It's Like 2020 But Worse
Check out the full infographic attached below!
This year was yet another year with COVID-19 and malware running rampant in the headlines. Be it in person or online, the world is still struggling in the fight against viruses. This year took another ghastly turn when attacking critical infrastructure and supply chains became a new trend. Perhaps because popular botnets were down, or maybe it’s just plain old-fashioned nation-state sponsored attacks.
We saw some previous big players exit the scene this year, some vacation to the beach and some off to prison. In any event, 2021 was one where cyberthreats, especially ransomware, dominated the news.
Ransomware extortion has evolved from a trend into a new normal. Every major ransomware campaign is running the double extortion method, a scary prospect for small businesses. Not only are they stealing and locking files away, but the bad actors will absolutely leak data in the most damaging way if a ransom settlement is not reached. The good news (I guess) is that last year’s average ransom payment of $200,000 was its peak, and today’s average is just below $150,000.
The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience. The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it – just like a hydra head, or zombies! To top it off, supply chain attacks are becoming a massive issue.
Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware. This highlights the importance of user education – after all, every monster has a weakness. You just need to stake a vampire, cut off the head of a zombie or train users not to click on these phishing lures or to enable macros from the attachments – these methods are proven in stopping these creatures (and malware) in their tracks.
While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This will allow each group to specialize on their respective payload and perfect it.
So, in no particular order (and in honor of Cybersecurity Awareness Month), here goes…
LemonDuck has only been around for a couple years as a well-known botnet and cryptomining payload. It’s one of the most annoying payloads because it will use just about every infection vector in the book like COVID-themed emails, exploits, fileless powershell modules and brute force. But in 2021 LemonDuck grew more popular and even added some new features like stealing credentials, removing security protocols and even dropping more tools for follow up attacks. To make matters worse, LemonDuck will attack Linux systems as well as Windows, which is both handy and rare. It will use older vulnerabilities to compromise which can stay unpatched when victims only focus on patching the recent and popular vulns.
An interesting quirk is that LemonDuck removes other hackers from victim’s devices by eliminating competing malware infections. LemonDuck wants to be the biggest, Nastiest Malware and they even prevent new infections by patching the very vulnerabilities it used to gain access. It mines XMR because that is the friendliest hashing algorithm for consumer-grade hardware and therefore secures the most profits for cybercriminals. These profits are instant and are generated by the power bill of the victim over time. There is no ransom demanded, and therefore no consent or knowledge of the attack/breach is needed by the victim – making this very nasty.
REvil of course makes our list. Everyone, even those who aren’t into infosec, heard about the July Kaseya supply chain attack targeting mainly American companies right before the holiday. They also attacked countless other businesses, including global meat supplier JBS. It’s no surprise that a group with a name like REvil would make our list year after year.
You may have heard of ransomware named Gandcrab back in 2018, or Sodinokibi in 2019. Well, it’s all the same group and this year they were/are REvil. They offer ransomware as a service (Raas), which means they make the encrypting payload and facilitate the extortion leak sites on the dark web.
Affiliates will conduct the attack (however they want), use the ransomware payload and all profits are shared. Shortly after the Kaseya attack and subsequent meetings between the White House and Vladimir Putin, REvil payments and leak sites went down and the onion links no longer worked.
"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," - Advanced Intel's Vitali Kremez
As with many nasty malwares on this list, REvil is probably not dead (their leak site on the dark web came back online in early September). After taking what is presumed to be a nice holiday break, they are turning their infrastructure back on – so expect a sequel
It’s been around for a decade now as a popular banking trojan that’s evolved into one of the most widely recognized botnets in existence. Used by a large chunk of the cyber-underworld, Trickbot is linked to many ransomware groups due to its versatility and resilience. Late last fall, the DoD, Microsoft and others carried out attacks on the groups botnet and almost destroyed it. But like any good zombie, they rose again to become the leading botnet after Emotet’s shutdown.
Trickbot infections almost always lead to ransomware. Once on the machine, it moves laterally through networks, using exploits to propagate and gather as many credentials as possible. Sometimes, it takes weeks or months until all domain credentials are gathered. Once they have full control of the environment, they make sure the ransomware will do the most damage with mitigations likely to fail.
Another very popular banking trojan and infostealer that has been around for years, Dridex is tightly linked to ransomware like Bitpaymer/Doppelpaymer/Grief. Dridex was dropped on machines from Emotet until their shutdown, but now runs its own malspam campaigns.
