The state of cyber security in 2018: Why legacy defences won’t keep pace with new ransomware and cryptojacking threats

By Dan Slattery, Senior Information Security Analyst at Webroot

The threat posed by cybercrime to businesses, governments and consumers alike has never been more apparent. The WannaCry ransomware attack which happened about a year ago was just the first of an avalanche of wide scale and complex cyber-attacks, including NotPetya, Locky and CrySis.

While organisations are becoming more aware of the cyber threat landscape, cyber criminals are constantly trying new ways to get around established and new defences. Cyber-attacks are subsequently spreading at a pace never seen before.

These are the overwhelming findings from Webroot’s 2018 Annual Threat Report, which analysed more than 27 billion URLs, 600 million domains, 4.3 billion IP addresses, 62 million mobile apps, 15 billion file behaviour records, and 52 million connected servers worldwide.

Here we analyse some of the key findings from the Threat Report.

  1. Ransomware and its variants remain a prevalent threat

Since ransomware is so profitable for attackers, the threat has only continued to grow in notoriety in 2017. The two most discussed and largest ransomware attacks in history – WannaCry and NotPetya –were the most prolific ever seen. Together, they infected more than 200,000 machines in over 100 countries within just 24 hours.

Spam email campaigns have long been the preferred method for distributing ransomware, but an easier vector has emerged: using unsecured remote desktop protocol (RDP) campaigns to infect victims. The most common result of an RDP campaign is to deploy ransomware, since the attacker can also view other computers on the network and gather information for future campaigns.

Whether for profit or destruction, new developments in ransomware are causing the industry to re-evaluate the role and intentions of ransomware in future global attacks.

2.Cryptojacking: a new threat on the rise

Cryptojacking combines everything an attacker could want: anonymity, ease of deployment, low-risk, and high-reward. It requires less effort than alternate threats; instead of stealing a victim’s files and ransoming them for money, the cybercriminals steal victims’ CPU power to mine cryptocurrency. Since there’s no malware payload, the user often remains unaware they’re being used.

Webroot first saw cryptojacking in September 2017, when CoinHive debuted JavaScript code to mine the cryptocurrency. Since then, more than 5,000 websites that have been compromised to mine Monero through CoinHive. Surges in cryptocurrency prices have also contributed to the popularity of this type of attack, and it is expected to gain momentum in 2018 and beyond.  

3. Hacking tools are spreading: Governments on the front line

Another extremely dangerous trend relates to the spread of government hacking tools. A group calling itself Shadow Brokers starting leaking government hacking tools back in 2016, which continued throughout 2017.

As these dangerous tools get into the hands of bad actors, it exposes citizens to immense risks - for example by leaking plans on how to build a nuclear weapon.

4. Polymorphism has become mainstream

In the last few years, we’ve witnessed a dramatic increase in the prevalence of polymorphic malware and potentially unwanted applications (PUAs), indicating that these threats are the preferred system of malware delivery for cybercriminals.

In 2017, 93% of the malware encountered and 95% of potentially unwanted applications (PUAs) were only seen on one machine. In these instances, the identifiers are unique and undetectable by traditional signature-based security approaches.

Read more: The week in security: Record-setting DDoS highlights need for security-policy reset

Clearly, the move toward creating slightly different variants of malicious or unwanted files has become mainstream. This data speaks to how quickly the hackers retire a variant and come up with a new one.

5. High-risk IP addresses continue to cycle from malicious to benign and back again

Although the Webroot report found no significant increase in the number of unique malicious IP addresses in 2017 versus 2016, the number remained enormous. 10,000 malicious IP addresses reused an average of 18 times each in 2017, and the vast majority of malicious IP addresses represented spam sites (65%), followed by scanners (19%), and Windows exploits (9%).

6. Phishing attacks are becoming increasingly targeted

Phishing remains one of the most used and most successful attack vectors. Highly targeted attacks use social engineering, relying on themes that are relevant, interesting, or appropriate to the targeted individual. The 2018 Threat Report found that phishing attacks continue to be short-lived.

On average, the phishing sites were online from four to eight hours, meaning they were designed to evade traditional anti-phishing strategies. While Webroot saw millions of phishing attempts and tens of thousands of unique IPs hosting phishing sites, a single IP was responsible for more than 400,000 phishing sites.

The most impersonated sites in 2017 included some recurring and well-known names, such as Google, Microsoft, Dropbox, Facebook, PayPal, and Yahoo, as well as some new ones: shipping company UPS, money transfer service Ria, Israel’s Bank Hapoalim, and entertainment software provider Blizzard.

The findings from Webroot’s 2018 Annual Threat report showcase a dangerous and dynamic threat landscape. Attacks are evidently becoming a worldwide threat and are seamlessly bypassing legacy security solutions because organisations are neglecting to patch, update, or replace their current products.

It’s apparent that when it comes to cybersecurity, change is the only constant, and only real-time, multi-layered threat intelligence strategies can detect these types of emerging threats and help stop attacks before they strike.

About the 2018 Webroot Threat Report

The 2018 Webroot Threat Report presents analysis, findings, and insights from the Webroot Threat Research team on the state of cyber threats. The report analysed more than 27 billion URLs, 600 million domains, 4.3 billion IP addresses, 62 million mobile apps, 15 billion file behavior records, and 52 million connected servers. The statistics contained in the report come from threat intelligence metrics automatically captured from millions of real-world, global sensors, as well as third-party sources, and analysed by the Webroot® Threat Intelligence Platform. The Webroot Threat Intelligence Platform is an advanced, cloud-based machine learning network that continuously produces threat intelligence used by Webroot SecureAnywhere® endpoint and network security products and by Webroot partners through Webroot BrightCloud® Threat Intelligence Services. Unlike traditional, list-based or single-vendor threat intelligence, Webroot threat intelligence is highly effective for identifying and stopping even the most sophisticated zero-day, never-before-seen, and advanced persistent threats.

About Webroot

Webroot was the first to harness the cloud and artificial intelligence to protect businesses and individuals against cyber threats. We provide the number one security solution for managed service providers and small businesses, who rely on Webroot for endpoint protection, network protection, and security awareness training. Webroot BrightCloud® Threat Intelligence Services are used by market leading companies like Cisco, F5 Networks, Citrix, Aruba, Palo Alto Networks, A10 Networks, and more. Leveraging the power of machine learning to protect millions of businesses and individuals, Webroot secures the connected world. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at

Tags cyber crimeCrysisLockyWannaCryNotPetya

Show Comments