
WatchGuard Report: Fileless Malware, Cryptominer Attacks Skyrocket in Q4, 2020


Fileless malware and cryptominer attacks grew by nearly 900 percent and 25 percent respectively, while unique ransomware payloads tumbled by 48 percent compared to 2019, WatchGuard said in its new Q4 2020 Internet Security Report.

During the quarter, encrypted malware detections increased 41 percent over the prior quarter and network attacks hit their highest levels since 2018, the Seattle-based network and endpoint security specialist said. “The attacks are coming on all fronts, as cyber criminals increasingly leverage fileless malware, cryptominers, encrypted attacks and more, and target users both at remote locations as well as corporate assets behind the traditional network perimeter,” said Corey Nachreiner, WatchGuard’s chief technology officer.

Some top line highlights of the study:

  • Cryptominer unique variants rose more than 25% year-over-year, reaching 850 unique variants during 2020 as attackers continued adding modules to existing botnet infections.
  • The number of unique ransomware payloads fell 48% in 2020 to 2,152 unique payloads, from 4,131 in 2019 and the all-time high of 5,489 in 2018. Attackers continued to pivot to highly targeted attacks against healthcare organizations, manufacturing firms and other victims for which downtime is unacceptable.
  • 47 percent of all attacks detected at the network perimeter in Q4 were encrypted.
  • Malware delivered via HTTPS connections increased by 41%, while encrypted zero day malware grew by 22% over Q3.
  • In Q4, the Linux.Generic virus (also known as “The Moon”) debuted on WatchGuard’s list of top 10 malware detections. It directly targets IoT and consumer-grade network devices.
  • Trojan.Script.1026663 made its way onto WatchGuard’s top five most-widespread malware detections list in Q4. The phishing attack ultimately leads the victim machine to load the Agent Tesla remote access trojan and keylogger.
  • Total network attack detections grew by 5 percent in Q4, reaching their highest level in over two years.

Additional findings include:

  • Overall perimeter-detected malware is down 4% quarter-over-quarter.
  • More than 61% of malicious files are zero day malware, up 11 points compared to last quarter.
  • Network attacks mushroomed to more than 3.5 million in Q4, while unique network attack signatures grew just under 4% in Q4. This shows that criminals are still targeting the office with a larger variety of network exploits.
  • Network attacks targeting the Asia and Pacific regions declined 16 points.

WatchGuard offered four recommendations to protect against cyber attacks:

  1. Vet the security of supply chain partners. Make a company’s security one of the attributes you measure when picking new partners, products or services in your supply chain.
  2. Emphasize advanced endpoint protection to combat malware. While everyone has some form of antivirus, many companies do not have the more advanced, full-suite endpoint protection products needed to catch highly evasive malware today.
  3. Deploy EDR to catch fileless malware and LotL threats. Even if you have some sort of endpoint anti-malware solution, also deploy EDR to clean up anything it misses.
  4. Segment and harden IoT networks. Completely segment your IoT devices, placing them on a separate physical or logical network from your other computers, with a security appliance in between.
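The fourth recommendation, put into concrete form. The ruleset below is an added example, not configuration from WatchGuard or the report: it is a minimal nftables forwarding policy for a Linux router that places IoT devices on their own 802.1Q VLAN and lets the firewall sit between that VLAN and the rest of the network. The interface names (wan0, lan0, lan0.20) and the two subnets are hypothetical and should be replaced with your own.

```nftables
# Added example (not from the WatchGuard report): IoT VLAN segmentation on a
# Linux router using nftables. Assumed, hypothetical interfaces and addressing:
#   wan0     -> upstream link
#   lan0     -> trusted workstations, 10.0.10.0/24
#   lan0.20  -> IoT VLAN (802.1Q tag 20), 10.0.20.0/24
define WAN     = "wan0"
define LAN     = "lan0"
define IOT     = "lan0.20"
define LAN_NET = 10.0.10.0/24
define IOT_NET = 10.0.20.0/24

table inet iot_segmentation {
    chain forward {
        # Default-deny: anything not explicitly accepted below is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that an allowed rule already admitted
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may initiate connections to IoT devices (management, local control)
        iifname $LAN oifname $IOT ip saddr $LAN_NET ip daddr $IOT_NET accept

        # IoT devices may reach the internet only on the ports they actually need
        iifname $IOT oifname $WAN ip saddr $IOT_NET udp dport { 53, 123 } accept
        iifname $IOT oifname $WAN ip saddr $IOT_NET tcp dport { 80, 443 } accept

        # Everything else originating from the IoT VLAN, including any attempt to
        # reach the trusted LAN, is rate-limited into the log and then dropped by
        # the chain policy (no accept verdict on this rule)
        iifname $IOT limit rate 5/minute log prefix "iot-drop: "
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. The chain covers forwarded traffic only; services the router itself offers to the IoT VLAN (DHCP, DNS) need matching rules in an input chain. Because the policy is drop, a compromised IoT device cannot open connections toward workstations, and the log prefix gives the security appliance in between something to alert on when it tries.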

“Effective security today means prioritizing endpoint detection and response, network defenses and foundational precautions such as security awareness training and strict patch management,” said Nachreiner.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.