During 2021, global cyber attacks against corporate networks increased by 50% compared to 2020. The “Education/Research” category was the most targeted sector, with an average of 1,605 attacks per organization every week (a 75% increase), while the “Software Vendor” category showed the largest year-on-year growth, up 146%. The rise in attacks against software vendors goes hand in hand with the growing trend of software supply chain attacks observed during 2021.
The charts above show that email has steadily established itself as the favored attack vector, while the use of websites to distribute malware payloads has slowly diminished since the beginning of 2020.
Whether used in a targeted attack or as part of an opportunistic campaign by a novice attacker, email-based attacks allow easy distribution of malware to a wide array of targets and organizations.
One of the reasons for this rise in email-based attacks is the large number of high-profile campaigns sponsored and run by major crime groups, which distribute today’s most prominent malware families, such as TrickBot, Dridex, Qbot, IcedID and Emotet.
Once these gangs realized the effectiveness of spam campaigns carrying malicious Office document attachments, they adopted them almost exclusively as their main vector for gaining an initial foothold in new networks.
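A practical check against the vector just described is to look inside the attachment rather than trust its extension. Modern Office files (.docx, .docm, .xlsm and so on) are OOXML ZIP archives, and a document that carries VBA macros contains a “vbaProject.bin” part; a mail gateway can quarantine those by content, which also catches a macro-enabled file renamed to .docx. The following Python is an added example and is not code from Check Point or from this report: the OOXML archives and the legacy OLE2 sample are constructed in memory purely for the demonstration, and legacy binary formats (.doc, .xls) are only flagged for review, since inspecting their macro storage needs a proper OLE parser such as oletools’ olevba.

```python
"""Triage e-mail attachments for macro-bearing Office documents.

Added example (not Check Point's code). OOXML files are ZIP archives; a
document carrying VBA macros contains a 'vbaProject.bin' part, so the check
below is content-based and independent of the attachment's file extension.
Legacy OLE2 containers (.doc/.xls) are only flagged for review here, because
locating macros inside them requires an OLE parser (e.g. oletools' olevba).
All sample attachments are constructed in memory and are not real malware.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if 'data' is a ZIP (OOXML) archive containing a VBA project part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin, etc.
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Truncated or corrupt archive: not a parsable OOXML document.
        return False


def classify_attachment(data: bytes) -> str:
    """Verdict based on content only, so a renamed .docm cannot slip past an extension filter."""
    if has_vba_project(data):
        return "quarantine"  # macro-enabled OOXML document
    if data.startswith(OLE_MAGIC):
        return "review"      # legacy binary Office format; inspect with an OLE-aware tool
    return "allow"


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict for all attachments of one message."""
    return {name: classify_attachment(data) for name, data in attachments.items()}


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 container; a stub suffices here.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed sample attachments (hypothetical names, not real samples).
SAMPLE_ATTACHMENTS = {
    "invoice_2021.docm": _build_ooxml(with_macro=True),
    "report.docx": _build_ooxml(with_macro=False),
    "renamed.docx": _build_ooxml(with_macro=True),   # macro project hidden behind a .docx name
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 8,       # legacy OLE2 container
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20} -> {verdict}")
```

The verdict for “renamed.docx” is the point of the content-based check: Word will not run macros from a .docx name, but an extension filter that allows .docx and blocks .docm would still pass the file through, and a later rename by the lure (or by the user) restores the threat.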
Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and December 2021. For each of the regions below, we present the most prevalent malware.
Notable changes since our last yearly global malware ranking are that the RigEK exploit kit and the LokiBot infostealer have dropped out of our top 10, replaced by the Glupteba botnet and the Remcos RAT.
TrickBot rose to the top of the chart in February, replacing Emotet, and kept this ranking for the rest of 2021. TrickBot is a modular botnet and banking Trojan that targets the Windows operating system. It is credited with Emotet’s revival in November 2021, when it was found distributing its fellow malware. TrickBot is constantly updated with enhanced capabilities, features and distribution vectors, making it a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. It served as a popular means of initial access in targeted attacks, followed by malware such as Ryuk, Conti or Bazar. Despite TrickBot’s brief takedown in October 2020, it remained prominent in our top malware charts throughout 2021 and was involved in one of the most serious ransomware attacks of the year, the Conti ransomware attack on Ireland’s Health Service Executive.
Phorpiex is a botnet which at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns, as well as for fueling large-scale spam and sextortion campaigns and ransomware spread. Phorpiex, which hit its low point mid-year, ended 2021 with a higher ranking than it had a year earlier. In December, Check Point Research spotted Phorpiex’s resurgence with a brand-new variant called “Twizt”, which enables it to operate in peer-to-peer mode without active C&C servers. In one year, Phorpiex bots successfully hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether and US$ 55,000 in ERC20 tokens, worth almost half a million US dollars in total.