Australia tops ransomware target list for the first time


Monday, 05 December, 2022


Bitdefender’s November Threat Debrief has been released, including a ransomware report. Part of a monthly series, the report analyses threat news, trends and research including top detected ransomware families and affected countries.

Ransomware report

Spear phishing attacks are often used as the initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, Bitdefender analysed malware detections collected in October 2022 from its static anti-malware engines*. Opportunistic adversaries and some ransomware-as-a-service (RaaS) groups account for a higher share of detections than groups that are more selective about their targets, since they prefer volume over higher-value victims.

Top 10 ransomware families

Malware detections from 1 October to 30 October were analysed and 189 families were identified in total. The number of detected ransomware families varies from month to month, depending on the ransomware campaigns running in different countries. WannaCry, GandCrab and Cerber were the three most detected ransomware families, accounting for 74% of detections between them, with REvil/Sodinokibi also making an appearance.

Top 10 ransomware families.

Top 10 countries

Ransomware was detected in 150 countries in the dataset, so this type of threat continues to touch almost the entire world. Many ransomware attacks remain opportunistic, and a country's population size correlates with its number of detections. Australia was joint eighth on the list, accounting for 5% of detections, while the United States, Brazil and Iran were the top three, accounting for 52% between them.

Top 10 ransomware countries.

Android trojans

Below are the top trojans targeting Android seen in Bitdefender’s telemetry during October 2022.

  • Downloader.DN – Repacked applications taken from the Google Play Store and bundled with aggressive adware. Some of this adware downloads other malware variants.
  • SMSSend.AYE – Malware that tries to register as the default SMS application on first run by requesting the user's consent. If successful, it collects the user's incoming and outgoing messages and forwards them to a command and control (C&C) server.
  • Banker.ACI, ACT, ACK – Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express, ...). Once installed, they locate banking applications on the device and try to download a trojanised version from the C&C server.
  • HiddenApp.AID – Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks for permission to display on top of other apps. With this permission, the application can hide itself from the launcher.
  • Triada.LC – Malware that gathers sensitive information about a device (device IDs, subscriber IDs, MAC addresses) and sends it to a malicious C&C server. The C&C server responds with a link to a payload, which the malware downloads and executes.
  • Banker.XJ – Applications that drop and install encrypted modules. This trojan requests device admin privileges and gains the ability to manage phone calls and text messages. After deployment, it maintains a connection with the C&C server to receive commands and upload sensitive information.
  • Agent.AQQ – A dropper trojan that hides its malicious payload inside an app as an evasion technique. If it can avoid security defences, the dropper decrypts and loads the payload.
  • SpyAgent.EM – Applications that exfiltrate sensitive data such as SMS messages, call logs, contacts or GPS location.

Top 10 Android trojans.

Homograph phishing report

Homograph attacks abuse internationalised domain names (IDN). Threat actors register international domain names whose characters look like those of a target domain, so that the spoofed name is visually indistinguishable from the real one. When we talk about the 'target' of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in a previous report.

myetherwallet.com, facebook.com and paypal.com were the three most spoofed domains in October's 'top 10 spoofed domains' list, with google.com and hotmail.com also featuring.
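To make the mechanism concrete, here is an added example (written for this page, not Bitdefender's detection code) of how a defender can flag an IDN homograph of a watched domain. It decodes punycode (`xn--`) labels with the standard library `idna` codec, collapses a hand-picked subset of the Unicode confusables table into ASCII to build a "skeleton" of the name, and compares that skeleton with the watched domains named above. The confusables mapping, the watched list and the character-name-based script check are assumptions and simplifications: the real confusables table has thousands of entries, and the stdlib has no Unicode script property, so the script of a character is approximated from the first word of its Unicode name.

```python
"""Toy IDN homograph detector: added example, not Bitdefender's tooling."""
import unicodedata

# Assumption: a small hand-picked subset of the Unicode confusables table,
# mapping look-alike characters (Cyrillic, Greek, digits) to the ASCII
# letter they imitate. A production tool would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i", "1": "l", "0": "o",
}

# The domains named in the report's top 10, used here as the watch list.
WATCHED = ("myetherwallet.com", "facebook.com", "paypal.com",
           "google.com", "hotmail.com")


def to_unicode(domain: str) -> str:
    """Return the U-label form: decode xn-- (punycode) labels, lower-case the rest."""
    domain = domain.strip().rstrip(".").lower()
    if "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    return domain


def script_of(ch: str) -> str:
    """Heuristic script detection: first word of the Unicode character name
    (e.g. 'CYRILLIC', 'LATIN', 'GREEK'); digits and punctuation are 'COMMON'."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so that a spoof and its target compare equal."""
    text = unicodedata.normalize("NFKD", to_unicode(domain))
    out = []
    for ch in text:
        if unicodedata.combining(ch):  # drop accents, e.g. e + U+0301 -> e
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyse(domain: str, targets=WATCHED) -> dict:
    """Report whether `domain` mixes scripts inside a label and whether its
    skeleton collides with a watched domain it is not identical to."""
    uni = to_unicode(domain)
    labels = uni.split(".")
    mixed = any(len({script_of(c) for c in lab} - {"COMMON"}) > 1 for lab in labels)
    skel = skeleton(uni)
    target = next((t for t in targets if skeleton(t) == skel), None)
    return {
        "unicode": uni,
        "skeleton": skel,
        "mixed_script": mixed,
        "spoofs": None if (target is None or uni == target) else target,
    }


if __name__ == "__main__":
    # Constructed samples: Cyrillic р/а with a Latin y, and a digit-for-letter swap.
    for sample in ("paypal.com", "\u0440\u0430y\u0440\u0430l.com", "paypa1.com",
                   "\u0440\u0430y\u0440\u0430l.com".encode("idna").decode("ascii")):
        print(sample, "->", analyse(sample))
```

The mixed-script flag alone is not enough: a label written entirely in one non-Latin script (every character Cyrillic, say) passes that check but still collides with the target once confusables are collapsed, which is why the skeleton comparison is the decisive test. Feeding the A-label (`xn--...`) form exercises the punycode decoding path, since that is how the name appears in DNS logs and certificate transparency feeds.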

*The Ransomware Report counts total cases only, not how monetarily significant the impact of each infection is. When looking at this data, remember that these are ransomware detections, not infections.

Image credit: iStock.com/WhataWin



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd