• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 

Watch out, Veeam fixed a new critical bug in Backup & Replication product

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber Crime
  • Hacking
  • Malware
  • Reports
  • Security
  • Ransomware en masse on the wane: top threats inside web-phishing in H1 2020

Ransomware en masse on the wane: top threats inside web-phishing in H1 2020

Pierluigi Paganini September 18, 2020

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic, it accounted for 46 percent of the total number of fake web pages.

Singapore, 09/18/2020 — Group-IB, a global threat hunting and intelligence company headquartered in Singapore, evidenced the transformation of the threat portfolio over the first half of 2020. It came as no surprise that web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages. Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed by Group-IB’s Computer Emergency Response Team (CERT-GIB) contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.

Downloaders, intended for the installation of additional malware,and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.

Opened email lets spy in

CERT-GIB’s report is based on data collected and analyzed by the Threat Detection System (TDS) Polygon as part of operations to prevent and detect threats distributed online in H1 2020. According to the data of CERT-GIB, in H1 2020, 43 percent of the malicious mails on the radars of Group-IB Threat Detection System had attachments with spyware or links leading to their downloading. Another 17 percent contained downloaders, while backdoors and banking Trojans came third with a 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.  

These findings confirm adversaries’ growing interest in Big Game Hunting.  According to Group-IB’s recent white paper “Ransomware Uncovered: Attackers’ Latest Methods”: ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.

Top-10 tools used in attacks tracked by CERT-GIB in the reporting period were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%). The new instruments detected in the first half of the year included Quasar, a remote access tool based on the open source; spyware Gomorrah that extracts login credentials of users from various applications; and 404 Keylogger, a software for harvesting user data that is distributed under malware-as-a-service model.

Almost 70 percent of malicious files were delivered to the victim’s computer with the help of archives, another 18% percent of malicious files were masked as office documents (with .doc, .xls and .pdf file extensions), while 14% more were disguised as executable files and scripts.

phishing ransomware report

Secure web-phishing

In the first six months of 2020, CERT-GIB blocked a total of 9 304 phishing web resources, which is an increase of 9 percent compared to the previous year. The main trend of the observed period was the two-fold surge in the number of resources using safe SSL/TLS connection – their amount grew from 33 percent to 69 percent in just half a year.

This is explained by the cybercriminals’ desire to retain their victim pool – the majority of web browsers label websites without SSL/TLS connection as a priori dangerous, which has a negative impact on the effectiveness of phishing campaigns. Group-IB experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.

Pandemic chronicle

Just as it was the case in the second half of 2019, in the first half of this year, online services like ecommerce websites turned out to be the main target of web-phishers. In the light of global pandemic and the businesses’ dive into online world, the share of this phishing category increased to remarkable 46 percent. The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.

Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.

The leadership in terms of the number of phishing resources registered has persistently been held by .com domain zone – it accounts for nearly a half (44%) of detected phishing resources in the review period. Other domain zones popular among the phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).

phishing ransomware report

 “The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails, — comments CERT-GIB deputy head Yaroslav Kargalev.—Ransomware operators have focused on targeted attacks,choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse. Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly. The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. Group-IB’s technological leadership is built on the company’s 17 years of hands-on experience in cybercrime investigations around the world and 60,000 hours of cyber security incident response accumulated in one of the biggest forensic laboratories and a round-the-clock center providing a rapid response to cyber incidents — CERT-GIB.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Hacking hacking news information security news IT Information Security malware phishing Pierluigi Paganini ransomware Security Affairs Security News

you might also like

Pierluigi Paganini June 24, 2025
Russia-linked APT28 use Signal chats to target Ukraine official with malware
Read more
Pierluigi Paganini June 24, 2025
China-linked APT Salt Typhoon targets Canadian Telecom companies
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Russia-linked APT28 use Signal chats to target Ukraine official with malware

    APT / June 24, 2025

    China-linked APT Salt Typhoon targets Canadian Telecom companies

    APT / June 24, 2025

    U.S. warns of incoming cyber threats following Iran airstrikes

    Cyber warfare / June 24, 2025

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    American steel giant Nucor confirms data breach in May attack

    Data Breach / June 23, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT