Swarming IoT Attacks, Cryptojacking, and Ransomware Drive Dramatic Spike in Malware

FortiGuard Labs just released our latest Quarterly Threat Landscape report for Q4 of 2017. As usual, there are a lot of take-aways for CISOs, but a few items stood out. In particular, attacks were up per firm by 82% and swarm cyber attacks targeted the Internet of Things (IoT) with growing intensity.

Cyberattacks are being launched at an unprecedented rate. In fact, over Q4 of 2017 we detected an average of 274 attacks per firm, which is a staggering 82% increase over the previous quarter. The number of existing malware families also increased by 25%, to 3,317, and unique malware variants grew 19%, to 17,671, which not only indicates a dramatic growth in volume, but in the evolution of malware itself.

A deeper analysis of this trend shows that this dramatic increase in volume is probably intentional. In order to hit the maximum number of vulnerable targets before countermeasures, such as updated AV or IPS signatures can be put in place, a high volume of malware is necessary to accelerate its ability to spread more rapidly to other organizations.

But it’s not just about volume. According to our CISO Phil Quade, “The volume, sophistication, and variety of cyber threats continue to accelerate with the digital transformation of our global economy. Cybercriminals have become emboldened in their attack methods as they undergo a similar transformation, and their tools are now in the hands of many.” These increasingly sophisticated attacks are catching far too many organizations unprepared. For example, we are seeing new IoT-based attack swarms that span across malware families with new, harder to combat multi-vector attacks, along with the rapid development and propagation of new variants.

Here are just a few takeaways from this quarter’s report:

IoT Botnets

Three of the top twenty attacks identified in Q4 were IoT botnets. But unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously. This multi-vector approach is much harder to combat. In addition, Reaper was built using a flexible Lua engine and scripts to run its attacks. This framework means that rather than being limited to the static, pre-programmed attacks of previous IoT exploits, Reaper’s code can be easily updated on the fly to run new and more malicious attacks as they become available.

Devices like Wi-Fi cameras in particular were targeted by cybercriminals, with over four times the number of exploit attempts detected over Q3. The challenge is that none of these detections is associated with a known or named CVE, which is one of the more troubling aspects of the myriad of vulnerable devices that make up the IoT.

These issues are being compounded by a number of critical challenges that are slowing down the IoT industry’s ability to address this alarming growth in attacks. The first is that few IoT manufacturers have a Product Security and Incident Response Teams (PSIRT) in place that can respond quickly to new vulnerabilities. This means that after we or other researchers detect device vulnerabilities, getting that information to the right team inside their organization is often a complicated process. And second, the lack of regulations around IoT security means getting some of these manufacturers to prioritize a known threat can be even more frustrating, as evidenced by the number of exploits that have been successfully targeting known vulnerabilities for months that still don’t have an official CVE attached to them.


Cybercriminals are clearly motivated to exploit the growing interest in digital currencies. As a result, we have documented a significant spike in attacks targeted at this trend. Cryptojacking takes many different forms, and a malicious infection can result in everything from browser hang ups, system crashes, and degraded network performance to data theft and ransomware. There are three primary trends in this area, and each of them is unique in its approach.

The first is the injection of JavaScript into vulnerable websites, or delivering malicious JavaScript-based malware attached to email, that hijacks the CPU processing power of devices and uses it to perform cryptomining on behalf of the attacker. The crudest of these attacks simply utilize all available CPU, causing machines to become virtually unusable. Of course, this sort of approach has a very short shelf life, as users quickly turn off their machines and look for ways to remove the attack. New, more sophisticated attacks actually monitor device CPU and rate limit the amount of processing power they steal, often using 50% or less of available CPU power at any given moment.

Second, with the growing number of cryptocurrencies on the rise, and the dramatic growth in value of many of these making the news around the world, cybercriminals are looking for ways to exploit those individuals looking to cash in on a new opportunity. Which explains why we have detected a new social engineering-based attack that gets users to download malware by posing a link or attachment as a new crypto-currency wallet. This “wallet” then gets users to provide personal information during a fake registration process, while simultaneously downloading malicious malware, such as ransomware, onto their device. Ironically, criminals use a fake digital currency to gain access to a device and then demand payment with another, legitimate cryptocurrency to unlock it.

Finally, we are seeing a shift on the Darknet from only accepting Bitcoin for payment, the value of which has become unpredictable, to other forms of digital currency, including ransomware demands for payment such as Monero.


The growth in volume and sophistication of ransomware is a common thread across all of our threat reports to date. Several strains of ransomware topped the list of malware variants. Locky was the most widespread malware variant and GlobeImposter followed as the second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. Ransomware continues to morph and leverage new delivery channels such as social engineering (e.g., cryptomining). It is also much easier for criminals to access with the emergence of Ransomware-as-a-Service models.


Steganography is an attack that embeds malicious code in images. It’s an attack vector that has not had much visibility over the past several years, but it appears to be on the resurgence. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit. It was found dropping multiple ransomware variants. As a result, it is a threat vector that we will be watching closely in the coming quarters.

Critical Takeaways

Traditional threat detection tools and signature-based antivirus are simply unable to keep pace with the volume, variety, and velocity of today’s malware. According to Phil Quade, “The stark reality is that traditional security strategies and architectures simply are no longer sufficient for a digital-dependent organization. There is incredible urgency to counter today’s attacks with a security transformation that mirrors digital transformation efforts. Yesterday’s solutions, working individually, are not adequate. Point products and static defenses must give way to integrated and automated solutions that operate at speed and scale.”

To address the challenges facing organizations today, security teams need to take a more proactive approach that includes the following:

Managing vulnerabilities. Organizations need to prioritize patching based on malware volume. At the same time, they need to implement advanced threat protection capabilities such as sandboxing to detect and respond to unknown threats before they can impact the network.

Being prepared. As attacks like cryptojacking gain momentum, organizations need to prioritize cybersecurity awareness programs, including educating users on how to recognize social engineering attacks. In addition, as new digital currencies grow in popularity among cybercriminals, organizations may want to stay informed of cryptocurrency trends as much as possible.

Fighting fire with fire. Malware continues to evolve, with new IoT-based attacks that swarm together to target multiple vulnerabilities and devices simultaneously across multiple access points. These new multi-vector threats must be met with integrated, collaborative, and automated security approaches that can pit swarm versus swarm. The Fortinet Security Fabric, for example, provides a swarm-like defense deployed across the entire distributed network. It leverages integrated security technologies and automation to identify and share events and notifications, correlate threat intelligence, and orchestrate a response that uses the combined resources of the entire security infrastructure to repel attacks anywhere across the extended and highly elastic attack surface.

Access the full report here.

View our video with more context for CISOs and security leaders below:

View our infographic covering some of the data points below: