Webroot's Nastiest Malware List Highlights Attack Sophistication

Company impersonation continues to be a widespread concern in 2019.

Edward Gately, Senior News Editor

October 29, 2019


Phishing attacks are getting more complex and sophisticated as cybercriminals make use of access to more personal information.

That’s according to Webroot‘s third annual Nastiest Malware list, shedding light on 2019’s worst cybersecurity threats. Consumers and businesses alike need to become savvier and take cybersecurity education seriously in order to limit their risk, it said.

Tyler Moffitt, security analyst with Webroot, tells us business email compromise (BEC) has done significant damage, with more than $26 billion made from this scam in the past three years, according to FBI statistics.


Webroot’s Tyler Moffitt

“We expect this trend to continue in the coming years as ongoing data exposures provide cybercriminals with more stolen personal information to better tailor their attacks to individual victims,” he said. “The report demonstrates that SMBs continue to struggle with security, hindered by severely limited security budgets and talent. This highlights a huge opportunity for MSPs and MSSPs, who can alleviate the problem by providing more strong, yet affordable security solutions. The report also underlines the prevalence and dexterity of cybercriminals and their use of phishing, highlighting the need for security awareness training programs and phishing simulators, prime solutions for MSPs and MSSPs to offer their customers to see real return.”

Webroot’s 2019 Nastiest Malware includes:

  • Ransomware, which continued to see success by evolving the more targeted model initially adopted in previous years.

  • Phishing campaigns, which have become more personalized; extortion emails claimed to have captured lewd behavior and cited compromised passwords as proof.

  • Botnets, which remained a dominant force in the infection attack chain; no other type of malware delivered more ransomware or cryptomining payloads.

  • Cryptomining and cryptojacking, since cryptomining is low-risk, guaranteed money, while also being less malicious and less profitable than ransomware.

Under ransomware, Emotet-Trickbot-Ryuk, the “triple threat,” is one of the most successful chains of 2019 in terms of financial damages. These strains have shifted their focus to more reconnaissance-based operations: they assign a value to the targeted network post-infection, move laterally, deploy the ransomware, and then send a ransom demand for that amount, according to Webroot.

“It’s been surprising to see the Emotet botnet continue to evolve and wreak havoc in different ways, whether that’s delivering cryptomining payloads or ransomware infections via Trickbot/Ryuk or Dridex/Bitpaymer,” Moffitt said. “After being the most prevalent and persistent botnet last year, Emotet again claimed the title of nastiest this year despite being shut down from June to September.”

Also, GandCrab is one of the most successful instances of ransomware as a service (RaaS) to date, and its authors have boasted of shared profits in excess of $2 billion. Sodinokibi-Sodin/REvil arose after the retirement of GandCrab, and it’s not uncommon for successful threat actors who receive a lot of attention to start new projects in an attempt to remain successful.

Back for its second year on the list, Crysis/Dharma ransomware was actively distributed in the first half of 2019 and almost all infections observed were distributed through remote desktop protocol (RDP) compromise.

Under phishing, company impersonation continues to be a widespread concern as 2019 continued to prove that failure to follow best practices – including reuse and sharing of passwords, and familiarity with the top impersonated brands like Microsoft, Facebook, Apple, Google and PayPal – caused significant damage.

Also, BEC tricked victims into giving up wire transfers, credentials, gift cards and more.

Under botnets, Emotet continued its dominance in 2019. Despite a brief shutdown in June, Emotet resurfaced in September as the largest botnet delivering varying malicious payloads.

Also, Trickbot’s modular infrastructure makes it a serious threat for any network it infects. Its combination with Ryuk ransomware is one of the more devastating targeted attacks of 2019, according to Webroot. And Dridex, once considered one of the most prominent banking trojans, is now used as an implant in the infection chain with Bitpaymer ransomware.

“As evidenced by the growing threat of social engineering scams like company impersonation and BEC, organizations are failing to implement sufficient and consistent security awareness training programs,” Moffitt said. “Organizations also need to establish a layered approach to security to ensure protection against cybercriminals’ evolving tactics. Beyond that, just some basic best practices can keep your organization from being caught with their pants down — locking down RDP, disabling macros and PowerShell for the 95% of employees that never use it, and stronger password security.”
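The three basics Moffitt lists (RDP, Office macros, PowerShell) map to a handful of Windows and Office policy settings, and the fastest way to find out where an endpoint stands is to read them back. The script below is an added example written for this article, not code from Webroot or the report. It only reads state and prints findings; the registry paths are the documented Windows and Office policy locations, while the Office version key (`16.0`), the `Finding` wording and the function names are assumptions made for illustration.

```powershell
# Added example (not from the article or Webroot): read-only audit of RDP lockdown,
# Office macro policy and PowerShell exposure on a single Windows host.
# Assumptions: Office policy lives under the "16.0" key; run elevated so HKLM and
# optional-feature state are readable. Nothing here changes configuration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null (rather than an error) when the key or value is absent, i.e. "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RdpStatus {
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = Get-RegValue -Path $ts -Name 'fDenyTSConnections'                           # 1 = RDP disabled
    $nla  = Get-RegValue -Path "$ts\WinStations\RDP-Tcp" -Name 'UserAuthentication'     # 1 = NLA required
    $finding = if ($deny -eq 1) { 'RDP disabled' }
               elseif ($nla -eq 1) { 'RDP enabled with NLA; confirm it is not reachable from the internet' }
               else { 'RDP enabled WITHOUT NLA: disable or restrict (the Crysis/Dharma entry point)' }
    [pscustomobject]@{ Control = 'RDP'; Value = "deny=$deny nla=$nla"; Finding = $finding }
}

function Get-MacroStatus {
    # Office policy values: VBAWarnings 4 = disable all macros without notification;
    # blockcontentexecutionfrominternet 1 = block macros in files downloaded from the internet.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # 16.0 is an assumption
        $warn  = Get-RegValue -Path $key -Name 'VBAWarnings'
        $block = Get-RegValue -Path $key -Name 'blockcontentexecutionfrominternet'
        $finding = if ($warn -eq 4) { 'All macros disabled by policy' }
                   elseif ($block -eq 1) { 'Internet-sourced macros blocked; locally created macros still allowed' }
                   else { 'No macro policy: an Emotet-style maldoc can prompt the user to enable VBA' }
        [pscustomobject]@{ Control = "Macros/$app"; Value = "vbawarnings=$warn blockinternet=$block"; Finding = $finding }
    }
}

function Get-PowerShellStatus {
    # The legacy v2 engine has no script block logging or AMSI hook, so leaving it installed
    # undermines detection even where v5 is locked down; ScriptBlockLogging is what feeds the SOC.
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2' -ErrorAction SilentlyContinue
    $sbl = Get-RegValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
    $mode = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage when a policy restricts this user
    $finding = if ($v2 -and $v2.State -eq 'Enabled') { 'PowerShell v2 engine still installed: remove it' }
               elseif ($sbl -ne 1) { 'Script block logging off: enable it so malicious scripts are recorded' }
               elseif ($mode -ne 'ConstrainedLanguage') { 'Full language mode: consider constraining for non-admin users' }
               else { 'v2 removed, logging on, constrained language in effect' }
    [pscustomobject]@{ Control = 'PowerShell'; Value = "v2=$($v2.State) sbl=$sbl mode=$mode"; Finding = $finding }
}

function Invoke-BasicsAudit {
    # One row per control; pipe to Export-Csv to collect results from many hosts.
    @(Get-RdpStatus) + @(Get-MacroStatus) + @(Get-PowerShellStatus)
}

Invoke-BasicsAudit | Format-Table -AutoSize -Wrap
```

Run it on a sample of endpoints before rolling the corresponding Group Policy out fleet-wide; the `Value` column shows the raw settings so a disagreement between this script and the GPO report is easy to trace to a specific key.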

ServiceNow Research

Also Tuesday, ServiceNow research shows that despite a 24% average increase in annual spending on prevention, detection and remediation in 2019 compared with 2018, patching is delayed an average of 12 days due to data silos and poor organizational coordination. The average timeline to patch is 16 days.

At the same time, there was a 17% increase in cyberattacks over the past year, and 60% of breaches were linked to a vulnerability where a patch was available, but not applied.

“This study shows the vulnerability gap that has been a growing pain point for CIOs and CISOs,” said Sean Convery, general manager of ServiceNow security and risk. “Companies saw a 30% increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands. Many organizations have the motivation to address this challenge, but struggle to effectively leverage their resources for more impactful vulnerability management. Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
