What We Learned from Malware Attacks in 2018

IT SECURITY ANALYSIS: Fresh on the heels of a cryptomining explosion in the last quarter of 2017, 2018 began with threat actors diversifying their cryptomining tactics, broadening their reach to Android and Mac cryptomining malware and experimenting with new innovations in browser-based attacks.

Malware blossomed in several different directions in the past 12 months, and the year ahead looks like it will be a full-fledged follow-on.

According to security firm Malwarebytes, 2018 came in like a lion and out like—well, a different lion. It’s fair to say that, despite a sleepy second quarter, this past year was action-packed from start to finish.

“We experienced another very active year for malware that shows no signs of stopping,” CEO Marcin Kleczynski said in a media advisory. “Attackers continued to shift their methodologies to follow the payload. We saw evidence of this with the strong focus on attacking businesses with insecure and unpatched networks.

“From massive data breaches to ransomware attacks, businesses are experiencing what consumers have been dealing with, but on a larger scale. In the coming year, Malwarebytes is dedicated to providing the cutting-edge protection and remediation tools needed for protecting the world against the most dangerous malware now, and well into the future.”

Cryptomining Tactics Are Diversifying

2018 began with threat actors diversifying their cryptomining tactics, broadening their reach to Android and Mac cryptomining malware and experimenting with new innovations in browser-based attacks. While cryptomining died down by the second quarter, a new set of threats was eager to take its place: information stealers. These former banking Trojans—especially Emotet and TrickBot—evolved into droppers with multiple modules for spam production, lateral propagation through networks, data skimming, and even crypto-wallet theft.

Other malware families soon followed in Emotet and TrickBot’s footsteps, redirecting their focus toward organizations whose networks were unpatched and insecure, and they found plenty of targets. From massive data breaches to ransomware attacks that brought critical infrastructure to a halt, businesses finally experienced what consumers have been dealing with for years now, but on a much larger and more dangerous scale.

As a result, 2018 came to a close with a different set of problems for a different set of users, with the promise that we’re likely to see just as much drama in 2019 as the previous year.

The 2019 State of Malware Report examines threats by region—North America, Asia Pacific, Latin America, and Europe, the Middle East, and Africa (EMEA)—as well as top industry verticals for the most prolific forms of malware.

Malwarebytes shared key elements of its research with eWEEK readers for this Data Point article.

Data Point No. 1: Make way for cryptominers

Ransomware was dethroned in the first half of 2018 to make way for a massive wave of cryptominers, following a meteoric spike in Bitcoin value at the tail end of 2017. Threat actors seemingly abandoned all other forms of attack for experimentation in this new technique, spanning from desktop to mobile; Mac, Windows, and Android operating systems; and software- and browser-based attacks. Cryptomining detections increased by 7 percent year over year—a small percentage overall, because the second half of the year was slow for this threat.

Data Point No. 2: The year of the mega breach

Unlike the ransomware plagues that were indicative of 2017, there were no major global outbreaks in 2018. Instead, it was the year of the mega breach. Major businesses, including Facebook, Marriott, Exactis, MyHeritage and Quora were penetrated, with hundreds of millions of customers affected. The number of compromised records increased by 133 percent in 2018 over the previous year.

Data Point No. 3: Ransomware gets tricky

In 2018, we saw a shift in ransomware attack techniques. Instead of the one-two punch of malvertising exploits that delivered ransomware payloads, threat actors engaged in targeted, manual attacks. The shotgun approach was replaced with brute force, as witnessed in the most successful SamSam campaigns of the year.

Data Point No. 4: Businesses take a hit

Malware authors pivoted in the second half of 2018 to target organizations over consumers, recognizing that the bigger payoff was in making victims out of businesses instead of individuals. Overall business detections of malware rose significantly over the previous year—79 percent to be exact—primarily due to the increase in backdoors, miners, spyware and information stealers.

Data Point No. 5: Consumer detections fall by marginal percentage

Despite the focus on business targets, consumer malware detections decreased by only 3 percent year over year, owing to increases in the backdoor, Trojan and spyware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection—a healthy decrease in absolute numbers, percentages aside.

Data Point No. 6: SMB vulnerabilities spread Trojans like wildfire

The fallout from the ShadowBrokers’ leak of NSA exploits in 2017 continued, as cybercriminals used SMB vulnerabilities EternalBlue and EternalRomance to spread dangerous and sophisticated Trojans, such as Emotet and TrickBot. In fact, information stealers were the top consumer and business threat in 2018, as well as the top regional threat for North America, Latin America, and Europe, the Middle East and Africa (EMEA).

Data Point No. 7: Malspam replaces exploits as the favorite attack vector

The exploit landscape became a bit barren by the end of 2017, with many of the kit creators locked behind bars. As a result, threat actors returned to an old favorite—malspam—which replaced exploits as the major delivery mechanism for threats in 2018.

Data Point No. 8: Rogue extensions and malicious apps appear in legitimate webstores

Browser-based security became even more important, as rogue apps and extensions fooled users and app stores alike, worming their way past security reviews in Google Play, iTunes and the official web stores for Chrome, Firefox, Safari and others with sneaky social engineering tactics.

Data Point No. 9: Attacks on websites steal user data

The criminal group Magecart was behind a series of high-profile attacks on ecommerce websites, stripping credit card information and other Personally Identifiable Information (PII) from payment platforms in plain text and in real time.

Data Point No. 10: Sextortion scams

Finally, the major scams of the year capitalized on stale PII from old breaches. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that their secrets would be exposed if they didn’t pay up.

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...