Report: Cybercrime climate
shifts dramatically in first quarter
By Malwarebytes Team
April 18, 2017
The first quarter of 2017 brought with it some significant changes to the threat landscape, and we aren’t talking about heavy ransomware distribution either. Threats which were previously believed to be serious contenders this year have nearly vanished entirely, while new threats and infection techniques have forced the security community to reconsider collection and analysis efforts.
Download full report here.
In our second Cybercrime Tactics & Techniques report (read the first one), we take a deep look at the threats that got our attention the most during the first three months of the year, what we expect to happen moving through the next quarter, and a behind-the-scenes interview with one of our Malwarebytes Labs
Here is a sneak peek at what we are going to cover:
- Cerber ransomware took over as the top dog in distribution and market share.
- Locky ransomware has dropped off the map, likely due to a change desired by the controllers of the Necurs spam botnet; however, with no new Locky versions developed since before the beginning of the year, the fate of its creators is unknown.
- The Mac threat landscape saw a surge of new malware and backdoors in Q1 2017, including a new Mac ransomware (FindZip).
- On the Android side, two notable malware families have been causing a lot of trouble: HiddenAds.lck, which locks the device so that the app cannot be removed, generating more advertisement revenue for its creators, and Jisut, a mobile ransomware family that has been spreading like wildfire.
- In the exploit kit world, RIG continues to have the greatest market share of the few exploit kits that are still active, and we expect this to continue. RIG exploit kit remains on top mainly due to its lack of competition rather than its technical
- Malicious spam campaigns have also started utilizing password-protected zipped files and protected Office documents to evade the automated analysis sandboxes used by security researchers.
- In social media scams, users were bombarded with links to WWE nude photo dumps that led to gift card survey scams.
- Tech support scammers, finding it difficult to work with North American payment processors, have begun accepting alternate forms of payment, such as Apple gift cards and bitcoin.
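As an added example (not from the report or from Malwarebytes), a Python triage check of the kind a mail gateway could apply to the attachments described in the spam bullet above: it flags ZIP archives whose entries carry the encrypted flag, and OOXML-named files (.docx and friends) that are actually OLE containers, which is the form a password-protected Office document takes. The sample attachments are constructed inside the code, and all function and file names are assumptions.

```python
import io
import zipfile

# An OOXML name whose bytes start with the OLE compound-file magic is usually a
# password-protected document: the encrypted package is wrapped in an OLE
# container instead of the plain ZIP container an unprotected .docx uses.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any ZIP entry sets general-purpose flag bit 0 (entry encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for sandbox routing; 'ok' means no evasion sign seen."""
    name = filename.lower()
    if data.startswith(b"PK\x03\x04") and zip_has_encrypted_entries(data):
        return "password-protected zip"
    if name.endswith(OOXML_EXTS) and data.startswith(OLE_MAGIC):
        return "encrypted office document"
    return "ok"


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file ZIP; optionally sets the 'encrypted' flag bit
    in the local and central headers (the content itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed stand-in, not a real payload\n")
    data = bytearray(buf.getvalue())
    if encrypted:  # flag offset is 6 in the local header, 8 in the central one
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x1
    return bytes(data)


def make_sample_ole() -> bytes:
    """Constructed sample: OLE magic plus padding, to be named as a .docx."""
    return OLE_MAGIC + b"\x00" * 504


if __name__ == "__main__":
    for name, blob in [("report.zip", make_sample_zip(False)),
                       ("report.zip", make_sample_zip(True)),
                       ("order.docx", make_sample_ole())]:
        print(name, "->", triage_attachment(name, blob))
```

A hit only means the attachment cannot be opened by an unattended sandbox as-is; the password in the mail body or the sender's history decides what to do next.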
Looking ahead to the second quarter of the year:
- We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments in the malware design and its continued use of the ransomware as a service (RaaS) model.
- As far as Cerber losing its crown, it is unlikely within the next quarter that any competitor will rise in market share enough to dethrone Cerber, barring something happening to the developers of Cerber and their ability to develop and distribute the
- The continued heavy development of Mac malware throughout Q2 is highly likely.
- The Android ransomware Jisut is expected to continue its trend of high distribution and spread. We predict the same for HiddenAds.lck.
- Distribution mechanisms are likely to develop new features and functionality, be it through social engineering tactics utilized by exploit kits and malicious spam or from the discovery of new exploits, potentially revitalizing the exploit kit market.
- Finally, in the world of scams, we expect to see an uptick in ‘exit scams’ and in tech support scammers utilizing social media advertising to scam each other. At the same time, we predict increased collaboration between PUPs and tech support scammers (TSS) through tech support scammer advertisements being pushed alongside potentially unwanted programs.