With 2023 around the corner, we’ve seen yet another eventful year for the threat landscape, and malware continues to take centre stage among the threats posed to individuals, businesses, and governments.
OpenText’s annual survey of the cyber landscape paints a nuanced picture of the biggest threats of the year, but it is more than just doom and gloom. In addition to sharing insights into hackers and their latest techniques, our yearly round-up also allows us to consider the best ways to prepare for, and defend against, increasingly sophisticated cyber threats and double down on cyber resilience. Given that cybercriminals are constantly refining their tactics, cybersecurity experts need to do the same to stay prepared and well-positioned to fend off incoming attacks.
2022: a year in cybercrime
Overall findings from the past year show a generalised increase in malware activity. Phishing, in particular, has seen an almost 1100% increase during the first four months of 2022 compared to the same timeframe in 2021.
Meanwhile, the ransomware double extortion tactic continues to be a favourite for criminals and absolute hell for victims. Some ransomware groups threaten to leak data even if the victim attempts to work with ransom negotiation services that are typically included in cybersecurity insurance. As a result, we have seen that organisations are shifting from relying on cyber insurance policies to increasing the strength of their layered defences to be more resilient against ransomware attacks. Ransom payments have also been increasing at a much higher rate than inflation. The peak average ransom payment was above $300,000 this year; last year it peaked at $200,000, and in 2019 the average payment was $40,000.
However, it’s not all bad news. Earlier this year we saw the strongest action yet from law enforcement agencies striking back against ransomware gangs. REvil, which has featured consistently on the OpenText Security Solutions’ Nastiest Malware list over the years, was hit the hardest. Russian authorities arrested members of the REvil gang and seized their computers and other assets. The REvil shutdown represents a positive sign for 2022 as law enforcement agencies develop more robust capabilities to arrest, prosecute and incarcerate ransomware gangs.
Nastiest Malware of 2022 unwrapped
This year’s Nastiest Malware includes:
- Emotet once again returns to its pole position as the most successful botnet in existence, following a brief shutdown last year. Emotet’s objective is to send malicious spam campaigns to billions of emails a day. It creates a foothold on a victim’s computer, with follow-up malware that will then move laterally and compromise the rest of the environment before bringing in the final payload of ransomware.
- LockBit is this year’s most prolific – and successful – ransomware group. While the group has been around for about three years as a ransomware-as-a-service (RaaS) group, they continue to advance their tactics. In addition to taking data, holding it for ransom and threatening to leak it, triple extortion adds a third layer: a distributed denial-of-service (DDoS) attack on an entire system to completely lock it down.
- Conti, a ransomware-as-a-service malware, has been on our Nastiest Malware radar for quite some time. In February of 2022, Conti released a statement of support on their leak site for the Russian government. Shortly after, a Twitter account, ContiLeaks, leaked the group’s internal chats dating back almost two years, resulting in the dismantling of their leak site and command and control servers. Conti has since rebranded into multiple operations, most notably HelloKitty, BlackCat, and BlackByte.
- Despite being possibly the oldest of its kind, Qbot (AKA Qakbot) is still very much active today and continues to wreak havoc on systems globally. Qbot is an info-stealing trojan that moves throughout the network and infects the entire environment while “casing the joint” to allow access to as much data as possible to exfiltrate for extortion and to prepare for the final stage of ransomware payloads.
- Valyria is another strain of a “former banking trojan turned into malicious spam” botnet with email attachments, converted into malicious scripts that start an infection chain typically resulting in ransomware. The greatest challenge posed by Valyria is the complexity of the components and its ability to evade detection.
- Cobalt Strike and Brute Ratel are adversarial attack simulation tools. Cobalt Strike is a pen testing tool designed by white hats, while Brute Ratel was created for red teams. The purpose of these tools is to help teams simulate attacks to understand the tactics hackers use, determine security gaps, and make the appropriate changes. Unsurprising, then, that Cobalt Strike and now Brute Ratel are both frequently used by hackers with malicious intent.
Of course, the above list is hardly exhaustive; unfortunately, the list of tactics used by hackers to infiltrate systems and obtain data is vast and continues to grow. Voice phishing and MFA (multi-factor authentication) fatigue attacks are just two examples where hackers rely on the vulnerability of human beings as opposed to targeting much more resilient computer systems; the idea being that it is far easier to hack the former than the latter.
Social engineering measures are particularly dangerous, given that they rely on human fallibility. One simple error can override even highly secure, seemingly hack-proof systems. Computers might be near-perfect, but their users never will be. A key takeaway from 2022 is that we need to prepare for attacks on both.
Navigating malware in 2023 and beyond
No business, regardless of size, is safe from cybercriminals. Putting policies and technology in place to minimize the effectiveness of potential ransomware attacks is essential. Creating cyber resilience requires strong multi-layered security and data protection policies to prevent, respond and quickly recover from threats.
A key step is locking down Remote Desktop Protocol (RDP). Using RDP solutions that encrypt data alongside multi-factor authentication protects against vulnerabilities when remoting into other machines. Locking down remote access also depends on awareness of all the remote desktop software being used – an important facet in appropriate defence, as criminals are now installing legitimate remote desktop tools to backdoor your environments while also avoiding detection. Of course, installing reputable cybersecurity software is also crucial. It is best to implement a solution that uses real-time, global threat intelligence and machine learning to stop threats. Protection with multi-layered shielding can detect and prevent attacks at numerous different attack stages. Even with all these steps, hackers might still get through, and so it is also important to have a backup and disaster recovery plan in place.
As new threats emerge and evolve, so must security awareness training. Keeping users up to date on the latest scams and attacks will help transform employees from a weakness into the first line of defence. Running regular cybersecurity awareness trainings and phishing simulations keeps data safe and secure. Also, make sure employees know when and how to report a suspicious message. Hackers never sleep, and neither should our defences.
Kelvin is Senior Threat Research Analyst at OpenText Security Solutions. Kelvin has over a decade’s worth of experience analysing the landscape and finding threats that could potentially harm customers. Over the years, he has become a trusted voice in the cybersecurity industry.