Analysis of 200,000+ malware files demonstrates shift towards ransomware
Picus Security, the pioneer of Breach and Attack Simulation (BAS) technology, today announced the release of its 2021 Red Report. The report is a comprehensive analysis of attacker behavior and highlights the top 10 most widely seen attack techniques over the last 12 months.
In compiling its research, Picus analyzed more than 200,000 malware samples to identify the behaviors they exhibit. In total, the company’s researchers observed 2.2 million malicious actions, which they mapped to the MITRE ATT&CK framework, a widely used knowledge base of adversary tactics and techniques.
The Red Report 2021 Top Ten list of the most common ATT&CK techniques demonstrates how cybercriminals have shifted towards ransomware over the last 12 months. In addition to being more likely to encrypt a target’s data, it shows that malware variants in 2021 are increasingly sophisticated and evasive, making it harder to detect and respond to them.
Key findings of the Red Report 2021 include:
- Malware is rapidly becoming more sophisticated. In 2020, Picus reported that, on average, 9 malicious actions were exhibited by a single malware file, a figure which has risen to 11 actions per file in 2021.
- 2021 has seen a spike in malicious malware designed to encrypt a target’s data. The ATT&CK technique ‘Data Encrypted for Impact’ enters the Red Report Top Ten for the first time, with one in five malware variants now able to encrypt files.
- Five of the top ten techniques observed by Picus are categorized under ATT&CK’s “Defense Evasion” tactic. Two thirds of malware files include at least one such technique, underlining attackers’ determination to avoid detection.
- 5% of malware files analyzed in the report exhibit virtualization/sandbox evasion tactics. These malware variants can change their behavior in a virtual machine environment (VME) or sandbox, which helps them evade detection and analysis.
- ‘Command and Scripting Interpreter’ is the most prevalent ATT&CK technique observed by Picus, exhibited by a quarter of all malware samples analyzed. This demonstrates the extent to which attackers are abusing legitimate applications like PowerShell to execute their commands, rather than creating custom tools.
Picus’ in-depth analysis of hundreds of thousands of real-world threat samples were collected from a wide variety of sources, including commercial and open-source threat intelligence services, security vendors, researchers, malware sandboxes, and forums.
“Variant has become a word that strikes panic into most people, but security teams have been concerned by the threat of new malware variants for years,” said Dr Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs.
“The 2021 Red Report top ten highlights the proliferation of ransomware and the extent to which attackers continue to vary their approach, including using defense evasion and other sophisticated techniques to achieve their objectives.”
“Only by adopting a threat-centric approach can organizations fully understand how prepared they are to defend against the most common attack techniques and develop the capabilities needed to prevent, detect and respond to them continuously.”
The findings of the Red Report will be discussed in more detail at SOCReload 2021, Picus Security’s virtual event for security professionals which is taking place on 1st December from 14.00 GMT. The theme of this year’s event is ‘The Modern SOC’ and features speakers from organizations including SANS, MCAFEE, VMWARE, DARKTRACE, SECURONIX, CISCO TALOS and more.
For more information, visit www.picussecurity.com