Anti-virus vendors' technology keeps improving, identifying new attacks on company networks and on private PCs and laptops every day. Consequently, malware authors are forced to use sophisticated methods to protect their malware from detection by security software - it's an endless cat-and-mouse game.
However, these evasion efforts are not always successful. Last year, experts at G DATA discovered more than 13,500 variants of known malware families every day. By far the most active was the GandCrab ransomware. The malware analysts in Bochum identified over 408,000 versions - on average more than 1,100 new variants per day. The ransomware encrypts data and networks and demands a ransom from its victims; only after payment can the data be decrypted again. The group behind the malware had already officially ended its activities on the 1st of June 2019. Even so, the system appears to be still active and continuing to distribute the malicious code.
In second and third places are njRAT, with 208,000 versions, and BlackShades, with 193,000. Both belong to the group of Remote Access Trojans, which cyber criminals use to take administrative control of the target system. The best-known malware family, Emotet, ranks sixth in the annual charts, with over 70,800 different samples. An average of 194 new versions of the all-purpose cyber crime weapon appeared every day. Emotet merely acts as a door opener and provides cyber criminals with access to IT networks. For comparison, in the same period of the previous year, malware analysts discovered around 28,000 new Emotet variants.
The Malware Top Ten at a glance (only the rows that survived on this page are listed):

| Rank | Malware family | Variants | Type |
|---|---|---|---|
| 2 | njRAT | 208,235 | Remote Access Trojan |
| 3 | BlackShades | 193,105 | Remote Access Trojan |
| 5 | AveMariaRAT | 102,374 | Remote Access Trojan |
| 9 | SakulaRAT | 53,799 | Remote Access Trojan |
| 10 | Nanocore | 50,535 | Remote Access Trojan |
Steal data, encrypt systems
Five of the ten most active malware families are Remote Access Trojans (RATs). A RAT gives the attacker remote control of and administrative oversight over a third party's computer without the user noticing. The manipulation capabilities range from spying on passwords and reading confidential data to wiping the hard drive or encrypting files. Banking Trojans such as Tinba or Shifu are also still active. They use man-in-the-browser techniques to read login data for banking applications.
It is noticeable that a large part of this malware has been in circulation for several years. For example, SakulaRAT and Tinba were first discovered in 2012, and Nanocore in 2013. This longevity is also related to the concealment techniques the cyber criminals use to camouflage the malware. The most recent malware in the Top 10 is AveMariaRAT, which was first identified by security researchers in 2018. A total of 332 different malware families are currently classified in G DATA's databases.
At the end of the year, the former banking Trojan Emotet was back in the limelight. After things had gone quiet around the all-purpose cyber crime weapon in mid-2019, cyber criminals became much more active again from the autumn onwards. In Germany, public administrations, universities and, once again, hospitals were among the victims of the sophisticated attacks. "The initial spam emails look very authentic, so many users regard them as genuine and open the infected attachment," says Tim Berghoff. "Users then click on the infected attachment and disaster strikes." The malware automatically downloads other malware such as Trickbot and Ryuk to spy on additional access data and encrypt the system. Emotet even co-opts PowerShell, abusing it to carry out its malicious functions. The result is that affected companies and administrations are left without IT and are offline for days.