Trends reveal the “nastiest malware” of 2022.
N2K logoOct 5, 2022

Most of it's ransomware. Open Text has detailed the worst malware of the year, highlighting many strains of ransomware. Plus, some notes on Conti from Flashpoint.

Trends reveal the “nastiest malware” of 2022.

Open Text has released a report detailing the nastiest malware of 2022. Emotet, LockBit, Conti, Qbot, Valyria, and CobaltStrike/Brute Ratel, as well as some honorable mentions, are highlighted in the report.

Emotet tops the leader board.

Emotet is highlighted first, described in the report as “the most successful botnet in existence.”

“Emotet is just the first stage, and its job is to create a foothold on the victim's computer for follow-up malware that will then move laterally and compromise the rest of the environment before bringing in the final payload of ransomware. Emotet is so effective and resilient, it is crowned our king of nastiest malware,” the report says.

Runners up: LockBit and Conti.

LockBit, referred to by the report as “this year's most prolific and successful ransomware group,” has provided Ransomware-as-a-Service (RaaS) for about three years, and has evolved into triple extortion. It is noted that LockBit is the only ransomware that accepts payments in Bitcoin, Monero, and Zcash.

Conti was highlighted next as the nastiest malware, despite them appearing to be “gone.”

“If you’ve heard of HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte just know that Conti group affiliates are now behind those ransomware groups,” the report reads.

Also-rans: Qbot, Valyria, and Cobalt Strike.

Qbot is highlighted next, described as the “oldest infostealing trojan still receiving updates today.” Qbot has been dropped by Emotet, and partnered with Conti, ProLock and Egregor.

Valyria is a former banking trojan turned malspam botnet. The botnet utilizes email attachments that turn into malicious scripts that eventually spiral into ransomware. It has been seen partnering with Emotet, and has been noted to be difficult to detect and remediate due to its complexity.

Cobalt Strike is a pentesting tool created by white hat hackers that has been mishandled by bad actors. The report highlights how the tool is designed to evade defenses, but doesn’t receive the same attention as malware as a service.

Dishonorable mentions: Shlayer and XMRig.

Honorable mentions include Shlayer and XMRig, and included in the report are details on how businesses and individuals can stay safe from malware threats.

Getting to know Conti.

In a separate study, Flashpoint has offered a closer look at the infamous Conti ransomware gang, one of the most prolific threat groups in history. Conti gained significant notoriety this year leaked private chats between Conti members and a fracture of the group indicated there were internal divisions that could threaten the gang’s future. First observed around February 2020, Conti is led by Russia-based threat actors. In August of that year it launched a data leaks site to publish confidential documents stolen during its attacks, and by the end of the year they had leaked the data of over one hundred fifty companies. It’s considered a ransomware-as-a-service (RaaS) variant, but it’s unique because, rather than giving initial deployers a percentage of the ransom payment, affiliates are paid a set wage. Notable victims include Japanese electronics manufacturer JVCKenwood, Ireland’s Health Service, and the Costa Rican government, whose officials were forced to declare a national emergency in the wake of the attack.