Stealthy sLoad Downloader Executes Massive Reconnaissance to Improve Quality of Infected Hosts

A latest PowerShell downloader has been detected – the sLoad downloader – which is being utilized in quiet, highly targeted attacks in the UK and Italy. The sLoad downloader executes a wide variety of checks to find out a lot of information concerning the system on which it lives, before selecting the most suitable malevolent payload to position – if a payload is positioned at all.

The sLoad downloader was first recognized in May 2018 when it was mainly being used to download the Ramnit banking Trojan, even though more lately it has been providing a much wider variety of malevolent payloads including Ursnif, PsiBot, DarkVNC, and Gootkit, as per safety scientists at Proofpoint who have been studying the danger.

The malware is assumed to be the work of a threat actor known as TA554 that Proofpoint has been tracing for over a year. sLoad is being used in greatly targeted attacks, mostly in the United Kingdom and Italy, even though the group also often targets Canadian companies.

sLoad is part of an increasing type of silent writings that are being developed to carry out silent attacks and improve the quality of infected hosts. Among the difficulties with infecting as many machines as possible is the attacks are loud and are quickly noticed, providing safety researchers plenty of time to study malware, add signatures to AV software, and develop repairs.

Although the spray and pray method of infecting as many end users as possible carries on, particularly by associates signed up to use ransomware-as-a-service, there has been a rising tendency over the last few months of a much quieter type of malware – Malware that stays under the detector for longer and goes to great lengths to discover more about a system prior to attacks are started.

Infection mainly happens through spam electronic mails, which are cautiously created, written in the targeted nation’s language, and contain tailored information such as the target’s name and address to add reliability. The most usual subjects and message subjects are missed package distributions and purchase orders, which are detailed in documents attached to the electronic mails. Hyperlinks are also utilized to connect to zip files having the documents. The documents have malevolent macros that start PowerShell writings, which download the sLoad downloader.

The threat group extensively utilizes geofencing at all points in the infection series. This limits infection to particular places as well as orders what actions are taken when a host is infected. This is specifically important when the final payload is a banking Trojan. Banking Trojans aim country-specific banks and use precise web injects for those attacks.

The sLoad downloader examines to define if specific safety procedures are running on a system, and will leave if those procedures are found. A list of all running procedures will be gathered and sent back to its C2 server together with details of Citrix-related .ICA files, Outlook files, and a wide variety of other system information. sLoad will also test browsing histories to decide whether the user has earlier visited banks that are being aimed and will report back on its findings.

If the infected appliance has been utilized to access a banking website that Ramnit is aiming, the banking Trojan will be downloaded, even though other malware variations can also be delivered depending on the information found during the reconnaissance stage.

“sLoad, like other downloaders we have described lately, fingerprints infected systems, letting threat actors better select objectives of interest for the payloads of their selection,” wrote Proofpoint. “Downloaders, although, like sLoad, Marap, and others, provide high levels of flexibility to threat actors, whether evading seller sandboxes, providing ransomware to a system that seems mission critical, or providing a banking Trojan to systems with the most likely return.”

Zero-Day Windows Data Sharing Facility Weakness Discovered

A Windows zero-day weakness has been discovered that lets hackers erase application dlls and cause a system to crash and possibly hijack systems. The weakness lets an attacker elevate rights and erase files that must only be accessible by management and takes benefit of a Windows facility that fails to verify approvals.

That facility, the Windows Data Sharing Facility – dssvc.dll, was launched in Windows 10, hence earlier Windows types are unaffected, even though the fault is also existing in Windows Server 2016 and Server 2019.

In order to abuse the Windows Data Sharing Service weakness, the attacker would already require access to the system, so for the fault to be distantly exploitable it would need to be merged with one more exploit. This would restrict the possibility for it to be used in an attack.

Although it’s possible to abuse the weakness to run commands on a system, the most likely use is disruption, because it permits files to be erased which would render applications or systems unworkable.

The Windows Data Sharing Facility weakness was detected by safety scientist SandboxEscaper. SandboxEscaper also recently issued a proof-of-concept for a zero-day weakness in Windows Task Scheduler, which was later adopted by a variety of threat actors and utilized in real-world attacks.

