You can dive into the full report by downloading it here, or keep reading for a sneak peek below.
3 trends that help explain WannaCry, NotPetya, and attacks that came after
When we set out to create the 2017 Malware Trends Report our goal was to paint a bigger picture of how malware has evolved in 2017. And we figured what better place to start than with the two global outbreaks that dominated the summer?
For all the well-warranted attention WannaCry and NotPetya generated, it's important to keep in mind these attacks didn't come out of nowhere. Various key components of the attacks that made them successful had appeared in previous campaigns, and have continued to gain traction following the outbreaks.
By viewing these common elements in the context of their wider adoption throughout 2017, we can see that three key trends emerge:
Trend #1: Infections have gone "clickless"
Attacks are bypassing user interaction altogether thanks to the use of remote execution exploits (like EternalBlue) and Remote Desktop Protocol (RDP) brute force attacks.
Trend #2: More and more attackers are "living off the land"
Attackers are avoiding detection by abusing otherwise legitimate system tools and processes rather than dropping malicious files on disk.
Trend #3: Worm capabilities are seeing a resurgence
More attacks have components designed to help infections spread further, faster.
Heading into the final quarter of 2017, companies need to be prepared to encounter and protect themselves from these dangerous trends with increasing frequency.
You'll find more detailed breakdowns of each trend — including specific attack examples and tips for defending against them — by downloading the full report.
2017 malware trends timeline
It’s not uncommon for advanced tools and techniques developed by targeted attack groups to eventually find their way downstream. Once in the hands of average cyber criminals, they typically get adapted for more widespread campaigns. But this year, that process was accelerated when the Shadow Brokers hacking group leaked a collection of exploits purportedly developed by the NSA, setting the stage for all the attacks that would later utilize them.
By packaging two of these leaked exploits (EternalBlue and DoublePulsar) together with a worm component, the attackers behind WannaCry were able to revamp what had previously been an unsuccessful, run-of-the-mill ransomware variant and launch the largest ransomware outbreak of all time.
A month later, NotPetya built on WannaCry’s success, combining the use of EternalBlue with the abuse of otherwise legitimate system tools PsExec and WMIC, enabling the malware to spread deeper inside infected networks, even if devices were patched. Other criminals clearly noticed these attacks were onto something: it wasn’t long before several banking trojans (including Emotet) and other ransomware variants (including Sorebrect) were seen adding similar worm capabilities and techniques, as well.
Throughout 2017, we’ve also seen increased focus on using Remote Desktop Protocol (RDP) as an infection vector and subsequent path for spreading malware. These attacks typically involve brute-force attempts to crack weak passwords to gain access to remote devices.
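Two of the trends above (living off the land via PsExec/WMIC, and RDP brute force as an infection vector) leave traces in ordinary Windows Security logs. The following is an added example written for this post, not code from the report or from the tools it names: a small defender-side hunt over a handful of constructed Windows Security events. The hostnames, addresses, timestamps, and the threshold of five failed logons per minute are all assumptions chosen for illustration; Event IDs 4625 (failed logon) and 4688 (process creation) and the parent image names PSEXESVC.exe and WmiPrvSE.exe are the real Windows values the hunt keys on.

```python
"""Added example (not from the 2017 Malware Trends Report): hunt over
constructed Windows Security events for two trends discussed above.

  * RDP brute force: a burst of failed logons (Event ID 4625) with logon
    type 10 (RemoteInteractive) from one source address in a short window.
  * Living off the land: process creation (Event ID 4688) whose parent is
    the PsExec service (PSEXESVC.exe) or the WMI provider host
    (WmiPrvSE.exe), the processes that spawn commands run via PsExec/WMIC.

Caveat: when Network Level Authentication is enabled, failed RDP logons are
often recorded as logon type 3 (network) rather than 10, so a production
rule should consider both; the sample below uses type 10 for clarity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (plain dicts instead of EVTX/XML so this runs offline).
SAMPLE_EVENTS = [
    # Six failed RDP logons from one address in about 40 seconds (assumed values).
    *[{"ts": f"2017-09-12T02:14:{sec:02d}", "id": 4625, "host": "FS01",
       "user": user, "logon_type": 10, "src_ip": "198.51.100.23"}
      for sec, user in zip(range(0, 41, 8),
                           ["admin", "administrator", "backup", "sql", "test", "admin"])],
    # A single mistyped password from an internal address: should not fire.
    {"ts": "2017-09-12T02:20:00", "id": 4625, "host": "FS01",
     "user": "jdoe", "logon_type": 10, "src_ip": "10.0.0.15"},
    # Console failure (logon type 2) is not RDP and should not count.
    {"ts": "2017-09-12T02:25:00", "id": 4625, "host": "FS01",
     "user": "admin", "logon_type": 2, "src_ip": "-"},
    # Remote execution: cmd.exe spawned by the PsExec service on WS07.
    {"ts": "2017-09-12T02:31:05", "id": 4688, "host": "WS07",
     "process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe"},
    # Remote execution: rundll32.exe spawned by the WMI provider host on WS08.
    {"ts": "2017-09-12T02:31:40", "id": 4688, "host": "WS08",
     "process": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Ordinary interactive process creation: should not fire.
    {"ts": "2017-09-12T02:32:00", "id": 4688, "host": "WS07",
     "process": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak_failures} for addresses that produced at least
    `threshold` failed RemoteInteractive logons inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


# Parent images that indicate a command was launched remotely via PsExec or WMI.
REMOTE_EXEC_PARENTS = ("psexesvc.exe", "wmiprvse.exe")


def remote_execution_spawns(events):
    """Return (host, parent_image, child_image) for 4688 events whose parent is
    the PsExec service or the WMI provider host. This is a hunting lead, not a
    verdict: WmiPrvSE.exe also spawns processes for legitimate management tools,
    so results should be reviewed against known administrative activity."""
    findings = []
    for e in events:
        if e["id"] != 4688:
            continue
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        child = e["process"].rsplit("\\", 1)[-1].lower()
        if parent in REMOTE_EXEC_PARENTS:
            findings.append((e["host"], parent, child))
    return findings


if __name__ == "__main__":
    for src, n in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {src}: {n} failures within 60s")
    for host, parent, child in remote_execution_spawns(SAMPLE_EVENTS):
        print(f"remote execution on {host}: {parent} -> {child}")
```

The two checks map to the "clickless" and "living off the land" trends respectively: the first gives a per-source count that can feed an alert or an automatic block, the second surfaces hosts where PsExec- or WMI-launched commands ran so that lateral movement can be traced even when no malicious file touched disk.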
By leveraging various combinations of tactics previously only used by advanced nation-state actors, today's common cyber criminals are creating infections that are more difficult to block, detect, and contain. Companies need to ensure their security is keeping pace with these evolutions in malware, and a great first step is learning about them in more detail.