- Emotet, the malware that made its debut in 2014, jumps 976.7% in the first half of 2022
- Ransomware developers continue their shift toward more lucrative and efficient monetisation methods.
- The cloud remains a popular target for malicious actors, with some capitalising on old and persistent issues such as misconfiguration and others attempting to develop more novel and unconventional methods to launch attacks on cloud infrastructure.
Emotet continues to thrive in the first half of 2022 and saw a whopping 976.7 per cent increase compared to the first half of 2021, according to Trend Micro’s mid-year cybersecurity report.
As part of a malware-as-a-service (MaaS) scheme, malicious actors used Emotet as a loader to deploy Conti and other ransomware families to Emotet-infected systems that malicious actors deemed profitable.
Indeed, researchers from Advintel named Conti operators as one of the reasons behind Emotet’s recent resurgence.
In the first half of this year, there were 148,701 Emotet detections globally compared to 13,811 a year ago, with Japan having the highest number of detections, followed by the US and India.
Emotet made its debut in 2014 and is known to have been used by operators of other malware such as Conti and Ryuk in their attacks. In 2021, its infrastructure was taken down through the collaborative effort of various law enforcement agencies from different countries.
Widening digital attack surface
“In the first half of 2022, cybersecurity teams found themselves scrambling to keep on-site, hybrid, and remote work setups secure against cybercriminals who are quick to take advantage of this scattered labour pool and a widened digital attack surface to launch critical attacks and exploit vulnerabilities,” the report showed.
In May 2022, the firm analysed Emotet infections across various regions and discovered that while the attacks still relied on spam campaigns, it also added small changes to its routine, such as using Excel 4.0 macros for its downloading procedure instead of using Visual Basic for Applications (VBA).
Other changes that were implemented in these recent Emotet infections include streamlined payloads and additional obfuscation techniques. Perhaps most importantly, the operators of Emotet have since added Cobalt Strike to their arsenal since the botnet’s reappearance, making newer Emotet campaigns more dangerous.
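The shift from VBA to Excel 4.0 (XLM) macro sheets described above is visible in the document structure itself. The following added example (not code from the report or from Trend Micro) checks an OOXML workbook for XLM macrosheet parts and a VBA project by reading its content types; the sample workbooks are constructed in memory, and legacy BIFF (.xls) files, which store XLM sheets differently, are outside its scope.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types that declare Excel 4.0 (XLM) macro sheets in an OOXML package.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def scan_workbook(data: bytes) -> dict:
    """Report which macro technologies an OOXML workbook carries.

    [Content_Types].xml is the authoritative source; the zip entry names are a
    fallback in case the content-types part was stripped or tampered with.
    """
    result = {"xlm_macros": False, "vba_project": False, "macrosheet_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["macrosheet_parts"] = [n for n in names if n.startswith("xl/macrosheets/")]
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                ct = el.get("ContentType", "")
                if ct in XLM_CONTENT_TYPES:
                    result["xlm_macros"] = True
                elif ct == VBA_CONTENT_TYPE:
                    result["vba_project"] = True
    if result["macrosheet_parts"]:
        result["xlm_macros"] = True
    return result


def build_sample(with_xlm: bool) -> bytes:
    """Constructed minimal workbook skeleton for testing (not a real sample)."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    parts = {"xl/workbook.xml": "<workbook/>"}
    if with_xlm:
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="application/vnd.ms-excel.macrosheet+xml"/>')
        parts["xl/macrosheets/sheet1.xml"] = "<macrosheet/>"
    ct = CT_NS.replace("{", '<Types xmlns="').replace("}", '">') + "".join(overrides) + "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("xlm sample" if flag else "clean sample", scan_workbook(build_sample(flag)))
```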
Aside from upping the ante by using MaaS schemes in their attacks, malicious actors are also continuously expanding their attack reach by targeting one of the most powerful operating systems used in cloud platforms and servers worldwide – Linux.
Issues in critical infrastructures
In October 2021, LockBit Linux-ESXi Locker version 1.0 started targeting and encrypting ESXi servers. This year, we discovered a new ransomware variant, called Cheerscrypt, that also targeted ESXi servers.
Successful infection of these servers, which are widely used by enterprises, could cause significant security issues in critical infrastructures.
The emergence of these new Linux ransomware families directly corresponds to what we saw in our SPN data for the first half of the year: a 75 per cent increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.
In the first half of the year, three RaaS threat actors stood above the rest: Conti, LockBit, and BlackCat, each of which saw significantly higher detections in the first half of the year compared to the first half of 2021, indicating that cybercriminals are increasingly turning toward a RaaS partnership due to the benefits it provides for both parties.
The security firm also observed relatively new ransomware families such as Black Basta, Nokoyawa, and Hive being used in high-profile attacks on big-game targets.
Based on the data gathered, there were 67 active RaaS and extortion groups and over 1,200 victim organisations that were reported in the first six months of this year alone.
According to Trend Micro’s security predictions for this year, the firm foresaw that ransomware families would go after bigger targets using more advanced methods of extortion — a prediction that fits the bill of the notable ransomware families that we reported on in the first half of 2022.
Another notable ransomware family, called Nokoyawa, surfaced in the first half of this year and targeted victims in the South American region, specifically in Argentina.
Nokoyawa shares common tools and techniques with Hive, a notorious ransomware family that was used to launch ransomware attacks on more than 300 US healthcare organisations in 2021.
“After analysing Nokoyawa’s technical details, we were able to observe the distinctions between the two ransomware families: Their binaries were compiled using different languages, and Nokoyawa did not use any packer whatsoever while Hive used UPX,” the report showed.
The report also revealed that cloud misconfiguration is still a top concern, while cloud-based cryptocurrency-mining attacks that use evolutionary tactics are on the rise.
In recent years, cloud-based containers have enabled organisations to optimise their processes and development cycles. Because of the ubiquity of these containers and the fact that many such platforms are misconfigured, they continue to be targeted by cybercriminals.
According to a May 2022 survey from Red Hat, 53 per cent of survey respondents composed of 300 DevOps, engineering, and security professionals said that they detected a misconfiguration in their containers and/or Kubernetes deployments.
Meanwhile, Trend Micro Cloud One Conformity data shows which tools and services have the highest misconfiguration rates (based on total checks) across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). In particular, Azure’s activity log service had high misconfiguration rates and was associated with a high number of high-risk rules (based on Conformity risk level rating).
Moreover, Trend Micro observed that cybercriminal teams remained invested in hijacking victims’ computing resources for cryptocurrency mining in the first half of the year, continuously upgrading their attack arsenals and tactics.
Based on research conducted in 2021 and published earlier this year, Trend Micro determined the five most prominent malicious actor groups in the cryptocurrency mining space and how they had conducted their operations – Outlaw, TeamTNT, Kinsing, 8220 and Kek Security.