Although the fault is similar to the earlier discovered weakness, in the sense that it lets non-admins erase files as a consequence of a Windows facility failing to verify permissions, this weakness is much more difficult to abuse. SandboxEscaper clarified in an October 23 Tweet that it’s “a low-quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I sent a while ago, this does not write garbage to files but really erases them… meaning you can erase application dll’s and hope they go look for them in user write-able places. Or erase stuff used by system services c:\windows\temp and hijack them.”

Mijja Kolsek, a co-founder of 0Patch, has verified the PoC works and 0Patch team has already issued a micropatch to rectify the “Deletebug” fault. The micropatch was developed within 7 hours of publication of the PoC. The repair will be automatically applied for users of the 0Patch Agent and is obtainable for others through 0Patch.com.

Microsoft is expected to deliver a solution to the fault.

Activities Issued for LibSSH Weakness: Immediate Repairing Required

A lately discovered LibSSH weakness, that has been called as ‘comically bad’ by the safety scientist who found it, has been repaired. The fault is extremely easy to abuse. Obviously, different scripts and tools have been published that permit weak apparatuses to be found and the fault to be abused.

If the LibSSH weakness is abused, which needs little expertise even without one of the published scripts, it would let an attacker start an attack and distantly execute code on a weak system.

The LibSSH weakness, which would allow anybody to login to a weak Linux/Unix server without having to provide a password, is as bad as it gets. The fault was found by Peter Winter-Smith of NCC Group, who found that verification can be avoided by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting an SSH2_MSG_USERAUTH_REQUEST message but will suppose that verification has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent in its place.

As per the latest safety advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is planned only for communication from the server to the customer.”

The weakness is being followed as CVE-2018-10933 and is present in LibSSH types 0.6 and later. The fault has been patched in types 0.8.4 and 0.7.6.

Even though the fault is trivial to abuse, it is even easier using the scripts that have been issued. Leap Security has issued a script that searches for weak appliances, and there are quite a lot of available that will abuse the weakness and permit any code to be run with absolutely no skill needed.

Although the fault is of high-severity, luckily only a small number of appliances are weak. Anybody running a weak version must repair instantly. Failure to repair will almost certainly see the appliance compromised.

Modern Phishing Attack Introduces Malware into Present Email Conversation Threads

A new sophisticated phishing method has been recognized that includes a malevolent actor gaining access to an electronic mail account, observing a conversation thread, and then putting in malware in a response to a continuing discussion.

The cheat is a variation of a Business Email Compromise (BEC) attack. BEC attacks usually involve using a compromised electronic mail account to transmit messages to accounts or payroll workers to get them to make fake bank transfers to accounts managed by the attacker.

In this instance, the purpose is to fit a banking Trojan named Ursnif. Ursnif is among the most usually used banking Trojans and is a variation of Gozi malware. Ursnif not only steals information via web injection but also downloads and fits the Tor client and links to the Tor network for communication with its C2 servers. Once installed, the malware hunts for and steals electronic mail identifications, cookies and credentials.

The attacks have so far been focused in Europe and North America, chiefly on companies in the power sector, fiscal services, and education, even though the attacks are far from confined to those regions and verticals.

In order to carry out this campaign, the attacker has to first gain access to an electronic mail account, which might be accomplished through a normal phishing cheat or buying breached identifications through darknet marketplaces.

Contrary to most phishing cheats which include an out-of-the-blue message, this attack method is expected to have a much higher success ratio because the messages are part of a continuing conversation. As the messages come from inside a company and are transmitted from a real account and involve no deceiving of electronic mail addresses, they can be difficult to recognize.

Recognizing a fake reply to a continuing conversation needs watchfulness on the part of workers. There are likely to be differences in the electronic mails, such as a modification in the language used in the electronic mails, strange replies that are more general than would be expected and out of keeping with the chat, changes to electronic mail signatures or, in the case of one campaign in Canada, an abrupt change from French to English.

The cheat was disclosed by scientists at Trend Micro who noted a similarity with a campaign recognized by the Cisco Talos team that spread Gozi malware and involved computers that had earlier been hijacked and were part of the Dark Cloud botnet. Trend Micro proposes that the latest campaigns might be a growth of the group’s attack method.

The campaign utilizes Word attachments having malevolent PowerShell code which downloads the latest type of Ursnif. Trend Micro considers the messages are dispatched from the US and notes that the malware will only run on Windows Vista and above and will not infect users in China or Russia.

