Despite the sudden spurt in malware and ransomware attacks across the globe, non-malware attacks were the weapons of choice for cyber criminals in 2017, researchers have revealed.
52% of all cyber attacks in 2017 were non-malware attacks despite ransomware attacks growing from being a £630 million industry in 2016 to a £3.7 billion one in 2017.
Researchers at the Carbon Black Threat Analysis Unit have revealed how ransomware attacks, along with malware and non-malware attacks, have created a ‘vast attack surface’ for hackers who are more creative and persistent than ever before.
According to the researchers, ransomware is now a £3.7 billion industry, offering hackers plenty of reasons to target technology companies, government organisations, critical infrastructure industries and legal firms with new and more destructive ransomware variants. The most common ransomware variants in use last year were Spora, CryptXXX/Exxroute, Locky, Cerber, and Genasom.
‘The dark web remains a veritable treasure trove for buyers and sellers. According to Carbon Black research, the dark web economy for ransomware is growing at a rate of 2,502% per year. Some sellers of ransomware are making more than $100,000 per year simply retailing ransomware. The ransomware economy is alive and well,’ they said.
At the same time, hackers utilised destructive malware families like Kryptik, Strictor, Nemucod, Emotet, and Skeeyah last year to target financial organisations, healthcare providers and retail stores with great success.
Despite the sudden and unrestricted arrival of new ransomware and malware families, the weapons of choice for hackers in 2017 were non-malware attacks that are also known as fileless attacks. According to Carbon Black, 52% of all cyber attacks conducted by hackers last year were non-malware attacks.
A non-malware attack or a fileless attack involves hackers gaining access to or taking control over vulnerable enterprise software without having to inject malicious files which can be detected by anti-malware solutions. By using this form of attack, a hacker can also control native operating system tools like PowerShell or Windows Management Instrumentation which will enable him to obtain necessary privileges to execute any command he likes.
Existing perimeter security solutions like firewalls, IDPS, antivirus, content filtering and anomaly detection that are deployed by several major organisations have so far been unable to detect or prevent non-malware attacks.
A major example of a non-malware attack was the NotPetya attack which affected operations at global firms like Danish shipping company Maersk, Russian oil giant Rosneft, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
According to Carbon Black, the answer to sophisticated file-less attacks is streaming prevention. This mechanism not only monitors individual events on an endpoint, but also monitors and analyzes the relationships among events.
‘In contrast to legacy AV and machine-learning AV, streaming prevention monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels,’ the firm noted.
However, lack of knowledge about non-malware attacks and over-reliance on perimeter security solutions were the major reasons behind the success of non-malware attacks in 2017 which gave hackers another way of hacking into organisations without employing detectable malicious files.
In a survey conducted by the firm, 93% of security researchers admitted that non-malware attacks posed more of a business risk than commodity malware attacks, 64% researchers said that they had noticed a rise in non-malware attacks in 2017, and 96% said being able to prevent non-malware attacks would improve their organization’s security posture.
Commenting on the threat posed by non-malware attacks, security firm CrowdStrike noted that considering that a corporate network is as strong as its weakest link, organisations must ’employ investigative digital forensics experience combined with the real-time monitoring and detection capabilities that a next-gen endpoint detection and response (EDR) solution provides’.