Digital Extortion and Fileless Malware Attacks Have Soared in 1H, 2019

The first 6 months of 2019 have seen significant increases in business email compromise (BEC) attacks, ransomware attacks, and other forms of cyber extortion, according to a mid-year cybersecurity roundup from Trend Micro.

The report, titled Evasive Threats, Pervasive Effects, provides insights into the current threat landscape and the main threats currently faced by businesses.

Ransomware attacks have increased significantly, but the report notes that the attacks are now more targeted. Government organizations, multinational companies, and enterprises are now being heavily targeted and there have been several major attacks on cities, towns, and municipalities

A variety of methods are used to install ransomware, but email is still the main attack vector. Once access is gained to the network, the attackers rapidly move laterally to infect as many devices as possible before the file-encrypting payload is executed.

The number of new ransomware families detected in the first half of 2019 was down 55% from the second half of 2018, although detections increased by 77%. This figure is considerably lower than reports from Malwarebytes and McAfee, which both suggest a three-figure percentage increase between 2018 and 2019.

WannaCry is still the most detected ransomware family. Detections of WannaCry variants exceed all other ransomware detections combined. Trend Micro has been detecting between 24,000 and 42,000 attacks using WannaCry variants each month, compared to between 4,000 and 6,000 attacks involving other ransomware variants. The other main ransomware families are Ryuk, LockerGaga, RobbinHood, BitPaymer, MegaCortex and Nozelesn. Some of these ransomware families now include features that reduce the chance of victims recovering their files and systems.

Fileless malware attacks have increased dramatically since 2018, with detections up 265% compared to the last half of 2018. These malware variants are harder to detect as they do not write files to disk, instead the malware remains in the memory or resides in the registry. Many attacks use whitelisted tools such as PSExec or Windows Management Instrumentation, and most abuse PowerShell. Fileless forms of cryptocurrency miners, ransomware, and banking Trojans are regularly detected.

Exploit kit activity tripled between the first half of 2018 and the first half of 2019, although activity is still well below peak levels of exploit kit activity in 2016.

Phishing attacks on healthcare providers have increased, but the number of detections of new phishing sites is down 18% from 2018. That said, there has been a 76% increase in unique phishing URLs spoofing Microsoft Office 365, especially Outlook.

The most detected threat in 1H 2019 was cryptocurrency miners, but the biggest increase was digital extortion, which rose 319% from 2H 2018. Business Email Compromise attacks increased by 52% during the same period.

Overall, threat detections are up by 6 billion compared to the first half of 2018.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of