The campaign demonstrates how advanced phishing attacks are becoming, and that the usual cybersecurity best practice of never opening attachments or clicking links in electronic mails from strange senders is not adequate to avoid malware from being installed.

Microsoft Tackles 49 Faults Including One Actively Exploited Weakness

Almost 50 weaknesses have been repaired by Microsoft on October Patch Tuesday including one zero-day weakness that is being actively abused in the wild by the FruityArmor APT group.

The zero-day (CVE-2018-8453) is connected to the Win32k part of Windows and is an elevation-of-privilege weakness found by Kaspersky Lab. If abused, a threat actor might run random code in kernel mode and might create new accounts, install programs, or access, modify or erase data. The fault is present in all supported types of Windows and Windows Server 2008, 2012, 2016 and 2019.

The FruityArmor threat group is based in the Middle East, which is where the attacks have so far been aimed. The group is famous for utilizing zero-day faults for its attacks and has been aiming older type of Windows, even though Microsoft has alerted that the weakness might let attacks on the latest Windows types.

Kaspersky Lab notices that two years before, on October Patch Tuesday 2016, Microsoft also repaired a fault that was being actively abused by the FruityArmor group – CVE-2016-3393. Kaspersky Lab will announce more details of the fault this week.

Altogether 49 weaknesses have been repaired, 12 of which have been ranked critical. One of those critical weaknesses, CVE-2010-3190 is eight years old and has been repaired several times over the past eight years. The latest repair tackles the weakness in Exchange Server 2016. If abused, it would let an attacker take complete control of a weak system. The other critical repairs affect the Internet Explorer and Edge browsers, Hyper-V, and XML Core Facilities.

The latest repairs also tackle three weaknesses that were publicly revealed before repairs being released: A fault in the JET Database engine, Azure IOT, and Windows kernel. The patch for the JET Database Engine fault is specifically important, as last month sample exploit code was also circulated together with details of the weakness. As a consequence, companies were exposed for numerous weeks. It was a similar tale in August when a weakness and proof of concept code was circulated online for a weakness in Windows task scheduler which also left Windows users defenseless.

Most of the other patches in this round of updates were for Windows 10, the Edge browser, and connected Server types.

Adobe has also publicized patches this week, which tackle 16 weaknesses including four critical faults in Adobe Digital Edition. The critical faults allow distant code implementation, three of which are heap-overflow faults and one is a use-after-free weakness.

Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be recognized as such.

Cofense Study Discloses Extensive Misuse of Zoho Email by Keyloggers

Latest research from Cofense has shown there has been a substantial increase in keylogger activity in 2018 which backs up research carried out by Microsoft that indicated the revival of a keylogger known as Hawkeye.

Keyloggers are information-stealing malware that record keystrokes on a computer and other input from human interface devices (HUDs) such as microphones and webcams. A lot of modern keyloggers are also capable to copy information from the clipboard and take screenshots. Their purpose is to get login identifications, passwords, and other confidential information.

That information is recorded but should then be transmitted back to the attackers without being noticed. There are different methods that can be used to get the thieved data. The information can be conveyed to an IP, Domain, or URL, but one of the most usual ways keyloggers exfiltrate data is through electronic mail.

The people that use keyloggers register free electronic mail accounts to receive the thieved information, and Cofense has found that the biggest single electronic mail provider used to get keylogger data is Zoho, the Indian supplier of online office suite software. After reviewing the terminus of information thieved by keyloggers, Cofense found that 39% of electronic mails went to Zoho accounts, compared to 7% that were sent to Yandex accounts, the second most usually misused electronic mail platform.

The purpose why keyloggers are using Zoho is not abundantly obvious, even though Cofense scientists propose it is the lack of safety controls that make the electronic mail facility popular. For example, 2-factor verification is available for Zoho electronic mail accounts, but it is not compulsory. Electronic mail accounts can be opened free of charge and there are comparatively few controls over who can open an account. Cofense notes that the account registration procedure would be easy to automate with an easy script and that there is no requirement to use a mobile phone for confirmation.

The statement is more bad news for Zoho, which was lately provisionally taken offline by its registrar after reports that one of its facilities was being exploited and used for phishing producing an outage for its 30 million+ users.

Zoho has now replied to the report and has declared that it is taking measures to avoid misuse of its electronic mail facility and will soon need all new accounts to include a mobile phone number for confirmation, including its free accounts. Zoho will also boost its efforts to check outgoing SMTP and will be looking for doubtful login patterns and will stop users who seem to be misusing its facility.

