Q4 Malware Trends: Year Punctuated by Ransomware and Data Breaches Concludes With Sophisticated SolarWinds Attack
This report continues our quarterly series analyzing trends in malware use, distribution, and development throughout 2020. Insikt Group used the Recorded Future® Platform to look at mainstream news, security vendor reporting, technical reporting around malware, vulnerabilities, security breaches, and dark web and underground forums from October 1 to December 31, 2020, to examine major trends to malware impacting desktop systems and mobile devices. The trends outlined below illustrate the tactics, techniques, and procedures (TTPs) that had a major impact on technology. This report will assist threat hunters and security operations center (SOC) teams in strengthening their security posture by prioritizing hunting techniques and detection methods based on this research and data.
In Q4 2020, ransomware operators continued to have an opportunistic mindset when conducting campaigns, putting more emphasis on data theft extortion to increase their chances of profitability. There was an increase in Egregor activity throughout the quarter, likely due to Maze ransomware operators shutting down. There was also an increase in Conti ransomware as use of Ryuk, a persistent ransomware family throughout the year, plateaued.
Arguably the most significant malware attack of 2020 was disclosed to the public in this period: the SolarWinds supply chain attack. This attack was significant due to the sophistication of the attack along with the volume of prominent organizations impacted, including United States government entities, along with several prominent technology companies and cybersecurity organizations. As this attack is still being investigated, it is likely that there will be more details released associated with victims targeted and infrastructure used.
Trickbot, a malware family that has been persistent and prominent throughout the year, went through notable changes in Q4 2020, as multiple organizations worked together to take down the malware’s infrastructure before the November 2020 U.S. presidential election. While these efforts temporarily reduced Trickbot activity, the use of QakBot, a discrete loader malware, began to increase, likely as threat actors shifted away from Trickbot.
Lastly, Android malware continued to dominate the mobile malware landscape this quarter, with two new mobile malware variants emerging. While COVID-19-themed mobile malware activity dipped in Q3 after a high during the first half of the year, Insikt Group observed a resurgence of activity in Q4. This was especially true as virus cases increased and digital assets (websites, mobile applications, and so on) regarding the COVID-19 vaccine were released.