Surge in endpoint ransomware, decline in network-detected malware

Research indicates that encrypted connections have become the preferred method for malware delivery, putting organisations that don’t decrypt traffic at higher risk.

Thursday, 30th March 2023, by Phil Alsop

WatchGuard® Technologies has released findings from its most recent Internet Security Report, detailing the top malware trends and network and endpoint security threats analysed by WatchGuard Threat Lab researchers in Q4 2022. While key findings from the data showed declines in network-detected malware, endpoint ransomware increased a startling 627%, and malware associated with phishing campaigns continued to be a persistent threat.

Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic. Since just ~20% of Fireboxes that provide data for this report have decryption enabled, this indicates that the vast majority of malware is going undetected. Encrypted malware activity has been a recurring theme in recent Threat Lab reports.

“A continuing and concerning trend in our data and research shows that encryption – or, more accurately, the lack of decryption at the network perimeter – is hiding the full picture of malware attack trends,” said Corey Nachreiner, chief security officer at WatchGuard. “It is critical for security professionals to enable HTTPS inspection to ensure these threats are identified and addressed before they can do damage.”

Other key findings from the Q4 Internet Security Report include:

• Endpoint ransomware detections rose 627%. This spike highlights the need for ransomware defenses such as modern security controls for proactive prevention, as well as good disaster recovery and business continuity (backup) plans.

• 93% of malware hides behind encryption. Threat Lab research continues to indicate that most malware hides in the SSL/TLS encryption used by secured websites. Q4 continues that trend with a rise from 82% to 93%. Security professionals that don’t inspect this traffic are likely missing most malware and placing a greater onus on endpoint security to catch it.

• Network-based malware detections dropped approximately 9.2% quarter over quarter during Q4. This continues a general decline in malware detections over the last two quarters. But as mentioned, when considering encrypted web traffic, malware is up. The Threat Lab team believes this declining trend may not illustrate the full picture and needs more data that leverages HTTPS inspection to confirm this contention.

• Endpoint malware detections increased 22%. While network malware detections fell, endpoint detection rose in Q4. This supports the Threat Lab team’s hypothesis of malware shifting to encrypted channels. At the endpoint, TLS encryption is less of a factor, as a browser decrypts it for Threat Lab’s endpoint software to see. Among the leading attack vectors, most detections were associated with Scripts, which constituted 90% of all detections. In browser malware detections, threat actors targeted Internet Explorer the most with 42% of the detections, followed by Firefox with 38%.

• Zero-day or evasive malware has dropped to 43% in unencrypted traffic. Though still a significant percentage of overall malware detections, it’s the lowest the Threat Lab team has seen in years. That said, the story changes completely when looking at TLS connections. 70% of malware over encrypted connections evades signatures.

• Phishing campaigns have increased. Three of the malware variants seen in the report’s top 10 list (some also showing on the widespread list) assist in various phishing campaigns. The most-detected malware family, JS.Agent.UNS, contains malicious HTML that directs users to legitimate-sounding domains that masquerade as well-known websites. Another variant, Agent.GBPM, creates a SharePoint phishing page titled “PDF Salary Increase,” which attempts to access account information from users. The last new variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link that leads to a known phishing domain. Phishing and business email compromise (BEC) remain among the top attack vectors, so make sure you have both the right preventative defenses and security awareness training programs to defend against them.

• ProxyLogon exploits continue to grow. An exploit for this well-known, critical Exchange issue rose from eighth place in Q3 to fourth place last quarter. It should be long patched, but if not, security professionals must know attackers are targeting it. Old vulnerabilities can be as useful to attackers as new ones if they’re able to achieve a compromise. Additionally, many attackers continue to target Microsoft Exchange Servers or management systems. Organisations must be aware and know where to put their efforts into defending these areas.

• Network attack volume is flat quarter over quarter. Technically, it increased by 35 hits, which is just a 0.0015% increase. The slight change is remarkable, as the next smallest change was 91,885 from Q1 to Q2 2020.

• LockBit remains a prevalent ransomware group and malware variant. The Threat Lab team continues to see LockBit variants often, as this group appears to have the most success breaching companies (through their affiliates) with ransomware. While down from the previous quarter, LockBit again had the most public extortion victims, with 149 tracked by the WatchGuard Threat Lab (compared to 200 in Q3). Also in Q4, the Threat Lab team detected 31 new ransomware and extortion groups.