It’s that time again! Time for the quarterly Malwarebytes Labs Cybercrime Tactics and Techniques report (aka the Labs CTNT report). To get a more complete picture of what’s been going on in cybercrime this quarter, the Labs team has combined intel and statistics gathered from January through March 2018 from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products, which are deployed on millions of machines.

Here’s what we learned about cybercrime in the first quarter of 2018.

Cryptomining is king

Malicious cryptomining has taken over in 2018, and it’s leaving all other malware families behind. From drive-by mining attacks via browser to scams meant to drain users’ cryptowallets, cybercriminals are taking every opportunity to exploit the rising value and popularity of Bitcoin and other cryptocurrencies.

Even though adware retained its position as our number one consumer detection, it did so only by the skin of its teeth, as malware-based cryptomining is now nipping at its heels in the number two spot. In addition, detections of cryptomining malware for businesses increased by 27 percent over last quarter, bringing it up to the second-highest overall threat detection for businesses this quarter.

Ransomware and spyware try to keep up

But while cryptomining took over, it wasn’t the only game in town. Bad actors continued to experiment with ransomware development and distribution, and spyware kept climbing the charts, usurping hijackers as our number one business detection.

January and February saw unusually low consumer ransomware detections, but during the same timeframe, we saw GandCrab appear as the first ransomware to ask its victims for a cryptocurrency other than Bitcoin. Meanwhile, business ransomware detections are up by 28 percent, but the overall volume remains low, as the threat is unable to crack into the top 5 business detections this quarter.

Spyware became our number 1 detection for businesses this quarter, with an increase of 56 percent from the previous quarter. After a dip at the end of last quarter, spyware detections crept up in December, with January being our most heavily-detected month. The spike is likely due to a malspam campaign delivering the Emotet spyware. Shortly after the spike, spyware was observed dropping significantly near the end of the quarter.

Major vulnerabilities unearthed

The public disclosure of the Meltdown and Spectre vulnerabilities sent software and hardware vendors into a full-blown panic mode, releasing patch after patch to try and mitigate the damage. Cybercriminals capitalized on fear and uncertainty by using social engineering scams to trick users into uploading the latest “patches,” only to infect them with malware.

To read more about cryptomining’s takeover, other quarterly trends in cybercrime, and our predictions for next quarter, download the full Cybercrime Tactics and Techniques (CTNT) report.