Legacy Cybersecurity Defenses Won’t Keep Pace with New Ransomware and Cryptojacking Threats

Findings from the 2018 Webroot Threat Report Reveal the Increasing Sophistication of Phishing, Malware, and Cryptojacking

BROOMFIELD - March 22, 2018

Webroot, the Smarter Cybersecurity® company, revealed the results from the 2018 edition of its annual threat report, which demonstrated attackers are constantly trying new ways to get around established defenses. The data, collected throughout 2017 by Webroot, illustrates that attacks such as ransomware are becoming a worldwide threat and are seamlessly bypassing legacy security solutions because organizations are neglecting to patch, update, or replace their current products.

The findings showcase a dangerous, dynamic threat landscape that demands organizations deploy multi-layered defenses that leverage real-time threat intelligence.

View 2018 Webroot Threat Report

Notable Findings and Analysis:

  • Cryptojacking is gaining traction as a profitable and anonymous attack that requires minimal effort. Since September 2017, more than 5,000 websites have been compromised with JavaScript cryptocurrency miner CoinHive to mine Monero by hijacking site visitors’ CPU power.
  • Windows 10 is almost twice as safe as Windows 7. However, the data reveals that the operating system migration rate for enterprises has been quite slow; Webroot saw only 32 percent of corporate devices running Windows 10 by the end of 2017.
  • Polymorphism, i.e. creating slightly different variants of malicious or unwanted files, has become mainstream. In 2017, 93 percent of the malware encountered and 95 percent of potentially unwanted applications (PUAs) were only seen on one machine. In these instances, the identifiers are unique and undetectable by traditional signature-based security approaches.
  • Ransomware and its variants became an even more serious threat. This past year, new and reused ransomware variants were distributed with a variety of purposes. Together, WannaCry and NotPetya infected more than 200,000 machines in over 100 countries within just 24 hours.
  • High-risk IP addresses continue to cycle from malicious to benign and back again. Webroot saw 10,000 malicious IP addresses reused an average of 18 times each in 2017. The vast majority of malicious IP addresses represent spam sites (65 percent), followed by scanners (19 percent), and Windows exploits (9 percent).
  • Of the hundreds of thousands of new websites created each day in 2017, 25 percent of URLS were deemed malicious, suspicious, or moderately risky. High-risk URLs fell into two major categories: malware sites (33 percent) and proxy avoidance and anonymizers (40 percent).
  • Phishing attacks are becoming increasingly targeted, using social engineering and IP masking to achieve greater success. On average, phishing sites were online from four to eight hours, meaning they were designed to evade traditional anti-phishing strategies. Only 62 domains were responsible for 90 percent of the phishing attacks observed in 2017.
  • Mobile devices continue to be a prime target for attackers—32 percent of mobile apps were found to be malicious. Trojans continue to be the most prevalent form of malicious mobile apps (67 percent), followed by PUAs (20 percent).


Key Quote:

Hal Lonas, Chief Technology Officer, Webroot

“Over the past year, news headlines have revealed that attackers are becoming more aggressive and getting extremely creative. Cryptojacking made our threat report for the first time this year as an emerging threat that combines everything an attacker could want: anonymity, ease of deployment, low-risk, and high-reward. Organizations need to use real-time threat intelligence to detect these types of emerging threats and stop attacks before they strike.”


Additional Resources:


About the 2018 Webroot Threat Report

The 2018 Webroot Threat Report presents analysis, findings, and insights from the Webroot Threat Research team on the state of cyber threats. The report analyzed more than 27 billion URLs, 600 million domains, 4.3 billion IP addresses, 62 million mobile apps, 15 billion file behavior records, and 52 million connected servers. The statistics contained in the report come from threat intelligence metrics automatically captured from millions of real-world, global sensors, as well as third-party sources, and analyzed by the Webroot® Threat Intelligence Platform. The Webroot Threat Intelligence Platform is an advanced, cloud-based machine learning network that continuously produces threat intelligence used by Webroot SecureAnywhere® endpoint and network security products and by Webroot partners through Webroot BrightCloud® Threat Intelligence Services. Unlike traditional, list-based or single-vendor threat intelligence, Webroot threat intelligence is highly effective for identifying and stopping even the most sophisticated zero-day, never-before-seen, and advanced persistent threats.


About Webroot

Webroot was the first to harness the cloud and artificial intelligence to protect businesses and individuals against cyber threats. We provide the number one security solution for managed service providers and small businesses, who rely on Webroot for endpoint protection, network protection, and security awareness training. Webroot BrightCloud® Threat Intelligence Services are used by market leading companies like Cisco, F5 Networks, Citrix, Aruba, Palo Alto Networks, A10 Networks, and more. Leveraging the power of machine learning to protect millions of businesses and individuals, Webroot secures the connected world. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at webroot.com.

About Us

Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world.