“We are also narrowing our rules for all users. We have lately reviewed and improved our policy around SPF (sender policy framework) and applied DKIM (domain key identified mail) for our domain. This will bring about a solid DMARC policy that we will also publish,” said Sridhar Vembu, creator and CEO of Zoho.

Vembu also clarified that it’s not the only cloud facility supplier that is aimed in this way, “ Unluckily, phishing has become one of the bad side-effects of Zoho’s fast progress, particularly the progress of our mail facility. Since Zoho Mail offers the most generous free accounts, this gets worsened as more malevolent actors take benefit of this huge customer value. However, we are clamping down on this severely.”

 

Continuing New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

 

Security researchers at ESET have recognized a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are tough to notice and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be noticed as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is noticed, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was fitted by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the fitting of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to fit the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit fitted. The rootkit was fitted on an older appliance which had several other kinds of malware fitted. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for noticing malware at the UEFI/BIOS level.”

Enhanced Distant Desktop Protocol Attacks Prompts IC3 to Issue Alert

Oct 6, 2018

 

The FBI’s Internet Crime Complaint Center (IC3) has released a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.

Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to fit software or provide help.  When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.

Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.

Every now and then, weaknesses are recognized in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict weak passwords. Several possible password and username blends are tried until the right one is predicted.

Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.

Latest attacks have seen cybercriminals gain access through RDP and steal data or fit ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to fit ransomware.  This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.

IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to login. Patches must be applied quickly to make sure weaknesses cannot be abused.

Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.

Since RDP is frequently used to fit ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign aiming clients of Australian Banks. More campaigns were later noticed aiming clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being aimed.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an inserted hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been recognized which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign aiming at U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails interrupted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being aimed including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has recognized similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”

Q2, 2018 Saw an 86% Increase in Cryptocurrency Mining Malware Findings

2018 has proven to be the year of cryptocurrency mining malware. Cybercriminals are gradually discarding other types of malware and ransomware in support of malware capable of hijacking computers and mining cryptocurrency.

Mining cryptocurrency needs computers to solve the difficult problems necessary to confirm cryptocurrency dealings and add them to the blockchain account book. That needs substantial processing power and takes time. In exchange for carrying out the service, the miner that resolves the problem is compensated with a small amount of cryptocurrency. In order for this to be lucrative, substantial computer processing power is needed. That can be accomplished in two ways. Purchasing the hardware or hijacking other people’s computers.

The high value of cryptocurrencies makes mining an attractive possibility, particularly if a cybercriminal can hire an army of computers to carry out the processing. One computer can earn a few dollars a day. 10,000 computers infected with cryptocurrency mining malware makes this a very lucrative operation. That fact has not been lost on cybercriminals.

2018 has seen a huge increase in the use of cryptocurrency mining malware. In the first quarter of 2018, McAfee informs there was a 629% increase in the number of cryptocurrency mining malware samples it interrupted. That rising tendency has continued all through Q2. As per the September McAfee Threat Statement, there was an additional 86% rise in identified cryptocurrency mining malware samples in Q2.

“Using cryptomining malware is simpler, more straightforward, and less dangerous than conventional cybercrime activities – causing these schemes to rise steeply in fame over the last few months. Actually, cryptomining malware has rapidly developed as a main player on the danger landscape,” said Raj Samani, chief scientist at McAfee.

Although PCs are most usually targeted, cybercriminals have now split out and are also using other Internet-connected appliances to mine cryptocurrency, including Android smartphones. These appliances have much lower processing power than PCs, however since they are comparatively easy to capture, the sheer number of appliances that can be infected more than makes up for their low processing power.

There has also been the main increase in the use of malware that abuse software weaknesses. These kinds of malware rose by 151% in Q2, 2018. “WannaCry and NotPetya provided cybercriminals convincing instances of how malware might use weakness exploits to gain a footing on systems and after that rapidly spread across networks,” said Christiaan Beek, Lead Scientist and Senior Principal Engineer at McAfee. A lot of malware variations have been created that impersonate WannaCry and NotPetya.

The McAfee report also demonstrates there was 57% growth in ransomware samples in the previous year, and although use is still increasing, reputation is decreasing with just 27% increase seen in Q2, 2018.