Once on one machine, it also moves laterally through a network to drop dridex loaders on every machine to create persistence. And just like Trickbot, Dridex takes its time gathering credentials until gaining full control. From there, they can do the most damage while preventing mitigation strategies from shutting them down.
Dridex authors have been known as the “Evil Corp” group, whose leader is wanted by the FBI for the maximum reward of $5M
This ransomware group is no stranger to our Nastiest Malware list, where its graced these these pages before as the ransomware operators behind Ryuk (which uses Emotet and Trickbot). In fact, they were the FBI’s most successful ransomware group of 2019. While Conti has been deployed from RDP, it's not usually brute-forced from unsecured RDP. Most often the credentials are grabbed or phished elsewhere, from an info stealing trojans like Trickbot or Qakbot.
These ransomware authors also operate a breach/leak site to further intimidate victims into paying ransoms. Conti made plenty of headlines and breached many large organizations in 2021, but hasn’t gone dark yet. We’ve also noticed that LockFile ransomware lists a Conti gang’s email address as a contact for payment, linking the two groups.
Cobalt Strike is a pen testing tool designed by white hats. Its purpose is to help red teams simulate attacks so hackers can infiltrate an environment, determine its security gaps and make the appropriate changes. There are several very powerful and useful features in this tool like process injection, privilege escalation, credential and hash harvesting, network enumeration, lateral movement and more.
All these are attractive to hackers, so it’s not surprising that we’ve seen Cobalt Strike used by the bad guys OFTEN. It’s unique for us to list a tool for white hats on among our Nastiest Malware, but this tool is easy to use for scalable, customized attacks. It’s no wonder so many threat actors are adopting it as one of the tools in their arsenal.
Hello Kitty – This group gets an dis-honorable mention because of their unique attack on VMWare ESXI using exploits. It was made famous by breaching CD Projekt RED and stealing their source code for games, most notably for CyberPunk 2077 and Witcher 3.
DarkSide – The colonial pipeline attack was the most notable attack of 2021, causing a cascading gas shortage compounded by panic buying. It reminded us how disruptive ransomware attacks can be and its surrounding hype was reminiscent of Wannacry. The RaaS group claimed it had no intention of attacking infrastructure and blamed an affiliate for the pipeline. But just a few weeks after the attack, a similar RaaS emerged called Black Matter and claimed to attack all environments BUT medical and state institutions. They also claimed that they were not the same people. But honestly, who believes that?
Lets hope none of these malware ever come back to life
How to stay safe
It’s time to sharpen your stakes, polish your pitchforks and learn how to keep safe from monstrous malware. With attackers becoming more sophisticated every year, it’s important to have a multi-layered protection strategy.
Here are some tips from our experts
- Lock down Remote Desktop Protocols (RDP).
- Use RDP solutions that encrypt data and use multi-factor authentication. This needed increase in security protects against vulnerabilities when remoting into other machines.
- Educate end users.
- Preventing attacks starts with stronger awareness among end users. Running regular cybersecurity awareness trainings and phishing simulations keeps data safe and secure. Also, make sure employees know when and how to report a suspicious message.
- Install reputable cybersecurity software.
- Choose a solution that uses real-time, global threat intelligence and machine learning to stop threats. Look for protection with multi-layered shielding to detect and prevent attacks at numerous different attack stages.
- Set up a strong backup and disaster recovery plan.
- With hybrid work with us for the long haul, businesses can’t afford to go without a strong backup. Test backups regularly and set alerts so admins can easily see if something’s amiss.
- Develop a healthy dose of suspicion toward messages.
- Treat your emails like the same way you’d treat a graveyard in a horror movie. Don’t click on links or attachments in emails. Be suspicious of any emails, texts, phone calls or social media messages that ask for personal info.
- Protect your devices with antivirus and a VPN.
- Be sure to secure not just computers, but smartphones and tablets, too. And when you ditch an old device, be sure to wipe it first.
- Keep your antivirus software and other apps up to date.
- Hackers use outdated software and operating systems to get malware onto your system and steal from you. Install updates.
- Use a secure cloud backup.
- We recommend using both an online backup that stores your data in an encrypted format and a physical backup drive that you unplug when not in use.
- Create strong, unique passwords (and don’t share them).
- Length = Strength. Use passphrases to increase the characters of passwords and defend against brute force
- You can use a password manager to help you create and store good passwords. That way, you don’t have to remember them all or write them down.
- If a file you downloaded asks you to enable macros, DON’T DO IT.
- This is a strong telltale sign that the file is infected with malicious code. Even though macros have legitimate uses, they are extremely rare in a normal home user context.