(Below is an excerpt from a new paper published by Brandon Levene today. Read the full paper here)
Executive Summary
Chronicle researchers conducted an investigation into the evolution of crimeware from 2013 through 2018. They concluded that crimeware, traditionally considered a “commodity threat,” has evolved into a highly lucrative business as criminals constantly improve their techniques while law enforcement activity grows increasingly ineffectual. Attackers and defenders are entrenched in a longstanding game of cat and mouse, which has produced a rapid expansion of the crimeware threat landscape and growing sophistication in both attacks and malware infrastructure. This research examines the rise of financially motivated malware and the impact of attempted countermeasures.
The report details the emergence and growth of banking trojans, ransomware, infostealers and cryptomining malware, and the impact of a wide variety of crimeware families including GameOver Zeus, Cryptolocker, Dridex, Dyre, Trickbot and Ramnit, as well as attacks including the targeted attacks on the SWIFT messaging network, the Mirai botnet, the WannaCry ransomware outbreak, and others.
Key findings from the investigations include:
- Crimeware risk is underestimated — Misconceptions around the severity of risk from financially motivated threat actors have hobbled enterprise defense efforts. Losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs. The ability of crimeware to disrupt businesses is tremendous, and if defensive efforts are not increased, there will be attacks greater in impact, scale and cost.
- Crimeware growth is enduring — Instances of crimeware have grown steadily, year over year. The prevalence and frequency of crimeware has desensitized security teams and crimeware fatigue is a threat to organizations. As a result, crimeware poses a more likely business impact threat than sophisticated attacks.
- Sophistication arose from the opportunity granted by volume — Deploying crimeware is inexpensive and low-effort for financially-motivated actors. As a result, attackers have optimized for volume and speed. High volumes of broadly-cast attacks over time enabled financially motivated adversaries to optimize attack campaigns towards the most lucrative targets. Increased operationalization and strategy has resulted in increasingly sophisticated and targeted crimeware.
- The efficacy of law enforcement efforts decreases over time — Financially motivated actors’ ability to adapt to countermeasures outpaces the ability of traditional law enforcement to find and prosecute criminals. Financially motivated actors model risk based on law enforcement efforts and adapt attack techniques based on profit. Because time, geographical and other factors limit law enforcement efforts, crimeware operations have more time to adapt, making crimeware progressively more detrimental.
- Crimeware is a business. Threat actors model their workflow and operate using traditional enterprise workplace standards in order to achieve maximum profit. For example, the push towards consolidation and “crimeware-as-a-service” demonstrates an ability to scale profitable enterprises while leveraging new infection methods. Typically within a three-month period, cybercriminals are able to rapidly shift their toolsets to align with prime money making opportunities. For example:
- Cryptomining as an operation — The bull market run of cryptocurrencies, as best mapped by the Bitcoin Index, reached its peak at the end of 2017 and began to crash by February of 2018. Following this trend, cryptominer activity dropped by more than 50% over the course of the year. The correlation between spikes in the Bitcoin Index and popularity of miners demonstrates that criminals viewed cryptocurrency as a fertile business opportunity.
- Corporations as targets — As threat groups increased attack sophistication, organized criminal groups that initially targeted consumers switched to deploying new tactics to compromise corporate victims.
Crimeware is a cornerstone of financially motivated threat actors’ toolsets and sees consistent and continuous evolution in its operation. Crimeware developers have demonstrated resilience in the face of an evolving security landscape and law enforcement actions through constant shifts and updates to their tools, techniques, and procedures. This has resulted in a perennial back and forth between criminally minded attackers and budget-constrained defenders.