Ransomware detections in the first quarter of this year have doubled the total volume reported in 2021, according to WatchGuard’s Quarterly Internet Security Report, detailing the top trends in malware and network security threats.
“Based on this year’s early ransomware spike and data from previous quarters, we predict that 2022 will break our record for annual ransomware detections,” said Corey Nachreiner, director of security at WatchGuard.
Ransomware in the spotlight
Other key takeaways from this report, which looks at Q1 2022 data, are as follows:
- Ransomware goes nuclear – Although the results of the Threat Lab’s Q4 2021 Internet Security Report revealed that ransomware attacks have been trending down year over year, everything changed in Q1 2022 with a massive explosion of ransomware detections. Surprisingly, the number of ransomware attacks detected in Q1 has already doubled the total number of detections for the entire year of 2021.
- LAPSUS$ surges after REvil crash – Q4 2021 saw the downfall of the infamous REvil cyber pool, which, in hindsight, opened the door for another pool to emerge: LAPSUS$. WatchGuard’s Q1 analysis suggests that the LAPSUS$ extortion group, along with many new ransomware variants such as BlackCat, the first known ransomware written in the Rust programming language, could be contributing factors to a broader ransomware and cyber-extortion threat landscape. constantly increasing.
- Log4Shell makes its debut in the Top 10 list of network attacks – Publicly disclosed in early December 2021, the nefarious Apache Log4j2 vulnerability, also known as Log4Shell, debuted in the top 10 network attacks at the end of this quarter. Compared to total IPS detections in Q4 2021, Log4Shell signature nearly tripled in Q1 this year. Featured as the top security incident in WatchGuard’s latest Internet Security Report, Log4Shell garnered attention for earning a perfect CVSS score of 10.0, the highest possible criticality for a vulnerability, and for its widespread use in Java programs. and the level of ease in executing arbitrary code.
WatchGuard Threat Lab reports that ransomware volume has already doubled the 2021 total by the end of Q1 2022
- Emotet returns again- Despite efforts to shut it down by law enforcement in early 2021, Emotet accounts for 3 of the top 10 detections and the most widespread malware this quarter following its resurgence in Q4 2021. Detections of Trojan.Vita, which largely targeted Japan and also appeared in the top five encrypted malware list, and Trojan.Valyria both use exploits in Microsoft Office to download the Emotet botnet. The third Emotet-related malware sample, MSIL.Mensa.4, can spread via connected storage devices and primarily targets networks in the United States. Threat Lab data indicates that Emotet acts as a dropper, downloading and installing the file from a malware delivery server.
- PowerShell scripts lead the rise in endpoint attacks – Overall endpoint detections in Q1 were up 38% from the previous quarter. Scripts, specifically PowerShell scripts, were the dominant attack vector. With 88% of all detections, scripts alone surpassed the number of total endpoint detections that had been recorded in the previous quarter. PowerShell scripts were responsible for 99.6% of script detections in Q1, showing that attackers are moving to fileless attacks and living off of legitimate tools. Although these scripts are the clear choice for attackers, WatchGuard data reveals that other malware sources should not be overlooked.
- Legitimate cryptocurrency mining operations associated with malicious activities – All three new additions to the list of top malware domains in Q1 were related to Nanopool. This popular platform aggregates cryptocurrency mining activity to allow for consistent performance. These domains are technically legitimate and associated with a legitimate organization. However, connections to these mining pools almost always originate on a business or educational network from malware infections rather than legitimate mining operations.
- Businesses still face a wide range of unique network attacks – While the top 10 IPS firms accounted for 87% of all network attacks; unique detections reached their highest count since Q1 2019. This increase indicates that automated attacks are focusing on a smaller subset of potential exploits rather than testing everything. However, companies continue to experience a wide variety of detections.
- EMEA continues to be a hotspot for malware threats – Overall regional detections of basic and evasive malware show that Fireboxes in Europe, the Middle East, and Africa (EMEA) were more affected than those in North, Central, and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) with 21%.
George is Digismak’s reported cum editor with 13 years of experience in Journalism