The Apple ecosystem has long been considered the safer environment compared to Windows when it comes to being targeted by cyberattacks, but that is no longer necessarily the case.
Almost twice as many attacks were recorded against Mac endpoints in 2019 compared to those running Windows, Malwarebytes revealed in its 2020 State of Malware Report. In a way this increase can be blamed on Apple itself. One of the reasons cybercriminals gave Macs short shrift was because the market size was not large enough to justify expending time and energy to develop Mac-specific threats.
“This is likely because, with increasing market share in 2019, Macs became more attractive targets to cybercriminals. In addition, macOS’ built-in security systems have not cracked down on adware and PUPs to the same degree that they have malware, leaving the door open for these borderline programs to infiltrate,” the report stated.
The good news for Mac owners is malware is still more of an issue for Windows machines, but the number of potentially unwanted programs and adware with Adware.NewTab and PUP.PCVARK each being detected more than 25 million times by Malwarebytes. On the malware side only two varieties, OSX.Generic.Suspiciou and OSX.FakeFileOpener, had more than 300,000 detections.
“While these threats are not considered as dangerous as traditional malware, they are becoming a much larger and more noticeable nuisance for Mac users, who can no longer say that their beloved systems are immune from malware Malwarebytes noted that all but one of the PUPs, adware and malware required the user to be tricked into opening or downloading a malicious file,” the report said.
The most notorious case of Mac malware reported in 2019 involved several cryptocurrency exchanges, including Coinbase. Here these were infected using a FireFox zero-day vulnerability to download Wirenet and Mokes malware. This was the first time Macs had been hit through such a vulnerability since 2012 when Java flaws were used. This resulted in Apple simply removing Java from its system to close this attack vector.
Mac issues may have taken top billing in the report, but the number of threats targeting business and consumer Windows machines was also up, albeit just one percent. Malwarebytes detected 50.5 million threats against Windows in 2019. In this space consumers were victimized much more that businesses, with 40.9 million vs. 9.5 million attacks spotted. However, the number of consumer threats did drop 2 percent, while business attacks increased 13 percent.
Adware was the dominant threat against consumers comprising 16.9 percent of all attack types, or more than 10 million more than the next largest malware, trojans.
Interestingly, ransomware attacks may have appeared to be everywhere in 2019 they were far down the list of detected threats against businesses and did not appear at all among the top consumer threats. Adware, trojans, riskware tools and backdoors were more prevalent, and the number of ransomware attacks actually declined.
“Year-over-year volume of ransomware detections declined by 6 percent, but the numbers don’t tell the full story. The ransomware families most popular with threat actors in 2019 were far more advanced than what we saw in 2018 and the years before,” the report said, adding that ransomware attacks also tend to be more high profile and targeted making them appear omnipresent.
Malwarebytes singled out the Ryuk and Sodinokibi ransomware families for a special deep dive in the report.
Ryuk first surfaced in August 2018 and landed its first big name victim when it hit Tribune Publishing four months later. Detections of Ryuk increased by more than 500 percent in the first quarter of 2019 over the previous quarter, and by the fourth quarter 2019, they were up another 43 percent. In many cases it was carried into a system by Trickbot or Emotet as part of a larger attack package that almost exclusively targets enterprise-scale organizations from which it can try and pull large sums of money.
Ryuk ransom notes generally demand between $97,000 and $320,000.
Sodinokibi made its name in 2019 as a ransomware as a service that is most likely operated by GandCrab’s creators. Since its introduction I May 2019 detections of this family have increased by 820 percent. It actively exploits CVE-2019-2725, a vulnerability in Oracle WebLogic and is also spread via spam, phishing campaigns and malvertising.
