The map displays the cyber threat risk index globally, demonstrating the main risk areas around the world.*
Education, government and healthcare remain the sectors that most frequently experience cyberattacks. This has been confirmed from different sources and across multiple geographical regions, but comparing the data from ransomware attacks reveals that the manufacturing and retail sectors are the most attacked and extorted sectors by ransomware groups. One explanation for this discrepancy could be that manufacturing and retail are private sectors with the ability to pay the ransom. Attacks on the education and government sectors are aimed at stealing personally identifiable information (PII) and restricted data, both commercial and private. The underground market for “fullz”, a person’s full-information package, is fed by a seemingly never-ending series of breaches of educational and healthcare institutions. The healthcare sector is ranked high on both indexes.
The highest increase of the attacks is against the retail sector, which correlates with the retail sector being one of the top extorted sectors by ransomware, as well as the modus operandi of stealing payment card data that this sector processes and stores.
Email remains the primary vehicle for launching attacks, delivering 92% of all malicious payloads. There was a dramatic drop in the use of malicious Office files since Microsoft essentially started eliminating in-document macros, a rich source of potential exploitation, in 2022. Our data reflects an 81-96% reduction in the prevalence of malicious Excel files and a substantial decrease in other Office formats. This shift is largely attributable to major malicious spam (malspam) entities like Qbot and Emotet, in the past responsible for high-volume campaigns, which have resorted to alternative infection chains.
Instead, there has been a diversification of the infection chains and a marked increase in the use of ZIP, RAR, ISO images, and other archive formats, as well as HTML and LNK files. These have proven attractive to threat actors with a broad range of abilities. We also increasingly see threat actors utilizing DLL files as the final step in email-initiated infection chains and reducing the use of EXE files.
Notably, OneNote files (.one) - a component of the Microsoft Office suite which was seldom used previously - are widely exploited for cyberattacks. Despite the requirement of user interaction (double-clicking) to execute embedded files and attachments within OneNote, there has been a significant increase in attacks leveraging this technique since the start of the year. This strategy has enabled the distribution of malware such as Qbot, AsyncRAT, Redline, AgentTesla, and IcedID
Exploitation of PDF files is not a new trend, but its frequency is increasing and is projected to continue. For example, Qbot was used to launch an extensive campaign in April this year in which it deployed malicious PDF files in multiple languages.
The following sections of this report present data comparisons that are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and June 2023.
For each of the regions below, we present the percentage of corporate networks impacted by each malware family, for the most prevalent malware in H1 2023.
The leading malware families fall into two primary categories. The first includes multipurpose malware such as Qbot, Emotet, and Glupteba. These are ongoing, large-scale botnet operations used for various purposes including data theft and providing system access and infectious code to other malicious actors. The second category consists of infostealers like AgentTesla, Formbook, and Lokibot. These types of malware are traded on underground forums and used by threat actors to steal diverse types of data ranging from login credentials to financial and corporate accounts, and up to credit card details.
With the evolution of the illicit market for access-brokers – those selling access to already infected victims – there has been a proportional increase in the number of infostealers. These infostealer infections typically represent the initial stage in this market, often managed by less technically proficient actors who later sell the pilfered data to more advanced actors to be used in more sophisticated attacks.
Qbot, a multipurpose malware known for its widespread phishing campaigns, was the most commonly detected malware in the first half of 2023. It is frequently utilized to deliver other malware families, including potential ransomware. Since January, Qbot orchestrated multiple malspam campaigns, compromising victims' systems through various methods. These include, but are not limited to, the use of OneNote files, PDF files, HTML smuggling, ZIP files, and more. Emotet is utilizing alternative file types, including the use of malicious OneNote files in a broad campaign in March.
The Guloader downloader released a new version in May which features fully encrypted payloads and advanced anti-analysis techniques. NjRat started the year with a comprehensive campaign infecting targets in the Middle East and North Africa.
XMrig remains the most prevalent crypto-miner which is used to generate revenue on infected platforms, often an early warning sign of a more serious infection.
In this report, we unveil a new statistical metric highlighting the most frequently utilized malicious Top-Level Domains (TLDs), as observed through Check Point's ThreatCloud AI since January 2022.
Domains, whether disguised as phishing sites or serving as the command and control (C&C) center of a prominent botnet, are frequently pivotal components of a threat actor's infrastructure. By understanding the various trends associated with TLDs, defenders can acquire another tool to evaluate the potential risk posed by certain TLDs to their organization.
