top of page

WatchGuard: 89% Surge in Endpoint Ransomware Attacks and Decline in Encrypted Malware

WatchGuard Technologies has released its latest Internet Security Report, providing valuable insights into the ever-evolving world of cyber threats. The report, compiled by WatchGuard Threat Lab researchers, sheds light on the increasing abuse of remote access software, the rise of password and information stealers, and the shift towards alternative techniques by threat actors.

Corey Nachreiner, the Chief Security Officer at WatchGuard, stressed the importance of staying informed about the latest tactics used by cyber adversaries. “Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection for networks and devices. But when it comes to attacks that employ social engineering tactics, the end user becomes the last line of defense between malicious actors and their success in infiltrating an organization. It’s important for organizations to provide social engineering education as well as adopt a unified security approach that provides layers of defense, which can be administered effectively by managed service providers.” 

Key findings from WatchGuard's report for Q3 2023 include:

1. Remote Access Software Abuse: Threat actors are increasingly leveraging remote management tools and software to evade anti-malware detection. Researchers identified a tech support scam that led victims to download an unauthorized version of TeamViewer, granting attackers full remote access to their computers.

2. Medusa Ransomware Surges: The Medusa ransomware variant experienced significant growth in Q3, contributing to an 89% increase in endpoint ransomware attacks. Medusa's generic signature detection was a notable factor in the rise.

3. Shift Away from Script-Based Attacks: The report highlighted a decrease of 11% in script-based attacks in Q3. However, scripting attacks remained the most prevalent, accounting for 56% of total attacks. The use of Windows living-off-the-land binaries increased by 32%, suggesting threat actors' adaptability in response to enhanced protection around scripting.

4. Encrypted Malware Decline: Malware arriving via encrypted connections decreased to 48% in Q3, signaling a significant drop from previous quarters. Nevertheless, total malware detections increased by 14%.

5. Email-Based Dropper Families: An email-based dropper family responsible for delivering malicious payloads featured prominently, comprising four of the top five encrypted malware detections in Q3. These droppers often masquerade as attachments in spear-phishing emails, tricking end-users into downloading malware.

6. Emergence of Commoditized Malware: A new malware family, Lazy.360502, made it to the Top 10 list, delivering adware and the Vidar password stealer. This highlights the trend of commoditized malware being used for cybercriminal activities.

7. Network Attacks Surge: Network attacks increased by 16% in Q3, with ProxyLogon ranking as the number-one vulnerability targeted, constituting 10% of all network detections.

8. New Signatures in Network Attacks: Three new signatures appeared in the Top 50 network attacks, including vulnerabilities in PHP Common Gateway Interface Apache (2012), Microsoft .NET Framework 2.0 (2016), and Drupal (2014), exposing potential vulnerabilities in these platforms.

The data analyzed in WatchGuard's quarterly report is based on anonymized, aggregated threat intelligence from active WatchGuard network and endpoint products. Users who have opted to share their data have contributed to WatchGuard's ongoing research efforts.

As the cybersecurity landscape continues to evolve, organizations are urged to remain vigilant and proactive in their security strategies. WatchGuard's report serves as a valuable resource for understanding current threats and developing robust defenses against cyber adversaries.


bottom of page