Australia tops ransomware target list for the first time

Bitdefender’s November Threat Debrief has been released, including a ransomware report. Part of a monthly series, the report analyses threat news, trends and research including top detected ransomware families and affected countries.

Ransomware report

Spear phishing attacks are often used as an initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, Bitdefender analysed malware detections collected in October 2022 from its static anti-malware engines*. Opportunistic adversaries and some ransomware-as-a-service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value.

Top 10 ransomware families

Malware detections from 1 October to 30 October were analysed and 189 families were identified in total. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries. WannaCry, GandCrab and Cerber were the top ransomware families detected, accounting for 74% collectively, with REvil/Sodinokibi also making an appearance.

Top 10 ransomware families.

Top 10 countries

Ransomware from 150 countries was detected in the dataset, with this type of threat continuing to touch almost the entire world. Many ransomware attacks continue to be opportunistic, and the size of population is correlated to the number of detections. Australia was joint eighth on the list detected, accounting for 5%, while the United States, Brazil and Iran were the top three accounting for a collective 52%.

Top 10 ransomware countries.

Android trojans

Below are the top trojans targeting Android seen in Bitdefender’s telemetry during October 2022.

• Downloader.DN – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
• SMSSend.AYE – Malware that tries to register as the default SMS application on the first run by requesting the consent of the user. If successful, it collects the user’s incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
• Banker.ACI, ACT, ACK – Polymorphic applications that impersonate legit apps (Google, Facebook, Sagawa Express ...). Once installed, it locates banking applications on the device and tries downloading a trojanised version from the C&C server.
• HiddenApp.AID – Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
• Triada.LC – Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload which the malware downloads and executes.
• Banker.XJ – Applications that drop and install encrypted modules. This trojan grants device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive, command and upload sensitive information.
• Agent.AQQ – A dropper malware is a trojan that hides the dangerous payload inside an app as an evasion technique. If it can avoid security defences, this payload is deployed. The malicious payload is decrypted and loaded by the dropper.
• SpyAgent.EM – Applications that exfiltrate sensitive data like SMS messages, call logs, contacts or GPS location.

Top 10 Android trojans.

Homograph phishing report

Homograph attacks work to abuse international domain names (IDN). Threat actors create international domain names that spoof a target domain name. When we talk about the ‘target’ of IDN homograph phishing attacks, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in a previous report.

myetherwallet.com, facebook.com, and paypal.com topped out the ‘top 10 spoofed domains’ in October, with google.com and hotmail.com also featuring.

^{*The Ransomware Report only counts total cases; not how monetarily significant the impact of infection is. When looking at this data, remember these are ransomware detections, not infections.}

Image credit: iStock.com/WhataWin