Although TLDs are often thought of as something more stable in the threat landscape and as of something you do not need to keep tabs on, the recent introduction of Google's new .ZIP gTLD seemed to shatter this narrative. Google's announcement of the new .ZIP and .MOV gTLDs, which are identical to known file types, was greeted with dissatisfaction and scrutiny by the security community, as it showed new and unexpected behavior in existing applications, as well as presented even more ways to fool users and cause them to fall victim to phishing attacks.
Numerous factors may influence a threat actor's choice of one TLD over another. These include the specific organization they aim to impersonate, the availability of a particular TLD with their preferred domain registrar, or even the cost associated with the TLD.
Although less prevalent domains such as .xyz or .tk are often deemed more likely to be malicious, larger TLDs like .com and .net continue to be the more common choice for conducting malicious activities.
Presenting these statistics for the first time, we also include a historical review of 2022. In a somewhat surprising finding, we noticed a significant shift in the distribution of malicious TLDs starting from April 2022, a little more than a month after the onset of the Russian invasion of Ukraine on February 24. The proportion of malicious .RU domains in the group of all malicious TLDs surged dramatically from 2% to nearly 40%. Since then, .RU domains have consistently held the 3rd or 4th spot among all malicious TLDs. The Russian state-aligned Gamaredon APT is a regular “customer” of malicious .RU domains and is known for registering hundreds of domains through the REG.RU registrar over the past few years.
This section does not use Check Point direct sensor data, but features information derived from more than 120 ransomware shame-sites. Cybercriminals use these sites to amplify pressure on victims who do not pay the ransom immediately. Although this data comes from a dubious source and carries its own biases, it still provides valuable insights into the ransomware ecosystem, which currently poses the most significant risk to businesses. This data was collected in the period between January and June 2023.
In the first half (H1) of 2023, a total of 48 ransomware groups reported breaching and publicly extorting more than 2,200 victims. Among the active groups, Lockbit3 was the most prolific during this period, accounting for 24% of all reported victims with more than 500 cases. This represents a 20% increase in the number of reported Lockbit3 victims compared to H1 2022.
Veteran groups such as Lockbit, Alphv, and Cl0p have been joined by newer groups like Royal, Play, BianLian, and BlackBasta. The emergence of these new groups is partly attributed to the termination of the Hive and Conti Ransomware-as-a-Service (RaaS) groups. Rebranding is a common strategy employed within the ransomware ecosystem to impede law enforcement investigations. It is likely that the individuals behind these new operations are experienced actors who previously operated under different aliases and groups.
In terms of geographical distribution, 45% of affected companies are located in the United States, followed by the United Kingdom (7%) and Canada (4%). This distribution pattern aligns with previous years and underscores the focus of American authorities on combating ransomware.
This commitment was demonstrated by a US-led operation against the Hive ransomware group in January 2023, when the FBI successfully infiltrated Hive's computer networks, obtained decryption keys, and thereby prevented potential ransom payments of $130 million, all of which ultimately resulted in the group’s takedown. The unexpected presence of Russian entities among the victims is attributed to the emergence of a novel actor known as MalasLocker. Appearing in April 2023, MalasLocker has adopted an unconventional approach by substituting traditional ransomware demands with charitable donations. Notably, MalasLocker has targeted over 170 victims, with approximately 30% of them being Russian entities. This selection of victims within the ransomware ecosystem is highly atypical, as attacks on former Soviet Union targets are usually avoided.
Considering the industry sectors impacted by ransomware attacks, while data drawn from the Check Point ThreatCloud Cyber Threat Map places the education, government, and healthcare sectors as primary targets, the ransomware victim landscape presents a different perspective. Manufacturing and retail produce the most victims, with government and education entities ranking lower in the target hierarchy. This divergence likely stems from the varying capacities and inclinations of these sectors to comply with ransom demands, with educational and governmental organizations being less inclined to make payments and fall victim to attacks primarily aimed at exploiting personal and technical data.
The following information regarding top vulnerabilities is based on data collected by the Check Point Intrusion Prevention System (IPS) sensor net in 2023.
Newly identified vulnerabilities reported in 2023 were almost immediately utilized and implemented by threat actors. Attacks involving CVEs reported in 2022 account for 17% of all detected assaults, suggesting that threat actors are expediting the integration of new vulnerabilities into frequently employed attacks. To put this into perspective, 28% of attacks in the first half of 2023 leveraged new vulnerabilities (starting from 2021), compared to 20% in the first half of 2022 and 17% in the first half of 2021.