The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. You can find all previous debriefs here.
Highlight of the month: 2022 – Another year of ransomware!?
The year 2021 was marked by the professionalization of ransomware groups. While there are still plenty of opportunistic attacks and for-fee ransomware-as-a-service offerings (RaaS 1.0), the modern profit-sharing ransomware model (RaaS 2.0) is the real danger.
REvil, Maze, Conti, BlackMatter, and others have shown how much damage this new generation of ransomware operators with affiliate programs can cause. Being financially motivated, they keep improving and inventing new methods to increase pressure on their victims, leading to higher yields. In 2021, we saw ransom demands in the range of tens of millions of dollars. In 2022, software supply chain attacks can be the force multiplier that will push ransom demands over the $100M mark.
Or not. Large-scale attacks also bring attention, and 2021 was a year when ransomware stopped being a concern only for cybersecurity and tech communities and found its place in mainstream media headlines and board meetings. Most cybercriminals prefer to keep a low profile and stay in the shadows – and this unnecessary attention is bad for their business.
To learn more about how Ransomware-as-a-Service groups work, what motivates them, how they operate, and how to fight against them, listen to our (on-demand) webinar Fighting REvil: Insights from the Frontline, where we talked to members of our elite DRACO team.
Is the RaaS 2.0 model going to stay (or even expand), evolve into something new, or is it too much of a threat to be sustainable in the long term? Only time will tell. Stay safe, follow the security best practices and keep an eye on the latest trends and tactics.
Spear phishing attacks are often used as an initial attack vector. Ransomware infection is often the final stage of the same kill chain. For this report, we analyzed malware detections collected in December 2021 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer more volume instead of higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 ransomware families
For this report, we analyzed 9 million malware detections from December 1st to December 31st. In total, we identified 232 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 countries
In total, we detected ransomware from 155 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Most ransomware attacks continue to be opportunistic, and the size of the population is correlated to the number of detections.
Top 10 industries
For our dataset, we have been able to assign 20% of detections to specific industries. Telecommunications services are particularly high as their customers are included within the detections.
Below are the top 10 trojans that we have seen in our telemetry for December 2021.
Android.Trojan.Downloader.DN - Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
Android.InfoStealer.XY - Obfuscated applications that masquerade as mobile antiviruses. When the malware app is first run, it checks whether any AV solution is installed and tricks the user into uninstalling it. It exfiltrates sensitive data, downloads and installs other malware and displays adware.
Android.Trojan.HiddenApp.AID - Aggressive adware that impersonates adblock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
Android.Trojan.SLocker.BRM - Applications that block access to devices by displaying a screen that appears over every window, so that the user is frozen. This is a simplistic version of mobile ransomware.
Android.Trojan.Banker VF, XH, XI - Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express ...). Once installed, it locates banking applications installed on the device and tries to download a trojanized version from the C&C server.
Android.Trojan.Banker.XX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information and upload it to a C&C server.
Android.SpyAgent.EA - Applications that exfiltrate sensitive data.
Trojan.Dropper.AIF - Polymorphic applications that drop and install encrypted modules. After the first run, their icons are hidden from the launcher.
Homograph phishing report
Here we focus on homograph attacks that abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
Below is the list of the top 10 most common targets for phishing sites.
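To illustrate how an IDN that spoofs a target domain can be flagged, here is an added example (not Bitdefender's code or detection logic): it decodes punycode labels, folds look-alike characters to ASCII, and compares the result against a watch list. The watch list, the small look-alike table and the sample domain are constructed for this illustration.

```python
import unicodedata

# Constructed subset of look-alike letters (Cyrillic/Greek -> Latin); the full
# Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}
TARGETS = {"example.com", "example-bank.com"}  # hypothetical watch list

def to_ascii(domain):
    """Encode non-ASCII labels as xn-- punycode (used to build the sample)."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in domain.split("."))

def to_unicode(domain):
    """Decode xn-- labels back to the Unicode form a browser may display."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw xn-- form
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold a Unicode domain to the ASCII string it visually resembles."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def spoofed_target(domain):
    """Return the watched domain that an IDN imitates, or None."""
    uni = to_unicode(domain)
    if uni.isascii():
        return None  # no non-ASCII characters, so not an IDN homograph
    skel = skeleton(uni)
    return skel if skel in TARGETS else None

# Constructed sample: Cyrillic U+0435 in place of the Latin "e".
SAMPLE = to_ascii("\u0435xample.com")

if __name__ == "__main__":
    for d in (SAMPLE, "example.com", "xn--bcher-kva.example"):
        print(d, "->", to_unicode(d), "->", spoofed_target(d))
```

A legitimate IDN such as the third test domain decodes to non-ASCII text but matches no watched name, so it is not flagged.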
About Bitdefender threat debrief
Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions.
To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Alin Damian, Mihai Leonte, Ioan Marculet, Andrei Mogage, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.