Security Report: Double Extortion Ransomware Attacks

Double extortion is increasingly the watchword in ransomware attacks. The attackers put the victim under twofold pressure: either they pay to have their data decrypted, or the attackers publish the data. This and more in the WatchGuard Threat Lab Internet Security Report Q2/2023.

WatchGuard Technologies' Second Quarter 2023 Internet Security Report highlights top malware trends and threats to network and endpoint security. The analysis by researchers at the WatchGuard Threat Lab revealed, among other things, that 95 percent of malware is transmitted over encrypted connections. A further insight: although there is less endpoint malware overall, the campaigns that do occur are broader in scope.

Double-Extortion Attacks in Ransomware

A similar development can be seen with ransomware. Fewer samples were in circulation during the period examined, but individual attacks were much more often aimed at both encryption and data theft. The so-called “double-extortion attacks”, in which companies are extorted not only for the release of “hijacked” (encrypted) systems but also with the threat of publishing stolen data, are now observed much more frequently. At the same time, older software vulnerabilities remain a popular means to an end for attackers.

“The data our Threat Lab analyzed for the latest report shows that advanced malware attacks fluctuate in frequency and that multi-faceted cyber threats are consistently evolving. Combating these effectively requires constant vigilance and a multi-layered security approach,” said Corey Nachreiner, Chief Security Officer at WatchGuard. “There is no ONE strategy on the part of attackers and certain threats often pose different risks at different times of the year. Companies must therefore always be on guard and keep an eye on the situation at all times. In addition, a uniform, comprehensive and stringent security concept is important for optimal protection. Managed service providers can leverage decisive strengths in implementation here.”

Key findings from the WatchGuard Internet Security Report Q2-2023

95 percent of malware is hidden behind encryption

Much of the malware hides behind the SSL/TLS encryption used by secure websites. Companies that do not inspect SSL/TLS traffic at the network perimeter are most likely missing an enormous amount of malware. In addition, the share of zero-day malware in total malware volume has fallen to 11 percent, a historic low. When only malware transmitted over encrypted connections is examined, however, far more evasive malware was detected: its share was 66 percent over the study period. This suggests that attackers still primarily spread the particularly sophisticated malware over encrypted channels.

Overall volume of endpoint malware is declining slightly, while the prevalence of malware campaigns is increasing

Endpoint malware detections declined slightly by 8 percent in the second quarter compared to the previous quarter. However, when looking at endpoint malware hit frequency by occurrence on 10 to 50 systems or 100 or more systems, the volume increased by 22 and 21 percent, respectively. This suggests that more widespread malware campaigns in particular increased from the first to the second quarter.

Double extortion attacks by ransomware groups are increasing by 72 percent compared to the previous quarter

As part of the analysis, the Threat Lab discovered 13 new extortion groups. Although double extortion attacks increased significantly, ransomware detections on endpoints fell 21 percent quarter-over-quarter and 72 percent year-over-year.

Six new malware variants in the top 10 endpoint detections

The Threat Lab saw a massive increase in hits related to the compromised 3CX installer. With a 48 percent share of total volume, this threat took first place in the top 10 list of malware threats for the second quarter. In addition, the Glupteba Trojan resurfaced in early 2023 after largely disappearing from the scene in 2021.

Threat actors rely on LOLBAS to deliver malware

When analyzing attack vectors and how threat actors gain access to endpoints, there has been an increase in Living Off The Land Binaries And Scripts (LOLBAS) attacks. There was a 29 percent increase in cases of misuse of Windows operating system tools such as WMI and PSExec. This represents 17 percent of the total volume, while malware that relies on scripts such as PowerShell decreased by 41 percent. Scripts remain the most common way malware spreads, accounting for 74 percent of detections. Browser-based exploits fell 33 percent and represented 3 percent of total volume in the second quarter of this year.
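The report only states that misuse of built-in Windows tools such as WMI, PsExec and PowerShell rose; it does not say how a defender would spot it. The following is an added example, not code from the report or from WatchGuard, that scores process-creation events against a small set of LOLBAS indicators (remote WMI process creation, PsExec pointed at another host, encoded or hidden PowerShell) and raises the score when the parent is an Office application or script host. The field names, rule patterns, host names and every sample event are constructed for the example.

```python
"""Flag LOLBAS-style abuse of built-in Windows tools in process-creation events.

Added example: field names loosely follow Sysmon Event ID 1 / EDR process-creation
records (an assumption), and all sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    user: str


# Per-binary indicators: a regex over the command line and the reason it is suspicious.
# The patterns are illustrative (assumption); tune them against your own baseline.
LOLBAS_RULES = {
    "wmic.exe": [
        (r"\bprocess\s+call\s+create\b", "WMI used to spawn a process"),
        (r"/node:", "WMI directed at a remote host"),
    ],
    "psexec.exe": [
        (r"\\\\[\w.-]+", "PsExec targeting a remote host"),
        (r"\s-s\b", "PsExec requesting SYSTEM"),
    ],
    "powershell.exe": [
        (r"-(enc|encodedcommand|e)\b", "encoded PowerShell command"),
        (r"-(nop|noprofile)\b.*-(w|windowstyle)\s+hidden", "hidden, profile-less PowerShell"),
        (r"downloadstring|\biex\b|invoke-expression", "download-and-execute pattern"),
    ],
}

# Parents that rarely have a legitimate reason to launch these tools.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list:
    """Return the list of reasons an event looks like LOLBAS abuse (empty if benign)."""
    rules = LOLBAS_RULES.get(basename(event.image))
    if not rules:
        return []  # not one of the monitored binaries
    cmd = event.command_line.lower()
    reasons = [desc for pattern, desc in rules if re.search(pattern, cmd)]
    parent = basename(event.parent_image)
    # Only weigh the parent when the binary itself is one we watch.
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by Office/script host {parent}")
    return reasons


def scan(events) -> list:
    """Return (host, binary, reasons) for every event that triggers at least one indicator."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event.host, basename(event.image), reasons))
    return hits


# Constructed sample telemetry: two routine admin actions and three LOLBAS-style events.
SAMPLE_EVENTS = [
    ProcessEvent("WS-017", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic os get caption", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("WS-023", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1", "CORP\\jdoe"),
    ProcessEvent("WS-042", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic /node:FILESRV01 process call create "cmd.exe /c whoami"', "CORP\\jdoe"),
    ProcessEvent("WS-042", r"C:\Windows\System32\cmd.exe", r"C:\Tools\psexec.exe",
                 r"psexec.exe \\WS-051 -s cmd.exe", "CORP\\jdoe"),
    ProcessEvent("WS-088", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>", "CORP\\asmith"),
]

if __name__ == "__main__":
    for host, binary, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {binary} -> {'; '.join(reasons)}")
```

The two routine events (an OS query from `services.exe`, a scheduled backup script) produce no hits, while the remote WMI call, the PsExec session and the hidden encoded PowerShell launched from Word are each flagged with the specific reasons, which is what an analyst needs to triage quickly; the parent-process check is what separates a legitimate admin's `wmic` from the same binary spawned by a document.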

Cybercriminals continue to target older software vulnerabilities

Threat Lab researchers identified three new signatures based on older vulnerabilities in the top 10 network attacks in the second quarter. One of them dates back to 2016 and is linked to the vulnerability of an open source learning management system that was decommissioned in 2018.

Compromised domains: WordPress blogs and a link-shortening service

When searching for malicious domains, the team found “self-managed websites” (e.g. WordPress blogs) and a URL shortener, among other things, that had been compromised and used to host malware or malware command-and-control systems. In addition, the WatchGuard Threat Lab discovered that the website of an educational competition in the Asia-Pacific region had been infiltrated by the Qakbot gang and was hiding the botnet's command-and-control infrastructure.

All insights are based on the WatchGuard Unified Security Platform concept and, as in previous quarterly evaluations, on the anonymized, aggregated data of all active WatchGuard network and endpoint protection solutions whose owners have agreed to share threat intelligence to support the Threat Lab's research work.

The current Internet Security Report again uses the Threat Lab team's methods, updated since the previous edition, to normalize, analyze and present the results. Network security results are presented as averages per device, and there are additional in-depth evaluations of network attacks and endpoint malware.

About WatchGuard

WatchGuard Technologies is one of the leading providers in the field of IT security. The extensive product portfolio ranges from highly developed UTM (Unified Threat Management) and next-generation firewall platforms to multifactor authentication and technologies for comprehensive WLAN protection and endpoint protection, as well as other specific products and intelligent services relating to IT security. More than 250,000 customers worldwide rely on the sophisticated protection mechanisms at enterprise level,
