2022 set to break records for ransomware detections following 'massive explosion' in Q1 - WatchGuard
The latest quarterly Internet Security Report from the WatchGuard Threat Lab showed detections in Q1 was double that of the whole of 2021
The number of ransomware detections in the first quarter of 2022 was double that of the total volume recorded during the whole of the previous year, according to new research from cybersecurity vendor WatchGuard.
The latest quarterly Internet Security Report from the WatchGuard Threat Lab showed that in Q1, WatchGuard blocked a total of more than 21.5 million malware variants (274 per device) and nearly 4.7 million network threats (60 per device).
That's despite Threat Lab's Q4 2021 report showing that ransomware attacks were trending downwards year-on-year.
EMEA was particularly badly hit, with overall regional detections of basic and evasive malware showing that WatchGuard Fireboxes in the region were more impacted than those in North, Central and South America (AMER) at 57 per cent and 22 per cent, respectively, followed by Asia-Pacific (APAC) at 21 per cent.
"Based on the early spike in ransomware this year and data from previous quarters, we predict 2022 will break our record for annual ransomware detections," said Corey Nachreiner, chief security officer at WatchGuard.
"We continue to urge companies to not only commit to implementing simple but critically important measures but also to adopt a true unified security approach that can adapt quickly and efficiently to growing and evolving threats."
What caused the rise?
WatchGuard analysis shows that despite the demise of the infamous REvil group, which was responsible for the attack on IT management software firm Kaseya last year, other groups such as LAPSUS$ and new ransomware variants such as BlackCat have been active.
Among the biggest factors behind the increase was the rise in attacks using the Log4Shell signature, which nearly tripled in the first quarter of this year, WatchGuard says.
This was highlighted as the top security incident in WatchGuard's previous Internet Security Report and ranked as a 10.0 on Common Vulnerability Scoring System (CVSS), the maximum possible criticality for a vulnerability because of its widespread use in Java programs and the level of ease in arbitrary code execution.
Emotet attacks also continued to increase, accounting for three of the top ten detections and ranking as the top widespread malware in the report.
Detections of Trojan.Vita, which heavily targeted Japan and appeared in the top five encrypted malware list, and Trojan.Valyria, both use exploits in Microsoft Office to download the botnet Emotet. The third malware sample related to Emotet, MSIL.Mensa.4, can spread over connected storage devices and mostly targeted networks in the US.
Moreover, overall endpoint detections for Q1 were up by around 38 per cent from the previous quarter with scripts, specifically PowerShell scripts, proving to be the dominant attack vector.
Accounting for 88 per cent of all detections, WatchGuard claims that scripts "single-handedly pushed the number of overall endpoint detections clear past the figure reported for the previous quarter", with PowerShell scripts responsible for 99.6 per cent of script detections in Q1.
Finally, all three of the new additions to the top malware domains list in Q1 were related to Nanopool - a popular platform which aggregates cryptocurrency mining activity to enable steady returns.