10 October 2017

Results and forecasts: Group-IB presented Hi‑Tech Crime Trends 2017 report

Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, presented its Hi-Tech Crime Trends 2017 report at CyberCrimeCon.

In the next year, the main source of losses for banks from cyber-attacks will not be the theft of money but the destruction of their IT infrastructure during the final stages of a targeted attack. Banks used to be attacked mainly by cybercriminals; today, state-backed hackers are attacking them much more frequently as well. Cybercriminals will destroy IT infrastructure to cover their tracks during thefts, while state-sponsored hackers will aim to maximize the damage to banks and halt banking operations. In both cases, the damage done to banks may exceed the amount of funds stolen, because of service interruptions and the resulting reputational and regulatory impact.
  • One possible sabotage scenario is trading on exchanges on behalf of the victim bank in order to influence exchange rates and cause losses. This can lead to snowball-style flash crashes as HFT trading algorithms respond to the fluctuations in exchange rates.
  • Out of 22 new malicious programs used to steal funds, 20 (91%) were created and are controlled by Russian-speaking hackers.
  • Phishing against banks and payment systems is automated and conducted in real time, which allows cybercriminals to bypass SMS confirmations for debiting money. On average, 10-15% of visitors to financial phishing websites enter their data.
Hackers are increasing their focus on the crypto industry (ICOs, wallets, exchanges, funds), which has been accumulating increasingly large capitalisations and funds. In technical terms, attacks against service providers in this sector are no more difficult than attacks against banks, but the information security posture and maturity of blockchain companies are significantly lower. A further motivation for criminal attackers is that blockchain technologies are more anonymous and unregulated, which considerably reduces the risk of being caught when withdrawing money.
  • The total damage caused by targeted hacker attacks on the cryptocurrency industry amounts to more than $168 million, and the income from attacks on cryptocurrency exchanges varies from $1.5 million (Bitcurex) to $72 million (Bitfinex), whereas a successful attack on a bank brings criminals only about $1.5 million on average.
  • Attacks on cryptocurrency exchanges are conducted in the same way as targeted attacks on banks, with similar or sometimes identical tools and tactics. For example, cybercriminals use fake IDs to obtain the victim's SIM card, recover passwords and gain control over accounts in cryptocurrency services.
  • The fact that attackers are "retargeting" popular banking Trojans such as TrickBot, Vawtrak, Qadars, Tinba and Marcher to collect the logins and passwords of cryptocurrency users suggests that they have found a new niche and might focus outside the traditional banking sector in the near future.
  • Targeted attacks on cryptocurrency exchanges will be carried out not only by financially motivated hackers but by state-sponsored attackers as well.
Hackers will now successfully attack more industrial facilities, as they have learnt how to work with the "logic" of critical infrastructure. These facilities use complex and unique IT systems: even if one gains access to them, specific knowledge of how they operate is needed to conduct an attack. Over the past year, we have observed that hackers' competence has increased along with their capacity to impact critical infrastructure. We therefore forecast new large-scale incidents targeting industrial facilities and related core infrastructure.

The BlackEnergy group continues to attack financial and energy companies. The group uses new tools that allow remote terminal units (RTUs), which are responsible for physically opening and closing sections of the power grid, to be controlled remotely. Test attacks on power generating companies in the UK and Ireland were tracked in the summer of 2017.

The growth in the number of attacks and the totals stolen is a significant indicator of hackers' capabilities, which drive changes in their tactics and targets. The majority of attackers follow the money, and if they find more efficient and safer ways to earn it, they start investing in them, creating new tools, services and attack schemes.

In Russia, the losses caused by theft from legal entities are still in decline, but the losses caused by Android banking Trojans are still increasing. The number of targeted attacks on banks and payment systems is on the rise, but hackers have earned the majority of their profits outside Russia, as we predicted last year.

Since phishing attacks on bank clients and payment systems became fully automated, the losses they cause in Russia have become very significant. Every day they hit many more users than banking Trojans do, although the net loss is still smaller. However, because the scheme is so simple, an increasing number of criminals are starting to use it.

Hi-tech crime market assessment

  • Fileless malware that uses malicious scripts to launch an attack is a new method and currently the primary one. To slip under the radar, hackers use fileless software that exists only in RAM until the system is rebooted. In addition, malicious PowerShell, VBS and PHP scripts help them to maintain persistence in the system and automate some stages of their attacks.
  • NotPetya has demonstrated that creating a template can be enough to gain control over a corporate network. In the future, we should expect many scripted cyber-attacks as well as ready-made simple tools that gain control over corporate domains automatically. If such tools are made publicly available or are sold among hackers, this can lead to avalanche-like growth in attacks on the corporate sector. We primarily expect more incidents involving ransomware, theft of confidential information and extortion for non-disclosure, money theft, and incidents of public exposure by non-financially motivated hackers.
  • We expect malware developers to continue publishing the source code of their programs online, and to do so more actively. In addition, leaks published by The Shadow Brokers and similar groups will be used immediately for malware creation and improvement. This will give a powerful boost to the development of the cybercrime industry.

The full version of Hi-Tech Crime Trends 2017

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.