Ransomware, Malware, Threat Management

The most prolific malware strains of 2021 are yesterday’s news with a modern twist

Skull message on computer screen.
In a joint publication released this week, the U.S. Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre laid out 11 of the most prolific malware strains tormenting businesses, governments and critical infrastructure last year. (Image credit: Art Alex via Getty)

The most popular strains of malware in 2021 were dominated by old characters with new twists, according to the U.S. and Australian governments.

In a joint publication released this week, the U.S. Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre laid out 11 of the most prolific malware strains tormenting businesses, governments and critical infrastructure last year. They include trojan malware like the credential and information-stealing Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, as well as backdoor trojans like Remcos and the multi-purpose Trickbot hacking tool.

All of those strains have been in circulation for at least five years, while two others on the list — Qakbot and Ursnif — have been used in hacking campaigns for more than a decade. The agencies say their enduring effectiveness over the years and their domination of 2021 can largely be attributed to the way cyber criminal actors have worked to modify, alter or re-use the same exploits to evade detection and infect new hosts.

“Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations,” the U.S. and Australian cyber agencies wrote, adding the silver lining that “malicious actors’ use of known malware strains offers organizations opportunities to better prepare, identify, and mitigate attacks from these known malware strains.”

Qakbot and Trickbot are both part of larger botnets that are used to hijack devices that can later be used as malware delivery vehicles to further infect other machines and gain initial access into organizations that can later be leveraged by ransomware actors and other cybercriminal organizations for more substantial compromises. Trickbot in particular has been associated by multiple threat intelligence organizations as an initial access route for the Conti ransomware gang, which U.S. government reporting attributed to more than 450 ransomware attacks in 2021.

The developers of these malware strains sit at the front-end of a cybercriminal ecosystem whereby they continually tweak their existing malware which goes to distributors and brokers who, in turn, sell them to end-users looking to leverage the malware in ongoing hacking campaigns.

This work is highly lucrative and — because many developers operate from Russia or other countries outside of U.S. or allied legal jurisdiction — comparatively low-risk.

The Biden administration spent its first year in office engaging with the Russian government, up to and including phone calls between presidents Joe Biden and Vladimir Putin, that specifically focused on ransomware and other cybercriminal groups operating freely within Russian borders. Those warnings did not lead to a measurable decrease in ransomware attacks from groups from Russian hacking groups.

In January 2022, a month before the invasion of Ukraine, Russian law enforcement authorities conducted arrests and raids for members of the REvil ransomware gang. At the time, it was widely interpreted as an attempt to head off damaging sanctions and other actions by the U.S. and Western governments in response to the invasion, which U.S. intelligence had been publicly forecasting for months.  

The arrests represented “a signal to the United States that this is the type of actions the Russians are capable of taking if they choose to, and one they won’t take if there is significant sanctions against the Russian economy for Ukraine,” said Dmitri Alperovitch, founder of the Silverado Policy Accelerator and a former chief technology officer of CrowdStrike, in January.

CISA and the Australian CSC said that organizations operating critical infrastructure should take a number of actions in the short term, like keeping software regularly patched (preferably through CISA’s Known Exploited Vulnerabilities catalog) implementing multifactor authentication, securing and monitoring remote desktop protocol and risky services that grant high-level access, having data backups in place and conducting user trainings around phishing and other tactics that often serve as entry points to larger infections.

Over the long term, protections like micro-segmentation may be warranted, as the CSC “has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions outside their control.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.