
Ransomware targeting endpoints is on the rise

by admin

Ransomware detections on endpoints are rising while malware detected on the network is falling, according to the WatchGuard Threat Lab's latest Internet Security Report. The report details the top malware trends, along with the network and endpoint security threats analysed by WatchGuard Threat Lab researchers in Q4 2022. Key findings include a decrease in malware detected on the network, a 627% increase in ransomware detections on endpoints, and a persistent threat from malware associated with phishing campaigns.

Ransomware affecting endpoints

Further analysis of the WatchGuard Firebox appliances that decrypt HTTPS (TLS/SSL) traffic reveals a higher incidence of malware, which indicates that malware activity has moved into encrypted traffic. Since only 20% of the Fireboxes providing data for this report have decryption enabled, the implication is that the vast majority of this malware goes undetected on appliances that do not inspect encrypted traffic. Encrypted malware activity has also been a recurring theme in other recent reports from the WatchGuard Threat Lab.

A worrying trend

Corey Nachreiner, Chief Security Officer at WatchGuard:
A continuing and worrying trend to emerge from our data shows that encryption is hiding the complete picture of malware attack trends. It is imperative for security professionals to enable HTTPS inspection. This ensures that these threats are identified and addressed before they can do any harm.

More findings from the Q4 2022 Internet Security Report

Ransomware detections on endpoints increased by 627%. This spike highlights the need for ransomware defences: modern security controls for proactive prevention, together with solid disaster recovery and business continuity (backup) plans.


93% of malware hides behind encryption. The research indicates that most malware hides in the SSL/TLS encryption used by secure websites. The fourth quarter continues this trend, with the share rising from 82% to 93%.

Network malware detections decreased by approximately 9.2% quarter over quarter (QoQ) in Q4, continuing an overall decline in malware detections over the past two quarters. When encrypted web traffic is taken into account, however, detected malware is higher. The WatchGuard Threat Lab team believes this declining trend does not paint the full picture and that more data from HTTPS inspection is needed to confirm the view.

Ransomware affecting endpoints is on the rise

Endpoint malware detections increased by 22%. While network malware detections decreased, endpoint detections increased in Q4, which supports the WatchGuard Threat Lab team's hypothesis that malware is travelling over encrypted channels. On the endpoint, TLS encryption matters less, because the browser has already decrypted the traffic by the time the Threat Lab's endpoint software inspects it. Among the top attack vectors, most detections were associated with scripts. Among browser-based malware detections, threat actors targeted Internet Explorer the most, followed by Firefox.

Zero-day or evasive malware dropped to 43% of detections in unencrypted traffic. While that is still a significant share of overall malware detections, it is the lowest the Threat Lab team has recorded in recent years. The story changes completely on TLS connections, where 70% of malware evaded signature-based detection.

Phishing campaigns have increased. Three of the malware variants in the report's top 10 list are used in various phishing campaigns. The most-detected malware family, JS.Agent.UNS, contains malicious HTML code that directs users to seemingly legitimate domains masquerading as well-known websites. Another variant, Agent.GBPM, creates a SharePoint phishing page named "PDF Salary_Increase".


The newest variant in the top 10, HTML.Agent.WR, opens a fake DHL notification page in French with a login link that leads to a known phishing domain. Phishing and business email compromise (BEC) remain a major attack vector, so defending against them requires effective preventive controls and security awareness training programmes.
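As an added example, not code from this article or from WatchGuard: a small Python triage script for the kind of HTML lure the two paragraphs above describe (JS.Agent.UNS bouncing the victim to a domain that masquerades as a well-known site, HTML.Agent.WR linking a DHL-themed page to a known phishing domain). It pulls every destination out of an HTML attachment (links, form actions, meta refresh, the usual JavaScript redirects) and classifies each host as trusted, blocklisted, a brand lookalike, or merely external. The brand list, the blocklist and the sample page are all constructed for the illustration; the registrable-domain logic is a deliberate simplification flagged in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical lists: brands to protect, and registrable domains already known to host phishing.
TRUSTED_DOMAINS = ("dhl.com", "sharepoint.com", "microsoft.com")
KNOWN_PHISHING = {"example-phish.top"}

_JS_REDIRECT = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.replace\(\s*['"]([^'"]+)['"]""")
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.I)

class _DestinationExtractor(HTMLParser):
    """Collect links, form actions, meta-refresh targets and JS redirects."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL.search(a.get("content") or "")
            if m:
                self.urls.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            for m in _JS_REDIRECT.finditer(data):
                self.urls.append(m.group(1) or m.group(2))

def extract_urls(html):
    parser = _DestinationExtractor()
    parser.feed(html)
    parser.close()
    return parser.urls

def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return (verdict, detail); verdict is trusted, blocked, lookalike or external."""
    host = host.lower()
    labels = host.split(".")
    # Simplification: registrable domain = last two labels. Wrong for co.uk-style
    # suffixes; a real tool would consult the public suffix list.
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else host
    if registrable in KNOWN_PHISHING:
        return "blocked", registrable
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", trusted
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels or brand in sld:  # dhl.example.net, secure-dhl.com
            return "lookalike", f"contains brand of {trusted}"
        if _levenshtein(sld, brand) <= (1 if len(brand) <= 5 else 2):  # dhI.com
            return "lookalike", f"typosquat of {trusted}"
    return "external", registrable

def triage(html):
    """Every destination not on a trusted domain, with its verdict."""
    findings = []
    for url in extract_urls(html):
        host = urlparse(url).hostname
        if not host:
            continue  # relative link, mailto:, javascript: and similar
        verdict, detail = classify_host(host)
        if verdict != "trusted":
            findings.append((url, verdict, detail))
    return findings

# Constructed sample in the style of the French DHL lure the report describes; not a real sample.
SAMPLE_DHL_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://dhl-colis-suivi.example-phish.top/login">
</head><body><p>Votre colis est en attente de livraison.</p>
<a href="https://www.dhl.com/fr-fr/home.html">Suivre le colis</a>
<a href="http://dhI.com/track">Se connecter</a>
<script>setTimeout(function () { window.location = "https://secure-dhl.com/auth"; }, 1500);</script>
</body></html>"""
```

Running `triage(SAMPLE_DHL_PAGE)` returns three findings: the meta-refresh target is on the blocklisted domain, `dhI.com` is a one-character typosquat of `dhl.com`, and `secure-dhl.com` carries the brand name inside its second-level label, while the genuine `www.dhl.com` link is left alone. The lookalike checks are deliberately crude (substring plus edit distance); in practice they belong behind a public suffix list and a confusable-character table, and the blocklist would be fed from threat intelligence.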

ProxyLogon exploits continue to grow. An exploit for this well-known, critical Microsoft Exchange vulnerability (spelled "ProxyLogin" in the report summary) rose from eighth place in Q3 to fourth place in Q4. It should have been patched long ago; where it has not been, security professionals need to know that attackers are actively targeting it. Old vulnerabilities can be as useful to attackers as new ones if they still allow a network or system to be compromised. Many attackers continue to target Microsoft Exchange servers and management systems, and organisations need to know where to direct their defensive efforts.

The report and the ransomware affecting the endpoints

The volume of network attacks is stable quarter over quarter. Technically it increased by 35 hits, which is only a 0.0015% change. Such a tiny variation is remarkable, as the next-smallest quarter-over-quarter change on record was 91,885, between Q1 and Q2 of 2020.

LockBit remains a prevalent ransomware group (and malware variant). The Threat Lab team continues to detect LockBit variants frequently, and the group appears to be the most successful at compromising companies with ransomware. Though down from the previous quarter, LockBit again had the highest number of publicly extorted victims. The Threat Lab team also identified 31 new ransomware and extortion groups in the fourth quarter.


Where does the report data come from

WatchGuard's quarterly reports are based on anonymised data from the Firebox Feed of active WatchGuard appliances whose owners have agreed to share data to support the Threat Lab's research. In Q4, WatchGuard blocked a total of over 15.7 million malware variants (194 per device) and over 2.3 million network threats (28 per device). The full report includes details on other malware and trends seen in Q4 2022, as well as recommended security strategies and critical defence tips for businesses of all sizes and in any industry.
