Chris Sienko: Welcome to another episode of Cyber Work with Infosec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to keep us all one step ahead of the bad guys. Adam Kujawa is the director of Malwarebytes Labs. He and his team compiled the Malwarebytes Cybercrime Tactics and Techniques report. The report was released to the public on April 25, 2019.
Among the findings in the world of ransomware, consumer detections dropped 10%, while business ransomware detections were up 200% over the previous quarter and over 500% more than this time last year. Trojan malware has gone up over 200% from the previous quarter and almost 650% from the same time last year. Meanwhile, crypto mining is essentially extinct with consumers, but business-focused miners have increased from the previous quarter. Whether individuals have tightened up their defense posture or cyber criminals have learned to focus on the more lucrative targets, the report is unlikely to make companies very happy in 2019. Today we’re going to take a deeper look at the report’s findings and see if we can find out how the findings will affect the cybersecurity industry as a whole and in the years to come.
Adam Kujawa is the director of Malwarebytes Labs with over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic, he has spent time analyzing threats of an APT state-sponsored nature as well as threats to consumers for both government and private industry. In addition to research and analysis, he has provided conference talks and developed technical courses on topics from basic to advanced malware analysis, malware evolution, and threat intelligence. Adam, thank you so much for being here today.
Adam Kujawa: Thanks a lot Chris, thanks for having me.
Chris: So to start at the very beginning, how long have you been working with Malwarebytes, and before that, when did you get interested in cybersecurity?
Adam: I’ve been interested in cybersecurity either in one aspect or another since I was a kid basically.
Adam: I wanted to get all those hacking exposed books and be like the characters in a hackers movie, and my dad worked in IT. So as I grew up, kind of learned about systems, and developing them, and securing them, and then when I left for the military actually got really into cybersecurity. And so I’ve been with Malwarebytes now for over seven years.
Chris: Wow, do you still find yourself having to learn new skills? Are you still sort of trying to find new solutions and especially learning new soft and hard skills? Something like that?
Adam: Oh yeah, absolutely. Yeah. I’ve never had to constantly learn new things as often as I have working in this industry.
Adam: Because the bad guys, they always change things up.
Adam: They decide to go a different avenue of how to infect someone, so you have to learn about that avenue or learn how this particular malware works. And they’re constantly evolving their attacks, so it’s a constant. You never stop learning basically.
Chris: So since part of the focus of this show is people who are interested in cybersecurity from a job and career perspective, what do you think are some of the soft and hard skills that have been most helpful to you in this role?
Adam: Well, one thing, there’s a lot of people out there who are technical. There’s a lot of people out there who are nontechnical. If you’re able to find somewhere in between where you can do technical analysis work, if you can contribute to intelligence work and investigations, and then also be able to put that in terms that normal people understand, or not even just normal people but C-level executives or customers or things like that, then that’s a really valuable skill in this industry. I can tell you that personally.
Chris: So let’s move to the Malwarebytes report here. How was the data compiled, and how long have you been compiling data and crunching the numbers for this?
Adam: Well, I’m losing count of how many times we’ve done this report, but every quarter we do this report since basically the beginning of 2016. And we compile the data, it’s basically telemetry from our end points throughout the world. We compile those for our business customers, for our consumer customers, where they’re located, identify trends and stuff, and we take that, we combine it with what we’ve seen from our honeypots and our systems that collect malware automatically, and then we also kind of run that through our own analysts and our researchers and their experience and what they saw and create a narrative around that. So the whole point of the report is just to identify trends and be able to try to see what’s coming next.
Chris: Yeah, so going back to job functions and stuff, what members of your team actually do the work of compiling the data? What sorts of positions within your company are in charge of all this data and making it into something usable for the public?
Adam: Yeah, well big data is a big part of cybersecurity these days because of so much malware. You’ve got tons of information from logs and everything else. So we have our own dedicated data science department, and those guys, their whole job is to make sure that we get all the data that we need from our telemetry and are able to present it to the rest of the company in a way that makes sense. I work with them very closely because you could see the stats, and they’ll come talk to me and say, “Have you seen this? Does this look legit?” I’m like, “Yeah, let’s investigate that further.” So it’s a really cool relationship, but that is becoming more and more in demand in this industry is knowing how to do big data, data analysis, and things like that.
Chris: So of the many changes that came up in the report compared to last year, and there’s some really surprising numbers, which finding did you find the most troubling and why?
Adam: The fact that we see such a huge shift toward business infections is pretty troubling to me. Seeing a decline in the consumer side of detections, which also is something I’ve never really seen before. Of all the years that I’ve been working with Malwarebytes, I’ve only seen our detections of consumer malware go up and up and up every year. So seeing this kind of drastic shift in the intent and the tactics and techniques of cyber criminals is definitely alarming. It’s far more of a jump than I think we would normally expect from cybercriminals, but this happens every once in a while. You’ll have a bunch of really kind of cheap or copycat malware, and then every couple years, someone comes along with something that changes the whole game.
Chris: Wow, so let’s start with the consumer stats. A cursory read of the report suggests that consumers are not as extensively targeted as companies, and that ransomware against individuals was down 33%. Like you said, this is a really surprising number, but what do you attribute these changes to? Can you sort of extrapolate from the data what’s going on there?
Adam: So there’s a bunch of new families out there that are, well not new families, they’re old families like Emotet and TrickBot, that have added new functionality. Basically the same exploit capability of WannaCry and NotPetya, those stolen NSA exploits EternalBlue, EternalRomance. So we see those being included in a lot of kind of evolving malware families, and this makes it possible. Whereas prior they were just focusing on a single consumer trying to get information, steal it from them, now they want to try and lay it on a corporate network because from there they can utilize these exploits, they can utilize a brute forcing of credentials to start laterally moving across the network and basically having a whole lot more systems infected than you would previously. So we’ve seen this happen basically since about mid-last year. These tactics being utilized more and more. We’ve seen ransomware being dropped by these families, like the Ryuk Ransomware that was pretty popular late last year.
And so seeing that that shift overall shows a better return on investment for the cybercriminals, and at the end of the day when you have a question about would cybercriminals do this, say, “Is it worth it to them to do it? Is it worth the money?” You know?
Adam: So being able to infect a large corporate network versus somebody’s grandma, obviously bigger return on investment. You can get the access to user data from multiple users, you could steal IP information if you want, or you could just ransom it if you feel like it when you’re done with everything. So ransomware, kind of the same boat, where we’ve seen ransomware families like SamSam and Ryuk and earlier this year, actually two months ago, the Troldesh Ransomware, which we wrote about in the report, but it had a pretty big campaign against businesses in the beginning of the year. So we also see that the ransomware targeting businesses does usually get a bigger payout, or something at all. If you infect or rather encrypt the files of one person, then they could just wipe it, or they have backups or something like that. But a larger organization which has the pressure of regulations, of data privacy laws that are coming out, is far more likely to say, “Okay, we’ll pay you something,” rather than nothing at all.
Chris: Yeah, yeah. So first all, before we jump into that, that’s a huge topic right there, but to ensure that consumers and individuals don’t get too complacent, are there any troubling stats within the report that indicate that individual users still need to remain vigilant? Are there still big threats? Obviously it went down, but it didn’t go to zero, so-
Adam: No, no it didn’t. No, what the criminals on the consumer side are really doubling down on is kind of a tried and true method of advertising pushing. You see lots and lots of adware, and on multiple platforms as well. We see an increase in adware for both mobile and Mac devices, and this adware, obviously adware doesn’t sound like the most horrible thing in the world. But when you realize what it’s doing to your system and the potential danger it puts you in by pushing advertisements to you or redirecting your search to some other search engine, those things could be loaded up with exploit kit scripts. They could really do a lot of damage. And in fact we saw during what I like to call the crypto mining craze, which was about October 2017 to about June 2018, where pretty much all malware distribution we saw was related to crypto mining in some way.
