McAfee Threats Report: June 2021

McAfee today released its McAfee Threats Report: June 2021, examining cybercriminal activity related to malware and the evolution of cyber threats in the first quarter of 2021.

Cyber adversaries shifted from low-return, mass-spread ransomware campaigns toward fewer, customized Ransomware-as-a-Service (RaaS) campaigns targeting larger, more lucrative organizations.

A proliferation in 64-bit CoinMiner applications drove the growth of cryptocurrency-generating coin mining malware by 117 percent.

A surge in the growth of new Mirai-based malware variants drove increases in malware targeting Internet of Things (55 percent) and Linux (38 percent) systems.

Ransomware

Ransomware declined by 50 percent in Q1 due in part to a shift by attackers from broad campaigns attacking many targets with the same samples to campaigns attacking fewer, larger targets with unique samples. Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously “noisy” in that hundreds of thousands of systems will, in time, begin to recognize and block these attacks.

RaaS affiliate networks are allowing adversaries to minimize the risk of detection by large organizations’ cyber defenses and then paralyze and extort them for large ransomware payments. This shift is reflected by the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021.

Despite the attacks from the DarkSide RaaS group exposed in Q2 2021, REvil was the most detected in Q1, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.

Coin Miner Malware

There was a 117 percent surge in the spread of cryptocurrency-generating coin mining malware due to a sharp spike in 64-bit CoinMiner applications.

Coin Miner malware infects compromised systems and silently produces cryptocurrency using those systems’ computing capacity for the criminals that designed and launched such campaigns. The advantage to cybercriminals is that there is zero interaction required of both the perpetrator and the victim.

Threats & Victims

The volume of new malware threats averaged 688 threats per minute, an increase of 40 threats per minute over Q4 2020.

A variety of new Mirai malware variants drove increases in the Internet of Things (IoT) and Linux malware categories in Q1. The Moobot family (a Mirai variant) was observed to be mass-spread and accounted for multiple Mirai variants. These variants all exploit vulnerabilities in IoT devices like DVRs, webcams and internet routers. Once a device is exploited, the malware is hidden on the system, downloads later stages of the malware and connects with the command-and-control server (C2). When the compromised IoT devices are connected to their botnet, they can be commandeered to participate in DDoS attacks.

McAfee tracked a 54 percent increase in publicly reported cyber incidents targeting the technology sector during the first quarter of 2021. The Education and Financial/Insurance sectors followed with 46 percent and 41 percent increases respectively, whereas reported incidents in Wholesale/Retail and Public Sector declined by 76 percent and 39 percent respectively.

These incidents surged 54 percent in Asia and 43 percent in Europe, but declined 13 percent in North America. While reported incidents actually declined 14 percent in the United States, these incidents grew 84 percent in France and 19 percent in the United Kingdom.