Network Security

WatchGuard Threat Lab reports ransomware volume in Q1 2022 already double the 2021 total

Written by ga_dahmani

SEATTLE, June 28, 2022 (GLOBE NEWSWIRE) — WatchGuard® Technologies, a global leader in network security and intelligence, advanced endpoint protection, multi-factor authentication (MFA) and secure Wi-Fi, today announced the findings of its latest Quarterly Internet Security Report, detailing the top malware trends and network security threats analyzed by researchers at the WatchGuard Threat Lab. Key findings include ransomware detections in the first quarter of this year that were already double the total volume reported for all of 2021, a major resurgence of the Emotet botnet, a near tripling of attacks against the infamous Log4Shell vulnerability, legitimate crypto-mining pools showing up in malware traffic, and more.

“Based on the initial increase in ransomware this year and data from previous quarters, we predict that 2022 will break our record for annual ransomware detections,” said Corey Nachreiner, director of security at WatchGuard. “We continue to urge companies to not only commit to simple but critically important measures, but also to adopt a truly unified security approach that can quickly and efficiently adapt to growing and evolving threats.”

Other key findings from this Internet Security Report, which analyzes data from the first quarter of 2022, include:

  • Ransomware goes nuclear – Although Threat Lab’s Q4 2021 Internet Security Report found that ransomware attacks had been trending down year over year, that changed in Q1 2022 with a massive spike in ransomware detections. The number of ransomware detections in the first quarter alone has already doubled the total for all of 2021.
  • LAPSUS$ surges after REvil’s collapse – The fourth quarter of 2021 saw the fall of the infamous REvil cyber gang, which, in hindsight, opened the door for another group to emerge: LAPSUS$. WatchGuard’s Q1 analysis suggests that the LAPSUS$ extortion group, along with many new ransomware variants such as BlackCat, the first known ransomware written in the Rust programming language, could be contributing factors in an ever-increasing cyber-extortion and ransomware threat landscape.
  • Log4Shell debuts on the top 10 network attacks list – Publicly disclosed in early December 2021, the infamous Apache Log4j2 vulnerability, also known as Log4Shell, entered the top 10 network attacks list at the end of this quarter. Compared to the IPS detections recorded when the signature was added in Q4 2021, Log4Shell detections nearly tripled in Q1 this year. Featured as the top security incident in WatchGuard’s Q4 2021 Internet Security Report, Log4Shell garnered attention for its perfect 10.0 CVSS score, the highest possible criticality for a vulnerability, for its widespread use in Java programs, and for the ease with which it allows arbitrary code execution.
  • Emotet’s comeback tour continues – Despite law enforcement disruption efforts in early 2021, Emotet accounts for three of the top 10 detections and the most widespread malware this quarter, following its resurgence in Q4 2021. Trojan.Vita, which heavily targeted Japan and also appeared in the top five most widespread malware list, and Trojan.Valyria both use exploits in Microsoft Office documents to download the Emotet botnet. The third Emotet-related sample, MSIL.Mensa.4, can spread via connected storage devices and mostly targeted networks in the US. Threat Lab data indicates that Emotet acts as a dropper, downloading and installing additional payloads from a malware delivery server.
  • PowerShell scripts lead the charge in growing endpoint attacks – Overall endpoint detections for the first quarter were up approximately 38% from the previous quarter. Scripts, specifically PowerShell scripts, were the dominant attack vector. Accounting for 88% of all detections, scripts alone exceeded the total endpoint detection count reported for the previous quarter. PowerShell scripts were responsible for 99.6% of script detections in Q1, showing how attackers are moving towards fileless and living-off-the-land attacks that abuse legitimate tools. Although these scripts are the clear choice for attackers, WatchGuard data shows that other malware sources should not be overlooked.
  • Legitimate crypto-mining pools associated with malicious activity – All three new additions to the list of top malware domains in the first quarter were related to Nanopool. This popular platform aggregates cryptocurrency mining activity to provide steadier returns to miners. These are technically legitimate domains associated with a legitimate organization. However, when connections to these mining pools originate from a business or educational network, they are almost always the result of a malware infection rather than legitimate mining operations.
  • Companies still face a wide range of unique network attacks – The top 10 IPS signatures accounted for 87% of all network attacks, while unique detections reached their highest count since Q1 2019. The concentration in the top 10 indicates that automated attacks focus on a smaller subset of potential vulnerabilities rather than throwing everything including the kitchen sink at targets; the record number of unique detections, however, shows that companies are still experiencing a wide range of attacks.
  • EMEA remains a hotspot for malware threats – Overall regional detections of basic and evasive malware show that Fireboxes in Europe, the Middle East, and Africa (EMEA) saw 57% of detections, compared with 22% for North, Central, and South America (AMER) and 21% for Asia-Pacific (APAC).
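The Nanopool finding above amounts to a detection rule: a mining-pool destination on its own is a weak indicator (the domains are legitimate), but a mining-pool connection sourced from an internal business or campus address is a strong one. The following is an added example of that rule run over proxy logs; it is not WatchGuard's code and nothing in the report supplies it. The pool domain list, the internal address ranges and the log lines are constructed assumptions for illustration; a SOC would substitute its own threat-intel feed, its own ranges and real proxy or DNS logs.

```python
"""Flag internal hosts that tunnel traffic to known crypto-mining pools.

Added example, not from the WatchGuard report. Pool domains, internal
ranges and the proxy log below are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: pool domains maintained from threat intel. The report names
# Nanopool but lists no domains; these entries are illustrative only.
MINING_POOL_DOMAINS = {
    "nanopool.org",
    "supportxmr.com",
    "minexmr.com",
}

# ASSUMPTION: the address ranges of the network being defended.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed proxy log, one request per line:
#   <epoch> <source_ip> <method> <target> <status>
# CONNECT targets are host:port tunnels (how a stratum/TLS miner session
# looks through an HTTP proxy); GET targets are full URLs.
SAMPLE_LOG = """\
1650000001 10.1.4.22 CONNECT xmr-eu1.nanopool.org:14433 200
1650000002 10.1.4.22 GET http://updates.example.com/patch.bin 200
1650000003 10.1.7.9 CONNECT pool.supportxmr.com:443 200
1650000004 10.1.7.9 CONNECT pool.supportxmr.com:443 200
1650000005 203.0.113.5 CONNECT xmr-us1.nanopool.org:14433 200
1650000006 10.1.9.3 GET http://www.nanopool.org/ 200
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def dest_host(target: str) -> str:
    """Return the bare hostname from a 'host:port' tunnel target or a URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host_port = target.split("/", 1)[0]
    return host_port.rsplit(":", 1)[0].lower()


def is_pool_domain(host: str) -> bool:
    """Match the pool's apex domain or any subdomain of it.

    Stratum endpoints are normally subdomains (xmr-eu1.nanopool.org), so a
    plain equality check would miss nearly every real miner session.
    """
    return any(host == d or host.endswith("." + d) for d in MINING_POOL_DOMAINS)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_mining_hosts(log_text: str, min_hits: int = 1) -> dict:
    """Return {internal_src_ip: count of tunnelled pool connections}.

    Only CONNECT tunnels count: someone browsing the pool's public web page
    over GET is not mining, while a TLS/stratum tunnel from a workstation
    almost always is. Sources outside INTERNAL_NETS are ignored because the
    heuristic is only meaningful for the network we defend.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the job
        _ts, src, method, target, _status = m.groups()
        if not is_internal(src):
            continue
        if method != "CONNECT":
            continue
        if is_pool_domain(dest_host(target)):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for src, n in sorted(find_mining_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {n} tunnelled mining-pool connection(s)")
```

On the constructed log this flags 10.1.4.22 (one tunnel) and 10.1.7.9 (two), ignores the external source 203.0.113.5, and ignores the workstation that merely loaded the pool's website. Raising `min_hits` trades a few missed single-connection probes for fewer false positives; in practice a miner reconnects constantly, so repeated tunnels from one host are the expected signature.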

WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted in to share data in direct support of the Threat Lab’s research efforts. In the first quarter, WatchGuard blocked a total of more than 21.5 million malware variants (274 per device) and nearly 4.7 million network threats (60 per device). The full report includes details on additional malware and network trends from Q1 2022, recommended security strategies and critical defense tips for businesses of all sizes and in any industry, and more.

For a detailed look at WatchGuard’s research, read the full Q1 2022 Internet Security Report.

About WatchGuard Technologies, Inc.

WatchGuard® Technologies, Inc. is a world leader in network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. More than 17,000 security resellers and service providers rely on the company’s award-winning products and services around the world to protect more than 250,000 customers. WatchGuard’s mission is to make enterprise-grade security accessible to businesses of all types and sizes through simplicity, making WatchGuard an ideal solution for midsize businesses and distributed enterprises. The company is headquartered in Seattle, Washington, with offices in North America, Europe, Asia Pacific and Latin America. For more information, visit

For additional information, promotions, and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn company page. Also, visit our InfoSec blog, Secplicity, for real-time information on the latest threats and how to counter them. Subscribe to The 443 – Security Simplified podcast wherever you find your favorite podcasts.

WatchGuard is a registered trademark of WatchGuard Technologies, Inc. All other trademarks are the property of their respective owners.