A lot of adware families that we’d seen in the past were dropping crypto miners on systems. So like I said, these things are pretty dangerous, and of course there’s still ransomware that we do see. There’s a family called GandCrab, which was more prominent last year, we haven’t seen a lot of activity coming from it this year so far. Considering it evolved like seven times last year and actually does really good encryption correctly, is a very dangerous piece of malware, I would be surprised if we didn’t see it again this year and probably in greater numbers, and that has almost exclusively gone after consumers. So we’re not completely out of the fire here.
Chris: Yeah, yeah, that’s just something to remind our listeners obviously. The enormous rise of Trojan malware in recent times, like you said, it’s up 200% from last quarter and 650% from this time last year. It clearly suggests that this is the new preferred method of transport for malware. You mentioned a little bit about the rise of the different sort of malware families and [inaudible 00:11:08] families, but what do you think triggered this huge jump? Do you think it really is just more attractive targets or was there sort of a jump in number of hackers or availability of certain softwares?
Adam: Yeah, well, I mean the 650, obviously a huge, huge, huge number, but also consider the fact that back this time last year we were dealing with lots and lots and lots of crypto miners. So that number does make sense.
Chris: Okay, they’re just changing their focus a little bit then.
Adam: Yes, yes, absolutely. So yeah, the move toward businesses, the move toward more transport malware, like you said, or information stealers. Some theories we have are that with laws like GDPR and I think California’s got their own privacy law, a lot of places are doing this, so we expect that data’s going to be a bit more difficult to get your hands on if you’re a cyber criminal. And data does have an expiration date, it’s credit card numbers, addresses, things like that.
So yeah, we think that it’s kind of a push toward making sure that they can get information or access to information if they need it to sell it on the black market. But also it just seems to be a big push to kind of rebuilding botnets, to establishing footholds in large networks, and Trojans are perfect for that, for sneaking in on stuff like that, because they’re usually quiet. And a lot of these Trojans that we have been seeing, you can almost say that they’re a hybrid. They have Trojan spyware, worm functionality in some cases, and we’re seeing more and more malware like this that doesn’t really fit into a box anymore. Emotet used to be what we called a banking Trojan, and so all it would do is infect the system and then wait until you log into your bank account and then steal that form data.
But now Emotet lands on the system, it has its own built-in spam module, so it searches your contacts for other people in your network and then sends out spear phishing emails to them, and then it’s able to install additional malware and start laterally moving through the network. So that’s a lot more functionality than just stealing form data. And, like I said, we see more and more malware moving in this direction.
Chris: So yeah, so it’s getting a little more subtle and a little less sort of brute force-y than it was.
Adam: Yeah, yeah, and with more powerful systems that users are using or businesses are using, that makes the malware itself more capable of doing things. Because if you go back to like Windows 98 or even Windows XP and you saw a remote access Trojan that was maybe 10 megs, and it was making a beacon every two seconds, you would probably notice that on XP. You would notice that things were running sluggishly or that you’ve got way too much network traffic, but with Windows 10 and modern operating systems, that is a drop in the bucket.
And as far as how much network activity is constantly going on with newer Windows operating systems, it’s hard to find much of anything, so that really makes it possible for the bad guys to evolve because they know they’re dealing with better hardware now.
Chris: Do you have to retrofit… I mean obviously you’re constantly making changes to Malwarebytes and stuff, but was that a big change, the ability to detect more subtle Trojans and malware like that?
Adam: Yeah, we’ve had Anti-Rootkit functionality for quite a few years. It was one of the things that we first developed after kind of developing our main engine, and because we’re dealing with families like ZeroAccess, SpyEye, they’re all rootkit Trojans that were able to do really nasty things. So we see the same kind of functionality being utilized within these malware families as well, but we’ve got the technology to stop it.
