Freely subscribe to our NEWSLETTER

We saw some previous big players exit the scene this year, some vacation to the beach and some off to prison. In any event, 2021 was one where cyberthreats, especially ransomware, dominated the news.

Ransomware extortion has evolved from a trend into a new normal. Every major ransomware campaign is running the double extortion method, a scary prospect for small businesses. Not only are they stealing and locking files away, but the bad actors will absolutely leak data in the most damaging way if a ransom settlement is not reached. The good news (I guess) is that last year’s average ransom payment of $200,000 was its peak, and today’s average is just below $150,000.

The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience. The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it – just like a hydra head, or zombies! To top it off, supply chain attacks are becoming a massive issue.

Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware. This highlights the importance of user education – after all, every monster has a weakness. You just need to stake a vampire, cut off the head of a zombie or train users not to click on these phishing lures or to enable macros from the attachments – these methods are proven in stopping these creatures (and malware) in their tracks.

While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This will allow each group to specialize on their respective payload and perfect it.
So, in no particular order, here goes…

Lemonduck – LemonDuck has only been around for a couple years as a well-known botnet and cryptomining payload. It’s one of the most annoying payloads because it will use just about every infection vector in the book like COVID-themed emails, exploits, fileless powershell modules and brute force. But in 2021 LemonDuck grew more popular and even added some new features like stealing credentials, removing security protocols and even dropping more tools for follow up attacks. To make matters worse, LemonDuck will attack Linux systems as well as Windows, which is both handy and rare. It will use older vulnerabilities to compromise which can stay unpatched when victims only focus on patching the recent and popular vulns.

An interesting quirk is that LemonDuck removes other hackers from victim’s devices by eliminating competing malware infections. LemonDuck wants to be the biggest, Nastiest Malware and they even prevent new infections by patching the very vulnerabilities it used to gain access. It mines XMR because that is the friendliest hashing algorithm for consumer-grade hardware and therefore secures earns the most profits for cybercriminals. These profits are instant and are generated by the power bill of the victim over time. There is no ransom demanded, and therefore no consent or knowledge of the attack/breach is needed by the victim – making this very nasty.

REvil – REvil of course makes our list. Everyone, even those who aren’t into infosec, heard about the July Kaseya supply chain attack targeting mainly American companies right before the holiday. They also attacked countless other businesses, including global meat supplier JBS. It’s no surprise that a group with a name like REvil would make our list year after year.

You may have heard of ransomware named Gandcrab back in 2018, or Sodinokibi in 2019. Well, it’s all the same group and this year they were/are REvil. They offer ransomware as a service (Raas), which means they make the encrypting payload and facilitate the extortion leak sites on the dark web.

Affiliates will conduct the attack (however they want), use the ransomware payload and all profits are shared. Shortly after the Kaseya attack and subsequent meetings between the White House and Vladimir Putin, REvil payments and leak sites went down and the onion links no longer worked.

"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," - Advanced Intel’s Vitali Kremez
As with many nasty malwares on this list, REvil is probably not dead (their leak site on the dark web came back online in early September). After taking what is presumed to be a nice holiday break, they are turning their infrastructure back on – so expect a sequel.

Trickbot – It’s been around for a decade now as a popular banking trojan that’s evolved into one of the most widely recognized botnets in existence. Used by a large chunk of the cyber-underworld, Trickbot is linked to many ransomware groups due to its versatility and resilience. Late last fall, the DoD, Microsoft and others carried out attacks on the groups botnet and almost destroyed it. But like any good zombie, they rose again to become the leading botnet after Emotet’s shutdown.

Trickbot infections almost always lead to ransomware. Once on the machine, it moves laterally through networks, using exploits to propagate and gather as many credentials as possible. Sometimes, it takes weeks or months until all domain credentials are gathered. Once they have full control of the environment, they make sure the ransomware will do the most damage with mitigations likely to fail.

Dridex - Another very popular banking trojan and infostealer that has been around for years, Dridex is tightly linked to ransomware like Bitpaymer/Doppelpaymer/Grief. Dridex was dropped on machines from Emotet until their shutdown, but now runs its own malspam campaigns.
Once on one machine, it also moves laterally through a network to drop dridex loaders on every machine to create persistence. And just like Trickbot, Dridex takes its time gathering credentials until gaining full control. From there, they can do the most damage while preventing mitigation strategies from shutting them down.

Dridex authors have been known as the “Evil Corp” group, whose leader is wanted by the FBI for the maximum reward of $5M

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI
Conti – This ransomware group is no stranger to our Nastiest Malware list, where its graced these these pages before as the ransomware operators behind Ryuk (which uses Emotet and Trickbot). In fact, they were the FBI’s most successful ransomware group of 2019. While Conti has been deployed from RDP, it’s not usually brute-forced from unsecured RDP. Most often the credentials are grabbed or phished elsewhere, from an info stealing trojans like Trickbot or Qakbot.

These ransomware authors also operate a breach/leak site to further intimidate victims into paying ransoms. Conti made plenty of headlines and breached many large organizations in 2021, but hasn’t gone dark yet. We’ve also noticed that LockFile ransomware lists a Conti gang’s email address as a contact for payment, linking the two groups.

Cobalt Strike – Cobalt Strike is a pen testing tool designed by white hats. Its purpose is to help red teams simulate attacks so hackers can infiltrate an environment, determine its security gaps and make the appropriate changes. There are several very powerful and useful features in this tool like process injection, privilege escalation, credential and hash harvesting, network enumeration, lateral movement and more.

All these are attractive to hackers, so it’s not surprising that we’ve seen Cobalt Strike used by the bad guys OFTEN. It’s unique for us to list a tool for white hats on among our Nastiest Malware, but this tool is easy to use for scalable, customized attacks. It’s no wonder so many threat actors are adopting it as one of the tools in their arsenal.

Honorable mentions

Hello Kitty – This group gets an honorable mention because of their unique attack on VMWare ESXI using exploits. It was made famous by breaching CD Projekt RED and stealing their source code for games, most notably for CyberPunk 2077 and Witcher 3.
DarkSide – The colonial pipeline attack was the most notable attack of 2021, causing a cascading gas shortage compounded by panic buying. It reminded us how disruptive ransomware attacks can be and its surrounding hype was reminiscent of Wannacry. The RaaS group claimed it had no intention of attacking infrastructure and blamed an affiliate for the pipeline. But just a few weeks after the attack, a similar RaaS emerged called Black Matter and claimed to attack all environments BUT medical and state institutions. They also claimed that they were not the same people. But honestly, who believes that?

Gravestone (shutdown malware) – RIP [Rest in Pieces]
• Emotet – Looks to be “dead dead”
• Ragnarok – Also likely to remain six feet under

“Dead” but will absolutely return from the underworld [what creative spooky we do for this?]
• REvil – Definitely coming back rebranded
• DarkSide – Has likely already returned rebranded as Black Matter
• Maze – Returned from the dead as Egregor (not to be confused with Frankenstein’s assistant Igor)
• Bitpaymer/Doppelpaymer – This Evil Corp group haunts its victims again under the name Grief