Huge rise in endpoint ransomware


WatchGuard's Internet Security Report for Q4 2022 shows a sharp rise in endpoint ransomware alongside a decline in network malware. The analysis confirms that encrypted connections have become the method of choice for delivering malware.

The latest WatchGuard Internet Security Report (ISR) for the fourth quarter of 2022 shows how heavily attackers are focusing on endpoints. While the number of malware detections on the network is declining, the researchers at the Threat Lab have seen a surge in ransomware on endpoints: an increase of a staggering 627 percent.

Over 600 percent more ransomware on end devices

Figure 1: Internet Security Report Q4/2022 (Image: WatchGuard).

Another key finding: despite the general decline in malware detections, malware is increasingly concentrated in encrypted traffic. Firebox appliances with HTTPS (TLS/SSL) decryption enabled detect far more malware than Fireboxes that do not decrypt. Since the latter make up 80 percent of the total population in the study, the amount of malware that goes undetected should not be underestimated. The topic is not new to Corey Nachreiner, Chief Security Officer at WatchGuard: “It represents an ongoing and worrying trend in our data and analysis that encryption – or rather the lack of decryption at the network perimeter – is clouding a clear view of malware attack trends. Enabling HTTPS inspection is crucial for security professionals. This is the only way to ensure that threats can be identified and countered before they cause damage.”

The most important results of the Q4 Internet Security Report

Sixfold increase in ransomware targeting endpoints

This tremendous increase underscores the need for targeted ransomware defenses: advanced security controls for proactive prevention, and tested backup plans for disaster recovery and business continuity.

93 percent of malware is hidden behind encryption

WatchGuard Threat Lab research continues to show that the lion's share of malware is delivered over the SSL/TLS-encrypted connections used by secure websites. This trend continued in the fourth quarter, with the share rising from 82 percent to 93 percent. Security teams that do not inspect this traffic as part of their network security controls are likely to miss the bulk of the malware and will have to rely even more heavily on strong endpoint security.

Network-based malware down 9.2 percent quarter over quarter

Figure 2: Internet Security Report Q4/2022 (Image: WatchGuard).

This continues the general decline in malware detections over the past two quarters. However, as already mentioned, encrypted internet traffic shows a completely different picture. The Threat Lab team believes this declining trend may not tell the whole story and needs more data from inspected HTTPS connections to confirm this.

22 percent more endpoint malware

Although less network malware was recorded, there were more detections on the endpoint side in the fourth quarter. This supports the Threat Lab team's hypothesis that malware is increasingly moving to encrypted channels. At the endpoint, TLS matters less, because the browser decrypts the connection and the Threat Lab's endpoint software can then inspect the content. Most detections (90 percent) were related to scripts. Among browser-based malware, Internet Explorer led with 42 percent of the total detected compromise attempts, followed by Firefox with 38 percent.

Share of zero-day or evasive malware in unencrypted traffic down to 43 percent

While this still represents a significant share of total malware detections, it is the lowest the Threat Lab team has observed in years. However, the picture changes completely when looking at TLS connections: there, 70 percent of the malware arriving over encrypted connections evades signature-based detection.

Phishing campaigns on the rise

Figure 3: Internet Security Report Q4/2022 (Image: WatchGuard).

Three of the malware variants featured in the report's top 10 list (some of them also in the most prevalent malware list) support various phishing campaigns. The most commonly detected malware family, JS.Agent.UNS, contains malicious HTML code that redirects users to legitimate-sounding domains masquerading as well-known websites. Another variant, Agent.GBPM, creates a SharePoint phishing page titled "PDF Salary_Increase" that attempts to steal user account credentials.

The latest new variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link leading to a known phishing domain. Phishing and business email compromise (BEC) remain among the top attack vectors. Businesses should ensure they have both the right preventive controls and security awareness training programs in place to protect against them.

ProxyLogin exploits continue to proliferate

An exploit for this well-known and critical Exchange vulnerability rose from eighth place in the third quarter to fourth place last quarter in the ranking of related threats. This vulnerability should have been patched long ago; where that has not yet happened, those responsible for security must treat it as a priority, because old vulnerabilities serve attackers as stepping stones just as well as new ones. Many attackers continue to target Microsoft Exchange Server and management systems in general. Companies need to be aware of this and know where the weaknesses in their defenses lie.

Volume of network attacks flat compared to previous quarter

With 35 more attacks (a 0.0015 percent increase), the change on this front is barely noticeable and the smallest it has been in a long time.

Danger of LockBit ransomware or malware ever-present

The WatchGuard Threat Lab continues to encounter LockBit variants frequently, no doubt due to the track record of such attacks. Although the number of victims decreased compared to the previous quarter, LockBit still accounts for the majority of publicly reported incidents: the WatchGuard Threat Lab counts a total of 149 cases (compared to 200 in Q3). In addition, 31 new ransomware and extortion groups were discovered in the fourth quarter of 2022.

WatchGuard's quarterly research reports are based on de-identified Firebox Feed data from active WatchGuard Fireboxes whose owners have consented to the sharing of data to support the Threat Lab's research. In the fourth quarter, WatchGuard blocked a total of more than 15.7 million malware variants (194 per device) and over 2.3 million network threats (28 per device). The full report details other malware and network trends from Q4 2022, recommended security strategies, key defense tips for organizations of all sizes and industries, and more.

About WatchGuard

WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multifactor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,
