Bitdefender Consumer Threat Landscape Report reveals Top 5 Windows Threats

Withoutfurtherradu Security Communication Specialist BD Staff
edited July 2022 in News and Blogs

Of the many threats we’ve seen targeting Windows systems last year, five key categories have remained in place: Trojans, PUAs, Exploits, Miners and Ransomware.

The vast majority of threats detected on Windows platforms in 2021 were trojans, with a 50% share, including specific families like Trickbot, Emotet, Dridex, AgentTesla and many other generic detections. Trojans make up the bulk of the threat spectrum because they are often detected in the primary stages of a given attack. Trojans are extensively used to serve up secondary payloads to achieve the true scope of the attack, not least of which are ransomware, crypto miners and malware designed to exploit unpatched vulnerabilities.

Potentially Unwanted Applications (PUAs), despite not being considered actual malware, come in second with 43% of the detections.

Exploits and Miners come in third and fourth place, with 3% and 2% of the detections, respectively.

Although extremely profitable and destructive when used against companies and organizations, ransomware only accounts for 1% of the attacks against regular consumers. 

1. Trojans

In 2021, Trojans were used extensively against high-profile targets. Despite international efforts to dismantle big-name Trojans like Trickbot, Emotet, Dridex and AgentTesla, cybercriminals continued to leverage these infamous malware families. However, their notoriety has dwindled to oblivion, as the numbers indicate only a handful of highly targeted attacks. Nonetheless, they remain on the map of the top threats to Windows endpoints globally. As in previous years, cybercriminals extensively leveraged Trojans to harvest credentials, steal sensitive data, deliver ransomware or hijack computing power to mine cryptocurrency.

Trickbot

Trickbot is not only used to steal data and harvest credentials. It has also been used in ‘access-as-a-service’ attacks to infect systems with ransomware. It is propagated by executables, batch files, email phishing, Google Docs and even fake sexual harassment claims. It is designed to worm its way across the target network and compromise endpoint after endpoint, gaining persistence. While the US again stands out with a considerable share of attacks, at 23% of the global average, Romania curiously tops the chart in attempted Trickbot infections in 2021, with a 31% share of global attacks leveraging the infamous malware. Latin America is the only other territory registering a double-digit figure (11%) in Trickbot activity. The numbers may seem surprising at first glance, but they’re not. Compared to the intense Trickbot activity of 2020, 2021 was very calm. As international police worked hard to dismantle Trickbot operations, the botnet’s share shrank to a paltry 1%. But since Trickbot activity was overall much lower than in previous years, the notorious Trojan was likely used only in a handful of targeted attacks. These low detection rates should come as no surprise. Efforts by governments and cybersecurity vendors in the past two years have nearly extinguished the botnet’s operations. Yet Trickbot doesn’t seem to be completely out of the picture. Samples still crop up in our telemetry, albeit more scarcely than before, suggesting that cybercriminals still rely on its unique capabilities. In any case, Trickbot is no longer central to any particular botnet or crime ring at the moment.

Dridex

Dridex is notoriously specialized in stealing bank credentials via tainted macros. Successful Dridex infections typically end up with fraudulent transactions. Like with Trickbot, international efforts have dented its operations by identifying and charging those responsible for developing and operating the malware. Dridex attacks were mostly detected in the US, UK, Romania, Germany and Italy, with other territories recording far fewer attempts by those wielding the banking Trojan.

Agent Tesla

The AgentTesla Trojan typically arrives via spam email. Threat actors use it in password-stealing and surveillance campaigns. Essentially a keylogger, AgentTesla was mostly active in the US, Latin America, Germany, CEE, Romania and Italy. Attackers used spray-and-pray techniques to infect as many internet users as possible and did not discriminate between targets. AgentTesla attacks notably increased from quarter to quarter, peaking in the final months of 2021.

Emotet

Emotet malware initially debuted as a simple banking Trojan aimed at stealing credentials from infected hosts. In recent years, Emotet operators reconfigured the malware to work as a ‘loader’ and deliver second-stage payloads, which can be anything from spyware to ransomware. Like Trickbot and Dridex, Emotet has had a tiny market share among Trojans in general (due to the reasons stated in the Trickbot section). Threat actors have historically used Emotet as part of a botnet rented out to affiliates. Inspired by a typical Infrastructure-as-a-Service (IaaS) model, malicious actors have used the botnet to buy access to already-infected computers and deploy ransomware.

2. Potentially Unwanted Applications (PUA)

Accounting for 43% of all threats directed at Windows systems, PUAs walk the thin line between malware and nuisance. While PUAs generally only hog system resources, often they also display aggressive ads and offer secondary downloads that might hide actual threats, like crypto miners or data-stealing malware. PUA operators prefer large territories with massive PC user bases. The US and Latin America again make up the bulk, with 25% and 20% of PUA reports, respectively. This high concentration of PUA activity on a single continent leaves all other areas in the single digits, as shown below. Among the single-digit regions, France stands out with a comparatively concentrated 9% of PUA reports. Unlike crypto miners, PUAs seem more active in the first half of the year.

3. Exploits

Exploit-based attacks were fairly evenly distributed, with the US registering a notably higher number of attempted attacks (30%) – as is typically the case, year after year. Second in line was the Asia-Pacific (APAC) region, with a 10% share, followed by Latin America, Germany and the UK with 9%, Romania at 5%, Central-Eastern Europe along with Italy at 7%, and France, Spain and Australia at 4%.

4. Coin Miners

There’s no shortage of ways to get infected with a coin miner. From data breaches to PUAs to warez downloads, coin miners crop up all the time in our data, and 2021 was no exception. Like most threats analyzed in this report, coin mining is mostly prevalent in high-yield regions where computing power abounds. As such, the Americas again take the lion’s share, with a combined 33%, trailed by the Asia-Pacific region with 10%. Other areas analyzed here are seeing a fairly even, single-digit distribution. Mining has been fairly even throughout the year, with a slight increase in reports towards the second half of the year.

5. Ransomware

2021 was an active year for ransomware operators. SolarWinds, Colonial Pipeline, Kaseya and Brenntag are just some of the big names involved in high-profile ransomware attacks that the US Treasury tied to $5.2 billion worth of payments during 2021 alone. Ransomware reports are typically more common in high-yield geographies, and 2021 was no exception. Extortionists favored territories with big-name companies and large critical infrastructures – key traits that indicate a victim is likely to pay up. The US leads the pack, with 33% of attacks targeting the North American territory, followed by Germany with a significant 12% share, Latin America and Italy with 11%, UK and APAC with 8% and 6% respectively, Romania and Australia with 4% each, and CEE, France and Spain with 3% each.

If you want to find out more, or check the threat list for other platforms, you can access the 2021 CONSUMER THREAT LANDSCAPE REPORT here.