But one thing that I would definitely say we’re moving toward overall is more behavioral detections, greater use of machine learning, training AI, in order to detect anomalous behavior. Because the malware itself, it’s not like it was 10 years ago where maybe you’d get a new family a week or a month. It’s constantly coming out, there’s new variations of it, and if we have the technologies to utilize AI and advanced analysis systems to identify something that’s weird on a system, then the bad guys have the same capability theoretically to utilize that same software or that same technology in order to make their attacks more effective and be able to roll out new versions of the malware faster.
Chris: Now I wanted to jump back to… you said something before about crypto mining, there was the sort of, I don’t know if you said the golden age of crypto mining or the-
Adam: The crypto mining craze.
Chris: The crypto mining craze, so what caused the crypto mining craze to sort of break and sort of pull back? Was it they were just throwing everything against the wall, and they weren’t finding what was working? Or why-
Adam: It all started because the value of Bitcoin shot through the roof, and by November or December of 2017, it was worth $16,000, $17,000 or something per Bitcoin. So the bad guys were like, “Hey, this is a perfect opportunity. Let’s go mine some Bitcoins.” But as time went on it became more difficult because you had a lot of people involved in the mining process, and as some professional miner people tell me that the more people you have doing that, the more that the numbers have been crunched by more individuals, the harder it is to actually earn anything from doing the number crunching and actually running a miner for Bitcoin.
There are other families out there. Monero was very big and popular because it was being used for drive-by mining attacks or clickjacking as a lot of people like to call it.
Adam: But yeah, the rise of the Bitcoin value set it off, and then the fall of it led to its decline. And you can almost put up a chart of the value of Bitcoin and see the trend lines going up and down, and the same thing with our detections of Bitcoin miners was up and down. It’s not completely synced up, but you can definitely see where the inspiration comes from. And that yeah, it became less and less of a return on investment for them, so they went back to doing the old stuff.
Chris: Yeah, so all the trends seem to be chasing the money it seems like.
Adam: That’s always what it is, and things, they go in circles in the cyber crime world. We see stuff come back again, and this is probably not the last time we’ll see a Bitcoin craze or cryptocurrency craze. I hope it’s going to be a while. At the same time, people just getting infected with miners is one thing versus getting infected with information stealing Trojans, but it still is a big concern. It can cause a lot of system degradation, and then my biggest concern is if they were able to get a miner on your system, what else can they get on your system when they’re done with the miners?
Chris: Yeah, right. So what are some preventative steps you recommend for companies to take on a business hiring level with ransomware, Trojans and crypto mining on the rise? Should these findings and general trends affect how enterprises structure their security departments, the number of people they hire, what they’re hiring them for?
Adam: Absolutely, absolutely. What I like to recommend is that people take some inventory of their data, their most valuable data, because at the end of the day, like I said, the bad guys are after the money, so they want the money data, the data that they can sell, they can use, customer information or whatever else. Find that data in your network, identify it, segment it from the rest of your network and add it behind another layer of protection. Now we really recommend layering up on defenses, on protections, having that functionality which looks for just anomalous things. It doesn’t necessarily need to say, “I found this particular attack,” but that there’s an attack going on, do something about it. And trying to kind of leave, I guess, bait for the cyber criminal in some cases. They also like to go after the low hanging fruit. They’re very lazy. Some of them are, so if you leave a server open that has some fake bogus data, and they grab that, and they leave your network, and they never even know that there was much juicier stuff to go after.
But then also rights management, making sure that the right people have the right access to the right systems, and that people that don’t need access don’t have it. That’s the way the government really worked, and while it may not be the shining example of how security should be done correctly, that was a pretty good policy that I thought was really good. They basically said, what is it? Need to know basis, kind of segmented, compartmentalized security I think is a great idea. And then just general education on your users. Now, this is something that we’ve tried to tell people over and over again, and we’ve tried to teach people over and over again about cybersecurity. It is not an easy topic to discuss with someone who’s non-technical or not super interested in it, but if you can get your employees at least to a point where they can say, “This looks like a sketchy email,” because email is still the primary method of distribution for most malware these days, then that’s still a step in the right direction.
If they can flag that to your IT department or your security team to investigate, then you may have saved your company a whole lot of money and headache.
Chris: Yeah, yeah, yeah. It’s that one and a half seconds that you take a deep breath and look at a thing before you just go pay the invoice or whatever.
Adam: Exactly, exactly. That helps a lot.
Chris: Yeah, so that’s what I was going to say, is the advice for consumers and businesses alike is probably the same now as it was five years ago. Look at the URL. Don’t click on suspicious documents.
Adam: Yeah, the attacks are getting more sophisticated. They have been. We see a primary method of dropping malware is through office documents that are attached to these emails, and then there’s a script inside, a macro script, that once it’s executed, will download malware onto the system with either Java or PowerShell or a combination of both.
But yeah, just being kind of a little more I guess paranoid. I don’t like to just say paranoid, but at the end of the day, you want people to be a little-
Chris: A healthy paranoia.
Adam: Yeah, yeah, totally. So yeah, consumers and business employees and everything like that, having just a little bit more distrust of what you see come across your inbox is a really good idea. Because they’re not like they used to be. You’re not going to see too many emails that are like, “I am a Nigerian prince, and here’s a billion spelling errors.” You know?
Chris: That ship has sailed.
Adam: Exactly, so now you might get an email from what you think is PayPal, it’s just a spoofed address, but it looks very legitimate. Or UPS that says you’ve got a package, or from someone within your organization. One of the most popular spear phishing attacks I saw while I was working for the military were these Trojanized PDFs that claimed to be pay rates for the next year, and there’s a lot of military folks that are always eager to learn about what they’re going to be making in the next year.
Chris: “Quick open that up, I got to know.” Yeah.
Adam: Yeah, yeah, exactly. But a holiday schedule, anything like that, and people just don’t even think twice half the time.
Chris: Yeah, so for listeners who are thinking of getting into the cybersecurity field, based on the general trends delineated in this report, what security skills or specialty fields do you think will be the most in demand with this new ransomware, Trojan, crypto mining intensive future?
Adam: Right, like I said, big data is going to be important, also the communication aspect. We’re at a point where there really isn’t a lot of time for reverse engineering every malware you come across. So while reverse engineers are highly sought out, and I reverse engineer myself, it’s a good skill to learn. It’s difficult, but once you get it, then it really opens up your eyes to what’s actually possible with malware. But a lot of companies, they don’t have the time or they have automated systems that just automatically spit out, “This is what the malware does. Here’s how we protect against it, or here’s what you should do in order to protect against it.” So that’s not as in demand, but definitely development. If you don’t know a programming language, learn one. Perl, I mean not Perl, everyone hates Perl. Python.
Chris: There you go, there you go.
Adam: C++ if you can.
Adam: But yeah, those just kind of basic things. Understanding Windows internals is also very important, and I’m just kind of listing off college courses I took, you know? But yeah, basically if you can understand the landscape and what’s possible then you already have a huge step up than anybody else because at least then you can speak intelligently about things that happen, and this industry constantly changes, like I said. So I can’t read a book about Trojans today and expect that that information’s still going to be relevant tomorrow sometimes.
Chris: Right, yeah. Oh yeah, for sure.
Adam: Yeah, that’s definitely an issue.
Adam: But overall yeah, education, just kind of absorbing things and getting a sense, an idea, of the landscape itself rather than focusing too much on the individual skills because I guarantee you, you’ll have to learn new ones eventually.
Chris: Constantly. So I didn’t include this on the question sheet, but if you do get, say whether you’re a consumer or you’re a business, you get zonked by some ransomware, what do you, as head of Malwarebytes Labs, what do you do next?
