Tuesday, October 4

Trojans overtake ransomware for the first time in several months

Telecommunications, health care and education are the sectors with the most attacks.

For the first time in over a year, ransomware was not the top threat seen in attacks reported in the Cisco Talos Incident Response (CTIR) report for Q2 2022. Commodity trojans – malware offered for sale as widely available, easily accessible merchandise – outpaced ransomware by a narrow margin.

Compared to previous quarters, ransomware represented a significantly lower percentage, comprising 15 percent of all threats seen this quarter compared to 25 percent the previous quarter. This can be attributed to several factors, such as the recent takedowns of ransomware groups by security forces in different countries and their continued internal fracturing.

Main threats

  • The telecommunications sector was once again the most attacked, continuing the trend of the last quarter.
    • The health care and education sectors were the next most targeted.
  • Well-known ransomware-as-a-service (RaaS) groups, such as Conti and BlackCat, targeted organizations seeking large ransoms.
    • Conti announced the cessation of its operations earlier this year, although the possible effects on the ransomware landscape are still unknown.
    • A new RaaS variant called “Black Basta” is an alleged rebrand from Conti and is likely to be a threat in the coming quarters.
  • LockBit ransomware released a new version that includes new cryptocurrency payment options for victims, additional extortion tactics, and a new bug bounty program.

Other lessons

  • Commodity malware was the top threat seen this quarter, accounting for 20% of threats. The next most observed threats were phishing, business email compromise (BEC), and insider threats.
  • As in the first quarter of 2022, we continue to see email-based threats leveraging various social engineering techniques to entice users to click or execute a certain link or file.
  • One notable case reported to CTIR was a previously unknown ransomware variant that had artifacts and components that overlapped with at least three other ransomware families.
  • The main target country remains the United States. Other organizations targeted are seen globally in Europe, Asia, North America and the Middle East.

How organizations can protect themselves

Snort® rules and firewall rules protect against commodity malware.

Email security tools and malware analytics platforms protect users from targeted phishing emails and business email compromise, both of which adversaries commonly used this quarter.

The top recommendation for organizations this quarter is to implement multi-factor authentication (MFA) across all critical services, as well as implement endpoint detection and response solutions to record malicious activity on organizations’ networks and machines.

The full Cisco Talos report is at this link (does not require registration).
