(Image by Pete Linforth / Pixabay)

Ransomware incidents have significantly dropped in the first half of 2018 while the increasing popularity of cryptocurrency gave criminals a new target, according to McAfee’s quarterly threat report.

Ransomware attacks dropped 32 percent after an increase of 36 percent in the third quarter of 2017. The report attributes the decline to the 81-percent drop in Android lock-screen malware. It also cited the ease of launching a crypto mining assault as one of the causes of the decline.

Reports of new coin miner malware attacks skyrocketed to 1,189 percent in the first quarter alone. Cryptojacking “hijacks systems to mine for cryptocurrencies and increase their profits.”

Once criminals infect the victim’s systems, they could easily mine and monetize the cryptocurrencies. Unlike in ransomware where they have to ask victims to pay up in return for the lost data, coin mining does not require any contact with people and there is no need for negotiations.

The actors have become more and more sophisticated with their forms and assault leaving no trace and sometimes attacks can remain undetected, according to the report.

Lazarus rises again

Cybercrime group made a comeback after a hiatus, the report said. They marked their return by launching “a highly sophisticated Bitcoin-stealing phishing campaign” called HaoBao. Bitcoin users and financial institutions are the group’s main target. Haobao works by scanning the system of any Bitcoin activity through a malicious email attachment. Once it establishes the presence of Bitcoin, the implant will continuously gather data from the system.

The report noted how in early 2017, the group launched a Korean and English-language phishing campaign that aimed to either collect sensitive information from the military or steal money. At the onset of the last quarter of the same year, the attacks involved malicious email attachments that are the source of the implants. The implants come in two: for data gathering and to establish persistence. According to the report: “These were typically embedded in older versions of Word documents that were launched via a Visual Basic macro. Once these actions were performed, the malware sent the data to a control server.”