Adam: If you got hit with ransomware and you have no protections, you have no backups, you’re just completely at the whim of the ransomware attacker, then it’s one of those things, identify what data is most important to get back, and then negotiate with the attacker. We’ve seen it happen many times over the years. The Hollywood Presbyterian ransomware attack, which happened back in 2016. That one, the original ransom demand was $1 million to get all these systems back in this hospital. They ended up paying about $17,000 for one system, which had most of the important data on it. So cybercriminals, at the end of the day, they want to make money. If you do encounter a ransomware attack and the goal is actually getting money from you, then you can negotiate usually for a lesser price or for fewer files being decrypted, and they’ll usually work with you. If it’s a ransomware attack whose whole point is “destruction, destruction” then that’s a whole different story.
Chris: Now things like crypto mining, I’ll say first of all that we’ve already talked to Christian Beek with Malwarebytes, and we’ve talked about the free forums. Now if your system has got… someone’s doing some crypto mining on it, is that something that the Malwarebytes forum people can help you remove? Is that something that’s higher level than that or?
Adam: No, no. We did see the development of some kind of nasty weaponized crypto miners during the crypto craze near the latter half of it, the kind of tail end. We started seeing ones that are being developed with more stealthy functionality like rootkit capabilities, but for the most part, most miners are not difficult to identify. Most security solutions will be able to identify them and get rid of them, but if you can’t, yeah, people on the Malwarebytes forum, our support guys, we’ll definitely be able to help you get rid of everything.
Chris: Oh yeah, they’ve saved my hash a number of times.
Adam: Awesome, those are real good guys.
Chris: Yeah, absolutely. So based on the findings of the Q1 report here, what are some blanket recommendations you’re making to sort of enterprises, the industry, whatever in general over the course of 2019 and beyond? Based on what you found, what are you saying people should do differently?
Adam: Plan for the worst case scenario.
Adam: Don’t plan to stop the malware, plan to recover from it. Because there’s so many chances, so many opportunities for bad guys to find other ways to get past your security. Never have full 100% confidence in your security solution. Always look for other ways to augment it. We actually wrote a report earlier this year talking about… we did a poll of some of our users and found that there were certain security practices that everybody follows, and then there’s some that nobody does. And they’re the really difficult ones like reading the [inaudible 00:27:09] or making sure that an app has the right permissions, things like that. And we have also seen attackers go through these avenues to try and infect people or try to scam people, so it kind of just overall created what we were calling security hubris, just having too much confidence in that security solution because no one is 100%. So yeah, plan for the worst attack, multiple layers of security, patching if possible, but just at the end of the day maybe segmentation of your network entirely.
Adam: Like I said, act like you are already going to be breached. So what do you want to do? You want to keep X, Y, Z data safe. You want to make it harder for the bad guy, so segment up your systems, make it more difficult for them to identify exactly where they have to go to get things. But at the same time it allows for greater user rights management and data segmentation. It may be a pain overall at the end of the day, but I think it’s definitely worth it. Other than that, I mean you could also deploy patches and that kind of model as well.
Adam: Because that’s one of the biggest things with businesses. Back when exploit kits were a really, really big deal, and they’re still a pretty big deal over in the East. We see a lot of attacks against Korea and Japan with exploit kits because for whatever reason the culture over there is still utilizing a lot of outdated older systems, either old operating systems or just unpatched. We see the same WannaCry exploit, EternalBlue, that was used to just infect systems from outside of the network. This happened two years ago, and the patch for it came out six months prior to that. And these systems are still getting hit with malware that utilize this trick because they have not patched, but that also comes down to if you are a large organization, you can’t necessarily roll out patches across the board without breaking something. So network segmentation may be another solution where you could say, “I rolled out the patches on this group of systems, and I know that it works fine.” And it’s kind of your test bed.
Chris: That’s fantastic. Adam Kujawa, thank you very much for your time today.
Adam: Thanks a lot Chris, really appreciate being here man.
Chris: And thank you all for listening and watching. If you enjoyed today’s podcast, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts, including this one. Just search Cyber Work with Infosec in your favorite podcast app. To see current promotional offers available for podcast listeners and to learn more about our Infosec Pro live boot camps, Infosec Skills on-demand training library, and Infosec IQ security awareness training platform, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Adam Kujawa, and thank you all for watching and listening. We’ll speak to you next week.