Security company Avast's Q2/2022 Threat Report, released today, documents a global rise in ransomware; it also reveals that the company's researchers uncovered a new zero-day exploit in Chrome, and signals how cybercriminals are preparing to move away from macros as an infection vector.
According to the Avast report, the highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).
“Consumers, but especially businesses should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon,” explains Jakub Kroustek, Avast Malware Research Director.
“The decline in ransomware attacks we observed in Q4/2021 and Q1/2022 was thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations.
“Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.”
Avast also reports that its researchers discovered two new zero-day exploits used by Israeli spyware vendor Candiru to target journalists in Lebanon, among others.
The first was a bug in WebRTC, which was exploited to attack Google Chrome users in highly targeted watering hole attacks, but also affected many other browsers. Another exploit allowed the attackers to escape the sandbox they landed in after exploiting the first zero-day. The second zero-day Avast discovered was exploited to get into the Windows kernel.
Another zero-day described in the report is Follina, a remote code execution bug in Microsoft Office, which Avast notes was widely exploited by attackers ranging from cybercriminals to Russia-linked APT groups operating in Ukraine - and the zero-day was also abused by Gadolinium/APT40, a known Chinese APT group, in an attack against targets in Palau.
Avast reports that Microsoft is now blocking VBA macros by default in Office applications.
Noting that macros have been a popular infection vector for decades, Avast reports that they were used by threats described in the Q2/2022 Threat Report, including remote access trojans like Nerbian RAT, a new RAT written in Go that emerged in Q2/2022, and by the Confucius APT group to drop further malware onto victims’ computers.
“We have already noticed threat actors beginning to prepare alternative infection vectors, now that macros are being blocked by default. For example, IcedID and Emotet have already started using LNK files, ISO or IMG images, and other tricks supported on the Windows platform as an alternative to maldocs to spread their campaigns,” says Kroustek.
“While cybercriminals will surely continue to find other ways of getting their malware onto people’s computers, we are hopeful that Microsoft’s decision will help make the internet a safer place.”
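The shift Kroustek describes, from macro documents to LNK shortcuts and ISO/IMG disk images, is something a mail gateway can be made to surface. The following is an added example, not code from Avast or its report: it classifies attachment names from constructed mail-gateway log lines (the key=value log format is an assumption) and flags shortcut files, disk images, and macro-enabled Office documents (that extension list is also an assumption). It resolves the extension the way Windows would, so a double extension such as `Payroll.pdf.lnk` and a trailing space or dot do not hide the real file type.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Extension classes. LNK shortcuts and ISO/IMG disk images are the alternatives
# to macro documents that the quoted report names. The macro-enabled Office
# extensions are an assumption added for this example to cover "maldocs".
SHORTCUT_EXTS = {"lnk"}
DISK_IMAGE_EXTS = {"iso", "img"}
MACRO_DOC_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}

# Constructed mail-gateway log lines (not real data) in an assumed key=value format.
SAMPLE_LOG = """\
2022-06-14T08:02:11Z msgid=1 from=billing@example.test attachment="invoice_0614.pdf"
2022-06-14T08:05:47Z msgid=2 from=hr@example.test attachment="Payroll.pdf.lnk"
2022-06-14T08:09:02Z msgid=3 from=vendor@example.test attachment="Order Details.iso"
2022-06-14T08:12:30Z msgid=4 from=partner@example.test attachment="quote.XLSM"
2022-06-14T08:15:55Z msgid=5 from=team@example.test attachment="notes.txt"
2022-06-14T08:18:03Z msgid=6 from=it@example.test attachment="update.img ."
"""

LINE_RE = re.compile(r'msgid=(?P<msgid>\d+) .*?attachment="(?P<name>[^"]*)"')


@dataclass(frozen=True)
class Finding:
    msgid: int
    filename: str
    category: str  # "shortcut", "disk_image" or "macro_document"
    reason: str


def real_extension(name: str) -> Tuple[str, str]:
    """Return (extension, lure_extension) as Windows would resolve them.

    Path components are dropped, and trailing spaces/dots are stripped because
    Windows ignores them when opening a file, so "update.img ." is really an
    .img. For "Payroll.pdf.lnk" the extension is "lnk" and the lure is "pdf".
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return "", ""
    ext = parts[-1]
    lure = parts[-2] if len(parts) > 2 and parts[-2] else ""
    return ext, lure


def classify_attachment(msgid: int, name: str) -> Optional[Finding]:
    """Classify one attachment; returns a Finding, or None when nothing matched."""
    ext, lure = real_extension(name)
    if ext in SHORTCUT_EXTS:
        reason = "Windows shortcut (.lnk) delivered by mail"
        if lure:
            reason += f", disguised as .{lure}"
        return Finding(msgid, name, "shortcut", reason)
    if ext in DISK_IMAGE_EXTS:
        return Finding(msgid, name, "disk_image",
                       f"disk image (.{ext}) that Windows mounts on open")
    if ext in MACRO_DOC_EXTS:
        return Finding(msgid, name, "macro_document",
                       f"macro-enabled Office document (.{ext})")
    return None


def scan_mail_log(lines: Iterable[str]) -> List[Finding]:
    """Run the attachment classifier over mail-gateway log lines."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an attachment record, skip it
        finding = classify_attachment(int(m.group("msgid")), m.group("name"))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_mail_log(SAMPLE_LOG.splitlines()):
        print(f"msg {f.msgid}: {f.category:14s} {f.filename!r}: {f.reason}")
```

On the constructed log this flags messages 2, 3, 4 and 6 and leaves the plain PDF and text attachments alone. An extension check is only a first filter: the same categories are worth matching on the file's content (a LNK header or an ISO 9660 signature) rather than its name, since a renamed file defeats a name-based rule.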
The full Avast Q2/2022 Threat Report can be found here.