Check Point Software Technologies Ltd. a leading AI-powered, cloud-delivered cyber security platform provider, has published its Global Threat Index for August 2024. The index revealed that ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) operation has rapidly expanded since its rebranding from Knight ransomware, breaching over 210 victims worldwide. Meanwhile, Meow ransomware has emerged, shifting from encryption to selling stolen data on leak marketplaces. In India, Healthcare remained the most impacted industry last month followed by Education/Research and Government/Military. An organization in India is being attacked on average 3244 times per week in the last 6 months, compared to 1657 attacks per organization globally
Last month, RansomHub solidified its position as the top ransomware threat, as detailed in a joint advisory from the FBI, CISA, MS-ISAC, and HHS. This RaaS operation has aggressively targeted systems across Windows, macOS, Linux, and especially VMware ESXi environments, using sophisticated encryption techniques.
August also saw the rise of Meow ransomware, which secured the second spot on the top ransomware list for the first time. Originating as a variant of the leaked Conti ransomware, Meow has shifted its focus from encryption to data extraction, transforming its extortion site into a data-leak marketplace. In this model, stolen data is sold to the highest bidder, diverging from traditional ransomware extortion tactics.
“RansomHub’s emergence as the top ransomware threat in August underscores the increasing sophistication of Ransomware-as-a-Service operations,” said Maya Horowitz, VP of Research at Check Point Software. “Organizations need to be more vigilant than ever. The rise of Meow ransomware highlights the shift towards data-leak marketplaces, signaling a new method of monetization for ransomware operators, where stolen data is increasingly sold to third parties, rather than simply published online. As these threats evolve, businesses must stay alert, adopt proactive security measures, and continuously enhance their defenses against increasingly sophisticated attacks”.
Top malware families
The arrows relate to the change in rank compared to the previous month.
FakeUpdates is the most prevalent malware this month with an impact of 8% worldwide organizations, followed by Androxgh0st with a global impact of 5%, and Phorpiex with a global impact of 5%.
- FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
Top exploited vulnerabilities
- Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the effected system.
- HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
Top Mobile Malwares
This month Joker in the 1st place in the most prevalent Mobile malware, followed by Anubis and Hydra.
- Joker – An android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware signs the victim silently for premium services in advertisement websites.
- Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- Hydra– Hydra is a banking Trojan designed to steal banking credentials by requesting victims to enable dangerous permissions and access each time the enter any banking app.
Top-Attacked Industries Globally
This month Education/Research remained in the 1st place in the attacked industries globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 15% of the published attacks, followed by Meow with 9% and Lockbit3 with 8%.
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments, employing sophisticated encryption methods.
- Meow – Meow Ransomware is a variant based on the Conti ransomware, known for encrypting a wide range of files on compromised systems and appending the “.MEOW” extension to them. It leaves a ransom note named “readme.txt,” instructing victims to contact the attackers via email or Telegram to negotiate ransom payments. Meow Ransomware spreads through various vectors, including unprotected RDP configurations, email spam, and malicious downloads, and uses the ChaCha20 encryption algorithm to lock files, excluding “.exe” and text files.
- Lockbit3– LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.