Research

Ransomware Expected to Increase 150% This Year

• By David Nagel
• 10/01/21

Ransomware and fileless malware are both seeing large surges this year. According to the newly released Q2 2021 Internet Security Report from WatchGuard Technologies, in the first six months of 2021, ransomware attacks were already at nearly the total volume for all of the previous year and are on target to see a 150 percent increase by the end of the year. According to WatchGuard: "While total ransomware detections on the endpoint were on a downward trajectory from 2018 through 2020, that trend broke in the first half of 2021, as the six-month total finished just shy of the full-year total for 2020. If daily ransomware detections remain flat through the rest of 2021, this year’s volume will reach an increase of over 150 percent compared to 2020."

Fileless malware — malware originating from scripting engines, such as PowerShell — is increasing at an even greater pace and is on track to double 2020's total this year. AMSI.Disable.A is one such malware type that's on the rise. According to WatchGuard: "AMSI.Disable.A showed up in WatchGuard’s top malware section for the first time in Q1 and immediately shot up for this quarter, hitting the list at No. 2 overall by volume and snagging the No. 1 spot for overall encrypted threats. This malware family uses PowerShell tools to exploit various vulnerabilities in Windows. But what makes it especially interesting is its evasive technique. WatchGuard found that AMSI.Disable.A wields code capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell, allowing it to bypass script security checks with its malware payload undetected."

Other findings from the report include:

• A massive 91.5 percent of all malware arrived over encrypted connection. "Put simply, any organization that is not examining encrypted HTTPS traffic at the perimeter is missing 9/10 of all malware," according to WatchGuard.

• Network attacks rose 22 percent in the quarter, reaching the highest level sine 2018. "Q1 saw nearly 4.1 million network attacks. In the quarter that followed, that number jumped by another million – charting an aggressive course that highlights the growing importance of maintaining perimeter security alongside user-focused protections."

• Microsoft Office continues to be a popular attack vector. WatchGuard reported a new 2017 RCE vulnerability that debuted in the second quarter as the No. 1 network attack. "Though it may be an old exploit and patched in most systems (hopefully), those that have yet to patch are in for a rude awakening if an attacker is able to get to it before they do."

• Aside from the 2017 RCE vulnerability, two other top-10 network attacks exploited old vulnerabilities, according to the report: a "2011 Oracle GlassFish Server vulnerability [and] a 2013 SQL injection flaw in medical records application OpenEMR…."

The report was based on "anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q2, WatchGuard blocked a total of more than 16.6 million malware variants (438 per device) and nearly 5.2 million network threats (137 per device)."

The complete Q2 2021 Internet Security Report is available on Watchguard's site (registration required).