{"id":30605,"date":"2020-10-27T06:00:22","date_gmt":"2020-10-27T12:00:22","guid":{"rendered":"https://www.webroot.com/blog/?p=30605"},"modified":"2020-10-23T15:19:20","modified_gmt":"2020-10-23T21:19:20","slug":"the-nastiest-malware-of-2020","status":"publish","type":"post","link":"https://www.webroot.com/blog/2020\/10\/27\/the-nastiest-malware-of-2020\/","title":{"rendered":"The Nastiest Malware of 2020"},"content":{"rendered":"\n<p>For the third year running, we\u2019ve examined the year\u2019s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we\u2019ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.<\/p>\n\n\n\n<p>For example, a new trend in ransomware this year is the addition of a data leak\/auction website, where criminals will reveal or auction off data they\u2019ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines under privacy regulations like GDPR. <br><br>But the main trend we\u2019ll highlight here is that of modularity. Today\u2019s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and\/or financial success.<\/p>\n\n\n\n<p>Here are a few\nof the nastiest characters and a breakdown of how they can work together. <\/p>\n\n\n\n<ul><li><strong>Emotet botnet + TrickBot Trojan + Conti\/Ryuk\nransomware<\/strong><br>\nThere\u2019s a reason Emotet has topped our list for 3 years in a row. 
Even though\nit\u2019s not a ransomware payload itself, it\u2019s the botnet that is responsible for\nthe most ransomware infections, making it pretty darn nasty. It\u2019s often seen\nwith TrickBot, Dridex, QakBot, Conti\/Ryuk, BitPaymer and REvil.<br>\n<br>\nHere\u2019s how an attack might start with Emotet and end with ransomware. The\nbotnet is used in a malicious spam campaign. An unwitting employee at a company\nreceives the spam email and accidentally downloads the malicious payload. With its\nfoot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot\nspreads laterally through the network like a worm, infecting every machine it\nencounters. It \u201clistens\u201d for login credentials (and steals them), aiming to get\ndomain-level access. From there, attackers can perform recon on the network,\ndisable protections, and drop Conti\/Ryuk ransomware at their leisure.<\/li><\/ul>\n\n\n\n<ul><li><strong>Ursnif Trojan + IcedID Trojan + Maze\nransomware<br>\n<\/strong>Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has\nresurfaced after being mostly dormant for a few years. In an attack featuring\nthis troublesome trio, Ursnif might land on a machine via a malicious spam\nemail, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the\nattackers\u2019 chances of getting the credentials or intel they want. (Interestingly,\nIcedID has been upgraded to use steganographic payloads. Steganography in\nmalware refers to concealing malicious code inside another file, message, image\nor video.) Let\u2019s say the Trojans obtain the RDP credentials for the network\nthey\u2019ve infected. In this scenario, the attackers can now sell those\ncredentials to other bad actors and\/or deploy ransomware, typically Maze. 
(Fun\nfact: Maze is believed to have \u201cpioneered\u201d the data leak\/auction website\ntrend.)<\/li><\/ul>\n\n\n\n<ul><li><strong>Dridex\/Emotet malspam + Dridex Trojan +\nBitPaymer\/DoppelPaymer ransomware<\/strong><\/li><\/ul>\n\n\n\n<p>Like TrickBot, Dridex is another very popular\nbanking\/info-stealing Trojan that\u2019s been around for years. When Dridex is in\nplay, it is either dropped via Emotet or its authors\u2019 own malicious spam\ncampaign. Also like TrickBot, Dridex spreads laterally, listens for\ncredentials, and typically deploys ransomware like BitPaymer\/DoppelPaymer.<\/p>\n\n\n\n<p>As you can see,\nthere are a variety of ways the attacks can be carried out, but the end goal is\nmore or less the same. The diverse means just help improve the likelihood of\nsuccess. <\/p>\n\n\n\n<p>The characters\nmentioned above are, by no means, the only names on our list. Here are some of\nthe other notable contenders for Nastiest Malware.<\/p>\n\n\n\n<ul><li><strong>Sodinokibi\/REvil\/GandCrab ransomware <\/strong>\u2013\nall iterations of the same ransomware, this ransomware as a service (RaaS)\npayload is available for anyone to use, as long as the authors get a cut of any\nsuccessful ransoms. <\/li><li><strong>CrySiS\/Dharma\/Phobos ransomware <\/strong>\u2013 also RaaS\npayloads, these are almost exclusively deployed using compromised RDP\ncredentials that are either brute-forced or easily guessed. <\/li><li><strong>Valak <\/strong>\u2013 a potent multi-functional malware\ndistribution tool. Not only does it commonly distribute nasty malware such as IcedID\nand Ursnif, but it also has information-stealing functionality built directly\ninto the initial infection.<\/li><li><strong>QakBot <\/strong>\u2013 an info-stealing Trojan often\ndropped by Emotet or its own malspam campaigns with links to compromised\nwebsites. 
It\u2019s similar to TrickBot and Dridex and may be paired with ProLock\nransomware.<\/li><\/ul>\n\n\n\n<h2>Combine protections to combat\ncombined attacks. <\/h2>\n\n\n\n<p>If businesses want to stay\nsafe, they need to implement multiple layers of protection against these types\nof layered attacks. Here are some tips from our experts.<\/p>\n\n\n\n<ul><li><strong>Lock down RDP.<\/strong>\nSecurity analyst Tyler Moffitt says unsecured RDP has risen over 40% since the\nCOVID-19 pandemic began because more businesses are enabling their workforce to\nwork remotely. Unfortunately, many are not doing so securely. He recommends\nbusinesses use RDP solutions that encrypt the data and use multi-factor\nauthentication to increase security when remoting into other machines.<\/li><li><strong>Educate end users about\nphishing.<\/strong> Principal product manager Phil Karcher points out that many of\nthe attack scenarios listed above could be prevented with stronger\nphishing\/spam awareness among end users. He recommends running regular security\ntraining and phishing simulations with useful feedback. He also says it\u2019s\ncritical that employees know when and how to report a suspicious message.<\/li><li><strong>Install reputable cybersecurity\nsoftware.<\/strong> Security intelligence director Grayson Milbourne can\u2019t stress\nenough the importance of choosing a solution that uses real-time threat\nintelligence and offers multi-layered shielding to detect and prevent multiple\nkinds of attacks at different attack stages.<\/li><li><strong>Set up a strong backup and\ndisaster recovery plan.<\/strong> VP of product management Jamie\nZajac says that, particularly with a mostly or entirely remote workforce,\nbusinesses can\u2019t afford not to have a strong backup. 
She strongly recommends\nregular backup testing and setting alerts and regular reporting so admins can\neasily see if something\u2019s amiss.<\/li><\/ul>\n\n\n\n<p>Discover more about 2020\u2019s\nNastiest Malware on <a href=\"https:\/\/community.webroot.com\/news-announcements-3\/nastiest-malware-2020-345251\">the Webroot Community.<\/a><br>\n<br>\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the third year running, we\u2019ve examined the year\u2019s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we\u2019ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty [&hellip;]<\/p>\n","protected":false},"author":151,"featured_media":30607,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[21940,21944],"yst_prominent_words":[],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30605"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/151"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=30605"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30605\/revisions"}],"predecessor-version":[{"id":30613,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/30605\/revisions\/30613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/30607"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=30605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":
"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=30605"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=30605"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=30605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}