Highlight of the month: Ukraine Conflict
In reaction to the ongoing conflict in Ukraine, Romania’s National Cyber Security Directorate (DNSC) announced a partnership with Bitdefender to provide technical consulting, threat intelligence and, free of charge, cybersecurity technology to any business, government institution, or private citizen of Ukraine for as long as it is necessary.
This situation is still developing, and it is important to stay informed and vigilant. Security incidents have been more subdued than initially feared at this time. Reported security incidents are mostly distributed denial of service (DDoS) attacks and occasional deployment of wiper malware. So far, we have not seen any verified reports of industrial control systems (ICS) breaches like the paralyzing power supply attacks in Ukraine in 2015 and 2016.
Recent assessments indicate the likelihood of being targeted by a malicious actor in the coming days and weeks will not be the same for every organization. That is, while there is always a chance of coming under attack from a nation-state APT group, the daily risks and most likely threats still arise from cybercrime in general, and technical threats such as ransomware. In Bitdefender’s most recent blog, we discussed several tiers of organizational factors that tie into consideration of risk.
Spear phishing attacks are often used as an initial attack vector and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in February 2022 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from February 1 to February 28. In total, we identified 244 ransomware families. Number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 154 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections.
Top 10 Industries
For our dataset, we have been able to assign 18% of detections to specific industries. Telecommunications services are particularly high as their customers are included within the detections.
Below are the top 10 trojans targeting Android we have seen in our telemetry during February 2022.
Downloader.DN – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
InfoStealer.XY – Obfuscated applications that masquerade as mobile antiviruses. When the malware app is first run, it checks if there is any AV solution installed and it tricks the user to uninstall it. It exfiltrates sensitive data, downloads and installs other malware and displays adware.
HiddenApp.AID - Aggressive adware that impersonates ad block applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
SpyAgent.DW - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
Banker.YM - Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive command and upload sensitive information.
SpyAgent.EA – Applications that exfiltrate sensitive data.
Dropper.AIF - Polymorphic applications that drop and install encrypted modules. After the first run, their icons are hidden from the launcher.
Banker.XJ – Applications that drop and install encrypted modules. This trojan grants device admin privileges, and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive command and upload sensitive information.
SpyAgent.EM – Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
Banker. XX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information and upload it to a C&C server.
Homograph Phishing Report
Homograph attacks work to abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about “target” of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
Below is the list of the top 10 most common targets for phishing sites.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions.
To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Alin Damian, Mihai Leonte, Ioan Marculet, Andrei Mogage, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.