Q3 Malware Trends: Ransomware extorts education, Emotet and crypto mining malware evolve, and Android malware persists

Executive Summary

In the third quarter of 2020, Recorded Future observed major expansions in the tactics, techniques, and procedures (TTPs) of prominent ransomware operators, including the targeting of educational institutions and a continued increase in new ransomware operators using extortion tactics. Between July and October 2020, we identified the development of five new ransomware extortion websites. In addition, we identified a large spike in activity from NetWalker and a decline in Sodinokibi activity over the quarter.

Major trends within the desktop malware threat landscape included a resurgence of the prolific Emotet malware and a shift in the development in cryptocurrency mining malware. Emotet, a trojan malware that has infected targets worldwide, paused activity throughout Q2 but resurfaced in July to target organizations including state and local governments in the United States. And developers of cryptocurrency mining malware are adding additional features, other than simply mining cryptocurrency, to further infections.

Lastly, Android malware dominated the mobile threat landscape again this quarter, with mobile malware such as SpyNote resurfacing and references to Cerberus Banking Trojan spiking in association with the leak of the malware’s source code.

Key Judgments

• More threat actors will very likely adopt the ransomware extortion model as long as it remains profitable.
• Educational institutions continue to be a prime target for ransomware operators. We believe that disruptions caused by the COVID-19 pandemic have made the networks of universities and school districts attractive targets because these organizations feel increased pressure to stay operational with minimal disruptions and are therefore more likely to pay ransoms quickly.
• Reports of NetWalker attacks increased, and reports of Sodinokibi attacks decreased. However, it is possible that victims of Sodinokibi attacks are simply paying the ransom more often. Based on activity on underground forums, we suspect that the operators of Sodinokibi are continuing to expand their operations.
• While we expect Emotet’s operators to continue to employ major pauses, it is highly likely that Emotet will continue to be a major threat and impact organizations across a variety of industries throughout the end of the year and into 2021.
• In Q3 2020, threat actors have increasingly augmented their cryptocurrency mining malware by adding functionalities such as credential stealing or access capabilities. Assuming this trend continues, it is likely to result in malware that can cause more extensive damage to organizational systems than “traditional” cryptocurrency mining malware.
• It is very likely that threat actors will continue to use Android malware to target users into Q4 2020 based on the widespread use of Android OS devices and the dynamic tool sets distributed within the malware. In addition to general Android malware, banking and financial institutions will likely see a spike in fraud attempts as a result of the Cerberus Banking Trojan source code being released.