
Ransomware, Phishing, Botnets Top “Nastiest” Malware in 2019

You know when a cybersecurity specialist uses the word “nastiest” to describe malware, they’re not playing around.

Cybersecurity and threat intelligence firm Webroot’s third annual Nastiest Malware list, which chronicles the most menacing threats of 2019 to this point, makes it clear that cyber threats are becoming more advanced and difficult to detect. Nasty is a fully appropriate depiction of the danger. Of the cyber offenders, ransomware, phishing and botnets are some of the most vicious, Webroot found.

“It’s that time of year again,” Webroot said in a post announcing the nasty list. “The leaves have changed, ghouls and goblins are about to take to the streets demanding tricks or treats, and Webroot is shining the light on the nastiest malware threats lurking online in 2019. It’s not names like Jason or Freddy that should curdle your blood this October, but TrickBot, Crysis, and the dreaded 'Man in the Mirror.'"

Here is Webroot’s Nastiest Malware list for 2019 to date (via Webroot):

On ransomware. Ransomware has evolved into a more targeted model, aimed mostly at small- to medium-size businesses with limited security resources. Phishing attacks targeting employees and brute forcing of unsecured Remote Desktop Protocol (RDP) services are the primary techniques used by hackers. The nastiest include:

1. Emotet/Trickbot/Ryuk (“Triple Threat”): One of the most successful chains of 2019 in terms of financial damages. The attackers assign a value to the targeted network post-infection and then demand a ransom for that amount after moving laterally and deploying the ransomware.

a. Trickbot/Ryuk: Ryuk infections are typically delivered by Trickbot as a second stage payload for Emotet and result in the mass encryption of entire networks.

b. Dridex/Bitpaymer: Dridex is now being used as an implant in the Bitpaymer ransomware infection chain and is also being delivered as a second stage payload off Emotet.

2. GandCrab: One of the most successful instances of ransomware-as-a-service (RaaS) to date; its authors have boasted shared profits in excess of $2 billion.

3. Sodinokibi (Sodin/REvil): This combination arose after the retirement of GandCrab.

4. Crysis/Dharma: Almost all infections observed were distributed through RDP compromise.

On phishing. Phishing campaigns became more personalized and extortion emails claimed to have captured private behavior using compromised passwords. The nastiest phishing attacks include:

1. The “man in the mirror”: Failure to follow best practices, including reuse and sharing of passwords, together with users’ familiarity with the top impersonated brands like Microsoft, Facebook, Apple, Google and PayPal, caused significant damage in 2019.

2. Business email compromise (BEC): Individuals who are responsible for sending payments or purchasing gift cards were targeted through spoof email accounts impersonating company executives or familiar parties and tricked into giving up wire transfers, credentials, gift cards and more.

On botnets. Botnets remained a dominant force in the infection attack chain. No other type of malware delivered more payloads of ransomware or cryptomining. The three nastiest include:

1. Emotet: Despite a brief shutdown in June, Emotet resurfaced in September as the largest botnet delivering varying malicious payloads.

2. Trickbot: Trickbot’s combination with Ryuk ransomware is one of the more devastating targeted attacks of 2019.

3. Dridex: Dridex is now used as an implant in the infection chain with Bitpaymer ransomware.

On cryptomining & cryptojacking. The explosive growth of cryptojacking sites in 2017-2018 is gone. Cryptomining will not die entirely, however, because it is low-risk, guaranteed money, while also being less “malicious” and less profitable than ransomware. The nastiest campaigns of 2019 include:

1. Hidden Bee: Hidden Bee first started last year with IE exploits and has now evolved to hide payloads inside JPEG and PNG images through steganography and inside WAV media files, alongside Flash exploits.

2. Retadup: Retadup, a cryptomining worm with 850,000 infections, was taken down in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie after it took control of the malware’s command-and-control server.

Consumers and businesses need to become savvier and take cybersecurity education seriously in order to limit their risk, said Tyler Moffitt, Webroot security analyst. “It comes as no surprise that we continue to see cybercriminals evolve their tactics,” he said. “They may be using the same strains of malware, but they are making better use of the immense volume of stolen personal information available to craft more convincing targeted attacks. Consumers and organizations need to adopt a layered security approach and not underestimate the power of consistent security training as they work to improve their cyber resiliency and protection.”

In related research, Webroot just released its Mid-Year Update threat report, which found that one in 50 URLs is malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 71 percent since the beginning of 2019.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.