Top Five Malware Strains in 2024

Hackers are leveraging AI to develop new malware strains at an alarming rate. Researchers estimate that over 1,500 new variants are introduced daily.

The good news is that malware is still almost exclusively delivered via email, which makes it relatively easy to detect and defend against. While the malware landscape is continually evolving, several strains have emerged as particularly prevalent and dangerous.

Here are five of the most popular malware strains currently being used by hackers:

1. Emotet

Type: Banking Trojan and Malware Distributor

Description: Initially designed as a banking Trojan, Emotet has evolved into a highly modular and flexible threat that serves as a dropper for other types of malware. Emotet exhibits worm-like behavior, allowing it to infect entire networks by brute-forcing credentials and writing to shared drives. Furthermore, Emotet uses modular Dynamic Link Libraries to constantly adapt and extend its functionality. It typically spreads via phishing emails with malicious attachments or links, enabling it to distribute payloads such as ransomware and other Trojans. Often, hackers deliver Emotet through malicious Word documents. Since 2020, CISA has detected over 16,000 alerts related to Emotet.

Recent Attack Example: In 2023, Emotet targeted the Internal Revenue Service (IRS) with a phishing campaign. The malicious attachments, when opened, installed Emotet, which subsequently downloaded other malware such as TrickBot and Ryuk ransomware, causing significant data breaches and operational disruptions.
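Because the Emotet description above centers on Word documents arriving as email attachments, here is an added example (not code from Silent Breach or from the original post) of a simple mail-gateway triage check: it opens each attachment, identifies legacy OLE2 Office files by their header bytes, and looks inside OOXML packages for a vbaProject.bin part, which is the definitive sign that a document carries VBA macros regardless of the extension the sender chose. All sample attachments are constructed in the script.

```python
"""Flag email attachments that look like macro-bearing Office documents.

Added illustration, not Silent Breach's code. It checks the two document
forms that macro-based phishing relies on: legacy OLE2 .doc files and
OOXML (.docm/.docx) archives that carry a VBA project.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (CFBF) header
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'legacy-office', 'ooxml', or 'other' for one attachment."""
    name = filename.lower()
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: macros cannot be ruled out without a full OLE parse,
        # so treat the whole format as suspicious for mail from outside the org.
        return "legacy-office"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # A VBA project inside an OOXML package is the definitive macro
        # indicator, whatever extension the file was given.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names:
            return "ooxml"
    if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
        return "macro"
    return "other"


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage(attachments):
    """Return (filename, verdict) for attachments that should be quarantined."""
    flagged = []
    for filename, data in attachments:
        verdict = classify_attachment(filename, data)
        if verdict in ("macro", "legacy-office"):
            flagged.append((filename, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample inbox: one clean docx, one macro document with a
    # harmless-looking .docx name, one legacy .doc, and a PDF-looking blob.
    samples = [
        ("invoice.docx", build_ooxml(with_vba=False)),
        ("invoice_2.docx", build_ooxml(with_vba=True)),
        ("statement.doc", OLE2_MAGIC + b"\x00" * 504),
        ("report.pdf", b"%PDF-1.7\n"),
    ]
    for name, verdict in triage(samples):
        print(f"{name}: {verdict}")
```

The check deliberately trusts file contents over file names: a macro document renamed to .docx is still caught by the vbaProject.bin part, while a legacy binary .doc is quarantined wholesale because confirming the absence of macros there needs a full OLE parser.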

2. Ryuk

Type: Ransomware

Description: Ryuk is a sophisticated ransomware strain known for targeting large organizations and demanding high ransom payments. It is often delivered through phishing emails, compromised Remote Desktop Protocol (RDP) connections, or other malware like TrickBot. Ryuk encrypts files on infected systems, making them inaccessible until a ransom is paid.

Recent Attack Example: In late 2023, Universal Health Services (UHS), a major healthcare provider, suffered a Ryuk ransomware attack. The attackers compromised an RDP connection to deploy Ryuk, which encrypted critical patient data and systems, leading to a multi-million-dollar ransom payment to restore operations and data access.
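The Ryuk description and the UHS example both point at compromised RDP connections as the way in. As an added example (not Silent Breach's code or part of the original post), the script below shows the detection logic a SOC would run over Windows Security events for that vector: a burst of failed logons (Event ID 4625) from one source address followed, within a short window, by a successful RemoteInteractive logon (Event ID 4624, LogonType 10) from the same address. The event lines are constructed samples in a simplified key=value shape, not real log exports; the threshold and window values are assumptions to tune per environment.

```python
"""Spot a brute-forced RDP logon in Windows Security events.

Added illustration, not Silent Breach's code. Input is a list of constructed
event records carrying the fields of 4625 (failed logon) and 4624
(successful logon); a run of failures from one source address followed by a
LogonType 10 (RemoteInteractive, i.e. RDP) success from the same address is
the pattern this flags.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failures per source before a success is suspicious (assumed)
WINDOW = timedelta(minutes=10)   # how far back failures are considered (assumed)
RDP_LOGON_TYPE = 10              # RemoteInteractive logon type used by RDP


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' event line into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def find_bruteforced_rdp_logons(lines):
    """Return (source_ip, account, time) for each RDP success preceded by a failure burst."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    failures = defaultdict(list)    # source ip -> timestamps of its 4625 events
    alerts = []
    for ev in events:
        src = ev["IpAddress"]
        if ev["EventID"] == 4625:
            failures[src].append(ev["time"])
            continue
        if ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE:
            # Only failures inside the window count, so old noise does not
            # turn every later logon from that address into an alert.
            recent = [t for t in failures[src] if ev["time"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append((src, ev["TargetUserName"], ev["time"]))
    return alerts


# Constructed sample: six password failures from 203.0.113.7, then an RDP
# success for the same account; 198.51.100.4 is a normal user logging in once.
SAMPLE_EVENTS = [
    "time=2024-03-01T08:00:%02d EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin" % s
    for s in range(0, 60, 10)
] + [
    "time=2024-03-01T08:01:30 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin",
    "time=2024-03-01T08:02:00 EventID=4624 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jdoe",
]

if __name__ == "__main__":
    for src, user, when in find_bruteforced_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: RDP logon for {user} from {src} at {when} after repeated failures")
```

Keying the failure history by source address rather than by account is what catches password spraying as well as a single-account brute force; in a real deployment the same logic runs over the 4624/4625 fields pulled from the Security log by a SIEM, and the alert is the cue to check whether that address should be reaching the RDP service at all.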

3. TrickBot

Type: Banking Trojan and Modular Malware

Description: TrickBot started as a banking Trojan but has developed into a versatile malware with numerous modules that can perform various malicious activities, such as credential theft, reconnaissance, and acting as a dropper for other malware, including ransomware like Ryuk. TrickBot was developed by the Russia-based group Wizard Spider, which is also known for its use of Emotet.

Recent Attack Example: In early 2024, BancoEstado, a large financial institution in Chile, was targeted by a TrickBot attack. The initial infection occurred through a spear-phishing campaign, allowing TrickBot to harvest credentials and gain access to sensitive financial systems. The malware also facilitated the deployment of Ryuk ransomware, causing significant disruptions and data encryption.

4. Sodinokibi (REvil)

Type: Ransomware-as-a-Service (RaaS)

Description: REvil, also known as Sodinokibi, is a prominent ransomware strain that operates as a RaaS, allowing affiliates to distribute the ransomware in exchange for a share of the profits. It encrypts victims' files and demands ransom payments, often threatening to release stolen data if the ransom is not paid.

Recent Attack Example: In 2024, Cognizant, a major global IT services company, was hit by a REvil ransomware attack. The attackers exploited a vulnerability in remote access software used by Cognizant's clients, deploying REvil across multiple customer environments. The attack encrypted critical data and demanded large ransoms in cryptocurrency, severely impacting operations and causing significant financial losses.

5. Qbot (QakBot)

Type: Banking Trojan and Malware Dropper

Description: Qbot, also known as QakBot, is a banking Trojan that has been active for over a decade. It is known for its persistence and ability to evolve. Qbot can steal banking credentials, log keystrokes, and deploy additional malware. It often spreads through phishing campaigns and exploits vulnerabilities in outdated software.

Recent Attack Example: In 2023, the City of Torrance in California was attacked by Qbot malware. Phishing emails with malicious links led to the installation of Qbot on municipal computers. Qbot harvested credentials and spread through the network, eventually enabling a ransomware attack that encrypted important municipal data, disrupting city services and operations.

Conclusion

These malware strains are popular among cybercriminals due to their effectiveness, versatility, and profitability. They often leverage sophisticated techniques to evade detection, making them significant threats to organizations and individuals alike. Staying informed about these threats and employing robust cybersecurity measures is crucial in defending against them.

Would you like to protect your organization from malware, but aren’t sure where to start? Silent Breach offers a full range of malware protection and advisory services to meet your needs. Contact us for a same-day quote.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.