


Reduce, reuse, recycle: Bad actors practicing the three Rs

Mar 15, 2023 · 5 min read


Malware has a way of grabbing all the attention in the media and keeping companies on their toes. The world watched as wipers were deployed against Ukrainian organizations after the Russian invasion of Ukraine, which marked the beginning of a period of instability that also included ransomware and infostealers. Adding to the negative cybersecurity load of 2022, the contemporary version of ransomware marked its 10-year anniversary.

And if that weren’t enough, our FortiGuard Labs researchers have seen that cybercriminals – like any sensible businessperson – are big proponents of getting the most out of their resources. You might say they’re practicing the reduce, reuse, recycle principles, but instead of being focused on environmental concerns, they’re retrofitting code to enable more successful criminal outcomes. 

Everything old is new again

Apparently, it’s not just diamonds that are forever – so are certain strains of malware. In the second half of 2022, our researchers saw the resurgence of familiar names in the malware, wiper and botnet space – including Emotet and GandCrab, to name a few. The top five ransomware families, out of a total of 99 detected, accounted for about 37% of all ransomware activity in the second half of 2022. The most prominent was GandCrab, a ransomware-as-a-service (RaaS) threat that surfaced in 2018.

FortiGuard Labs also investigated a group of Emotet variations to assess their propensity for borrowing and recycling code. According to the research, Emotet has undergone significant diversification, with variants dividing into about six different “species” of malware. Not content to simply automate threats, cyber-attackers aggressively improve upon successful innovations.

Cyber adversaries have an entrepreneurial spirit and are constantly seeking ways to get more value out of their existing investments and know-how in attack operations, increasing both their effectiveness and their profitability. Reusing code allows hackers to build on previously successful results while iteratively improving their attacks and getting past defensive barriers. In fact, in our analysis of the most common malware for the second half of 2022, we saw that the bulk of the top ranks were occupied by malware that was more than a year old. Some of them – like Lazarus – have existed for more than 10 years and are pillars of the history of the internet.

Resurrecting old tactics

Along with reusing code, attackers are maximizing opportunities by using well-known threats and existing infrastructure. For instance, if we look at botnet threats by pervasiveness, many of the top botnets aren’t novel. Mirai and Gh0st.Rat have continued to dominate across all geographies, which isn’t surprising. Among the top five observed botnets, only RotaJakiro was created in the last couple of years. Although there’s a tendency to dismiss such long-standing risks as history, businesses in all industries must maintain their vigilance.

Such “vintage” botnets remain in wide circulation because they continue to be highly effective. Because there is a return on investment, clever hackers will continue to exploit current botnet infrastructure and transform it into increasingly persistent versions using highly specialized techniques. In particular, the manufacturing sector, managed security service providers (MSSPs), and the telco/carrier sector were all major targets of Mirai in the second half of 2022. This demonstrates an intensive effort by criminals to target those sectors with tried-and-true techniques.

Getting ahead of the game

It can be difficult for enterprises to keep up with constantly changing threats. The reuse of code and the modularization made possible by a burgeoning Crime-as-a-Service ecosystem underscore the value of prompt security services that can help enterprises fend off threats with AI-powered, coordinated defense. Moreover, companies can achieve quicker detection and enforcement across the full attack surface if there is integration across all security devices, thereby lowering their overall risk.

Beyond technology, cybersecurity strategy really comes down to people.

It takes a global team effort with robust, trustworthy relationships and collaboration among cybersecurity participants across public and commercial organizations and sectors to successfully disrupt cybercriminal supply chains.

Cyber awareness and hygiene training must be a cornerstone of any company – this must extend to all employees, not just those in IT or security functions. An estimated 80% of organizations reported last year that they’d suffered one or more breaches due to a lack of cybersecurity skills and awareness.

Prepare for what’s next

The latter half of 2022 was interesting, to say the least. Understanding the trends from this period will help you better understand how to keep your company operating safely. Based on what we have observed over the past six months, we cannot dismiss older threats. They are still actively evolving and searching for both unpatched systems and fresh vulnerabilities that will enable them to spread. Companies that use the above information and best practices will be better prepared to face what’s next on the threat horizon.

Learn more about the latest cyber threat trends in the semiannual Global Threat Landscape Report from FortiGuard Labs.