SOPHOSLABS 2019 THREAT REPORT

Contents

Victories against cybercrime demand radical change to defense
    Joe Levy, Sophos CTO
Targeted attacks gain popularity, reap deep rewards
    What’s old is new again
    Transitioning to manual attack mode
    SamSam ransom payments - Total: $6.5 million USD
    Targeted Ransomware vs. RaaS Playbook
Attacker techniques evolve to use what’s already there
    “Living off the land” is the new law of the land
    How “LoL” changes malware detection and prevention
    The growth explosion of Office exploits
    Risky filetypes
    Lateral movement: almost blue
We’ve lost a few battles, but we’re winning the war
    Chester Wisniewski, Principal Research Scientist
Mobile and IoT: Malware is not slowing down
    The growing and persistent threat of mobile malware
    Android: The good, the bad, and the ugly
    Unusual malicious campaigns affecting the Android platform
    Attacks against the internet of things
Conclusions
    Ransomware isn’t going away
    Malicious spam a primary vector of malware
    Practice the fundamentals

Victories against cybercrime demand radical change to defense
JOE LEVY, SOPHOS CTO

It doesn’t take an AI-powered sentiment analyzer to observe that reporting, disclosures, and headlines about the security industry skew negative. Whereas most other STEM industries – biotech, pharmaceuticals, robotics – celebrate breakthroughs, the public perception around the cybersecurity industry seems focused on its failures. News coverage of breaches and attacks can be dispiriting to those who work in this field to solve these challenging problems, and can give the customers of security products a crisis of confidence. But while it’s good to maintain a healthy dose of (well-informed and risk-aware) caution around information systems threats, it’s also important to take inventory of our victories. And by “victory,” I don’t just mean some arbitrary metric of attacks blocked.
We as an industry are obsessed with measurements, but we sometimes measure the wrong things. Relevant threat data has to be built on a strong, scientifically rigorous foundation in order to be reliable, consistent, and transparent. After all, if you measure every dropped ping packet as a crisis averted (as some overzealous operators do), the “attack” numbers can rise into the trillions.

At Sophos, we hold ourselves to a very high standard of rigor in our internal metrics, our disclosures, and in the open manner in which we participate in industry third-party testing. Measurements become a more meaningful indication of success when they become observable trends. And one of the most encouraging trends we see is how we’ve begun to shift the burden to attackers, forcing them to change their operations.

The threat landscape is undoubtedly evolving; less skilled cybercriminals are being forced out of business, the fittest among them step up their game to survive, and we’ll eventually be left with fewer, but smarter and stronger, adversaries. These new cybercriminals are effectively a cross-breed of the once esoteric, targeted attacker and the pedestrian purveyor of off-the-shelf malware, using manual hacking techniques not for espionage or sabotage, but to maintain their dishonorable income streams.

We are driving this with a number of important, advanced protection techniques, including generalized exploit protections, which can arrest virtually infinite variations of memory and control-flow abuses; deep learning, which provides the best static prediction of malware at scales never before achieved; and behavioral detections that provide runtime defenses against such would-be epidemics as ransomware. These technologies materially hinder the effectiveness of commodity malware.
The result has been something to simultaneously relish and dread: low-skill cybercriminals are being driven to the periphery, while the most adept among them are forced to step up their game in order to survive. As the report that follows describes, SophosLabs has been observing a small but growing number of criminals forced to resort to a variety of manual hacking techniques – previously the purview of esoteric, targeted attackers – just to maintain their dishonorable income streams. The downside is that it’s much more challenging to halt these hybridized threats using conventional methods, but it also means there are fewer criminals competent enough to conduct them, and we keep dr