
Many versions of GandCrab appeared as its developers worked to stay ahead of responses from security teams.
The biggest change McAfee saw was an increase in the size of the ransom payment demanded, with GandCrab Version 5 telling the victim to pay $2,400, where past versions required $1,000.
McAfee also noticed that Version 5, like previous versions, did not infect Russian users, and that the ransom payment and decryption site is on the dark web.
Dark web markets
Device-to-cloud cybersecurity firm McAfee also reported that the aftermath of underground market takedowns was still being felt in the third quarter of 2018, but that other underground markets have been at work filling the gaps.
The takedown of Hansa and AlphaBay dark web markets in 2017 is still having an effect, but Dream Market and Wall Street Market have taken their place, says McAfee.
A third market, Olympus Market, was on its way to the top of the scene but disappeared in the third quarter.
McAfee reports speculation that this was an exit scheme designed to steal money from vendors and customers.
The McAfee Advanced Threat Research team also noticed a change in dark web platforms, with several sellers moving away from large markets and opening their own marketplaces.
The team suggests, “They hope to fly under the radar of law enforcement and build a trusted relationship with their customers without the fear of a quick exit by the market owners.”
It added, “Stolen digital data, which drives much of the profits, will continue to be a key motivator. As long as there are markets, we must secure our data.”