10 October 2017

Results and forecasts: Group-IB presented Hi‑Tech Crime Trends 2017 report

Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, presented its Hi-Tech Crime Trends 2017 report at CyberCrimeCon.

In the next year, the main source of losses for banks from cyber-attacks will not be theft of money, but destruction of their IT infrastructure during the final stages of a targeted attack. Banks used to be attacked by cybercriminals. Today, state-backed hackers are also doing this much more frequently. By destroying IT infrastructure cybercriminals will attempt to cover their tracks during thefts, while the aim of state-sponsored hackers will be to maximize the damage to banks and discontinue banking operations. In both cases, the damage done to banks may be even greater than the amount of funds stolen due to service interruptions and the resulting reputational and regulatory impact.
  • One of the possible sabotage scenarios may be trading on exchanges on behalf of the victim bank in order to influence exchange rates and cause losses. This can lead to snowballing style flash crashes as HFT trading algorithms respond to fluctuations in exchange rates.
  • Out of 22 new malicious programs used to steal funds, 20 (91%) were created and are controlled by Russian-speaking hackers.
  • Phishing for banks and payment systems is automated and conducted in real time, which allows cybercriminals to bypass SMS confirmations for debiting money. On average, 10-15% of visitors of financial phishing websites enter their data.
Hackers are increasing their focus on the crypto industry (ICO, wallets, exchanges, funds), which have been accumulating increasingly large capitalisations and funds. In technical terms, the attacks against service providers in this sector are no more difficult than against banks, however the information security in place and maturity of blockchain companies is significantly lower. A further motivation for criminal attackers is that blockchain technologies are more anonymous and unregulated – this considerably reduces the risk of being caught during money withdrawal.
  • The total damage caused by targeted hacker attacks on the crypto-currency industry amounts to more than $168 million, and the income from attacks on cryptocurrency exchanges varies from $1.5 million (Bitcurex) to $72 million (Bitfinex). While a successful attack on a bank brings criminals only about $1.5 million on average.
  • Attacks on cryptocurrency exchanges are conducted in the same way as targeted attacks on banks with similar or sometimes identical tools and tactics. E.g. cybercriminals use fake ID to get victim’s SIM-card to recover passwords and gain control over accounts in cryptocurrency services
  • The fact attackers are “retargeting” popular banking Trojans such as TrickBot, Vawtrak, Qadars, Tinba, Marcher to collect logins and passwords of cryptocurrency users suggests that they have found a new niche and might focus outside of the traditional banking sector in the nearest future.
  • Targeted attacks on cryptocurrency exchanges will be carried out not only by financially motivated hackers but by state-sponsored attackers as well.
Hackers will now successfully attack more industrial facilities as they have learnt how to work with the “logic” of critical infrastructure. These facilities use complex and unique IT systems: even if one gains access to them, specific knowledge about the principles of their operation is needed to conduct attacks. Over the past year, we have observed that hackers’ competence has increased along with their capacities to impact critical infrastructure. Therefore, we now forecast new large-scale incidents targeting industrials and related core infrastructure.

BlackEnergy group continues to attack financial and energy companies. The group uses new tools that allow Remote terminal units (RTUs) responsible for the physical opening/closing of power grids to be remotely controlled. Test attacks on power generating companies in the UK and Ireland were tracked in the summer of 2017.


The growth in the number of attacks and the totals stolen is a significant indicator of hackers’ capabilities, which drive changes in their tactics and targets. The majority of attackers follow the money, and if they find more efficient and safer ways to earn it, they start investing in them, creating new tools, services, and attack schemes.

In Russia, the amount of losses caused by theft from legal entities is still in decline, but the loss caused by Android banking Trojans is still on the increase. The number of targeted attacks on banks and payment systems is on the rise, but hackers have earned the majority of their profits outside Russia, as we predicted last year.

After phishing attacks on bank clients and payment systems were fully automated, the amount of loss from their activity in Russia became very significant. Every day they attack many more users than banking Trojans, but the net amount of loss is still smaller. However, due to the simplicity of this scheme, an increasing number of criminals are starting to use it.

Hi-tech crime market assessment


  • Fileless malware using malicious scripts to launch an attack is a new and currently the primary attack method. To slip under the radar, hackers use fileless software that exists only in RAM until the system is rebooted. That said, malicious PowerShell, VBS, PHP scripts help them to ensure persistence in the system and automate some stages of their attacks.
  • NotPetya has demonstrated that creating a template can be enough to gain control over a corporate network. In the future, we should expect many scripted cyber-attacks as well as ready-made simple tools that can gain control over corporate domains automatically. If such tools are made publicly available or are sold among hackers, this can lead to an avalanche in growth of attacks on the corporate sector. We primarily expect more incidents involving ransomware, theft of confidential information and extortion for non-disclosure, money theft, and incidents of public exposure by non-financially motivated hackers.
  • We expect malware developers to be more active in continuing to publish codes of their programs online. In addition, leaks published by The Shadow Brokers and similar organisations will also be immediately used for malware creation and improvement. This will give a powerful boost to the development of the cybercrime industry.

The full version of Hi-Tech Crime Trends 2017

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB Threat Intelligence & Attribution system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s 17 years of experience in cybercrime investigations worldwide and 65,000 hours of incident response accumulated in our leading forensic laboratory and 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.

Report an incident

24/7 Incident Response Assistance +65 3159-4398

Thank you for the inquiry! We will contact you soon.

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

Report an incident