Ransomware Sees Further Decline, Banking Trojan Use Steps Up

Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint.

It’s Q4 threat report found that banking trojans accounted for 56% of all malicious payloads in email in Q4, while remote access trojans (RATs) accounted for 8.4%. Proofpoint claimed that this marked a “significant change” for RATs, as in previous years they were rarely used by attackers.

The report stated that email remains the top vector for malware distribution and phishing, while email fraud, also known as business email compromise (BEC), continues to grow rapidly.

Ransomware message volumes dropped significantly from Q2 to Q4 “suggesting that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale.”

Speaking to the Risky Business podcast in November, Sherrod DeGrippo, Proofpoint’s director of threat research and detection, said that ransomware “has basically evaporated” after it was in the headlines for many months.

“I probably attribute that to the fact that cryptocurrency is so difficult for the average consumer to use, and what we’ve seen instead is, back to cryptocurrency, they are bolting on crypto-miners to just about everything: commodity banking trojans, commodity RATs and keyloggers and pretty basic crimeware stuff,” she said.

“We’re starting to see banking trojans have crypto-miners bolted on to them so they steal the money from the traditional bank account and then leave the crypto-miner behind.”

In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that this research highlights that ransomware is actually less of a prevalent threat both to the individual and business, and criminals know that trojans work.

“They have been thoroughly road tested with a widespread user base to great reward,” he explained. “Ransomware still has an issue in terms of the duped user needing a certain amount of literacy in payment terms in order to make this as financially successful as its trojan cousin.”

During Q4 of 2018, Proofpoint observed over twice as many URL messages as attachment messages. “For the entire year, malicious URLs appeared over three-times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically,” the report claimed.

It also claimed that banking trojans, stealers and downloaders together accounted for over 90% of all initial payloads in Q4. In particular, the Emotet banking trojan, which was described by US-CERT as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors” was named as the main threat.

Emotet uses PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC as a disguise, and initial infection occurs when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document included in the email.

Proofpoint said: “Taken together, Emotet, Panda Banker, and Ursnif comprised almost 97% of observed banking trojans in Q4.”

Tucker added: “Research such as this, more than ever, emphasizes that businesses should use evidence-based risk approaches from which to make informed decisions. This naturally incorporates a clear view of an actual threat, albeit in most cases that threat will be widespread and sporadic.

“Ransomware has been, and remains, just another factor within the overall risk management framework regardless of the hysteria that has surrounded it.”