McAfee Labs Threats Report

June 2021 (06.21)

Table of Contents

3  Letter from Our Chief Scientist
4  Ransomware: From Babuk to DarkSide and Beyond
   4  Q1 2021 New Ransomware Chart
   5  Daily, Weekly, Monthly Ransomware Charts
   7  Top Ransomware Families and Techniques
   7  Unique Ransomware Families
   8  Ransomware Coverage and Protection
9  McAfee Global Threat Intelligence
   9  File by Country Charts
   10 Queries and Detections
11 Threats to Sectors and Vectors
   11 Publicly Disclosed Security Incidents by Continent
   12 Publicly Disclosed Security Incidents by Country
   13 Publicly Disclosed Security Incidents by Industry
   14 Publicly Disclosed Security Incidents by Vectors
15 Malware Threats Statistics
20 TOP MITRE ATT&CK TECHNIQUES APT/CRIME
23 Resources
   23 McAfee Labs and Researchers on Twitter
24 About McAfee
24 About McAfee Labs and Advanced Threat Research

2 McAfee Labs Threats Report, JUNE 2021 REPORT

Writing and Research

Christiaan Beek
Mo Cashman
John Fokker
Melissa Gaffney
Steve Grobman
Tim Hux
Niamh Minihane
Lee Munson
Chris Palm
Tim Polzer
Thomas Roccia
Raj Samani
Craig Schmugar

Letter from Our Chief Scientist

What a 2021 we have had thus far. In this report we introduce additional context into the biggest stories dominating the year thus far and we can look no further than recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.

This Threats Report provides a deep dive into ransomware, in particular DarkSide, which has resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that makes digital investigations challenging, with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.

That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.

This dashboard shows that—beyond the headlines—many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us it’s fair to say that we need more global initiatives to help combat this threat.

We hope you enjoy this Threats Report. Please stay safe.

—Raj Samani, McAfee Fellow, Chief Scientist

Twitter @Raj_Samani


Ransomware: From Babuk to DarkSide and Beyond

While the DarkSide Ransomware-as-a-Service (RaaS) attack on Colonial Pipeline held recent headlines hostage in Q2 2021, the ransomware activity story actually went deeper in the first quarter of the year. Babuk, Conti, Ryuk, and REvil preceded DarkSide in establishing 2021 ransomware trends.

We observed that “smaller” ransomware campaigns decreased in Q1 while the Ransomware-as-a-Service campaigns targeted and breached larger organizations and companies. The number of Q1 samples dropped as more attackers shifted from mass-spread campaigns toward fewer, but more lucrative, targets. Most of these larger, targeted victims received a custom-created variant of the ransomware family at a low volume.

Here’s a breakdown of McAfee Labs Ransomware research and findings from Q1 of 2021:

Q1 2021 New Ransomware Chart

[Chart: New Ransomware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 5.12M, 3.02M, 2.27M, 2.51M, 1.42M, 1.25M, 1.29M.]

Source: McAfee Labs, 2021.

Figure 1. While unique ransomware detected in Q1 2021 decreased 50% compared to Q4 2020 detections—in part following a drop in Cryptodefense—ransomware remained one of the most serious threats to larger organizations and businesses in Q1 and Q2 2021.


Daily, Weekly, Monthly Ransomware Charts

Ransomware Detections, Daily (Q1 2021)

1/1/21 499; 1/2/21 484; 1/3/21 1,028; 1/4/21 1,499; 1/5/21 1,024; 1/6/21 877; 1/7/21 642
1/8/21 336; 1/9/21 773; 1/10/21 808; 1/11/21 597; 1/12/21 2,956; 1/13/21 2,135; 1/14/21 5,116
1/15/21 3,507; 1/16/21 1,364; 1/17/21 2,204; 1/18/21 1,971; 1/19/21 2,633; 1/20/21 1,973; 1/21/21 1,894
1/22/21 204; 1/23/21 2,824; 1/24/21 1,732; 1/25/21 381; 1/26/21 2,271; 1/27/21 4,415; 1/28/21 244
1/29/21 2,756; 1/30/21 1,682; 1/31/21 2,328; 2/1/21 2,187; 2/2/21 2,997; 2/3/21 2,244; 2/4/21 1,698
2/5/21 3,053; 2/6/21 1,043; 2/7/21 1,449; 2/8/21 2,571; 2/9/21 1,714; 2/10/21 2,373; 2/11/21 1,726
2/12/21 226; 2/13/21 112; 2/14/21 1,572; 2/15/21 1,736; 2/16/21 1,915; 2/17/21 2,766; 2/18/21 2,005
2/19/21 1,692; 2/20/21 1,909; 2/21/21 1,898; 2/22/21 2,821; 2/23/21 2,776; 2/24/21 3,924; 2/25/21 2,342
2/26/21 2,213; 2/27/21 1,848; 2/28/21 2,374; 3/1/21 2,751; 3/2/21 308; 3/3/21 2,114; 3/4/21 2,139
3/5/21 173; 3/6/21 1,719; 3/7/21 2,126; 3/8/21 2,647; 3/9/21 2,818; 3/10/21 2,607; 3/11/21 2,487
3/12/21 2,842; 3/13/21 1,544; 3/14/21 2,372; 3/15/21 1,852; 3/16/21 1,365; 3/17/21 2,167; 3/18/21 2,999
3/19/21 1,671; 3/20/21 1,548; 3/21/21 1,967; 3/22/21 2,232; 3/23/21 1,508; 3/24/21 5,284; 3/25/21 5,634
3/26/21 2,006; 3/27/21 202; 3/28/21 1,114; 3/29/21 1,526; 3/30/21 1,153

Source: McAfee Labs, 2021.

Figure 2. A snapshot of ransomware detected among McAfee clients in Q1 2021 includes a daily high of 5,634 detections on March 25 and an average of 2,417 detections per day during the last week of March.


Ransomware Detections, Weekly (Q1 2021, by week of)

1/1/21    2,011
1/3/21    6,179
1/10/21  16,483
1/17/21  13,703
1/24/21  13,481
1/31/21  15,550
2/7/21   10,171
2/14/21  13,595
2/21/21  17,822
2/28/21  11,578
3/7/21   17,071
3/14/21  13,974
3/21/21  18,833
3/28/21   3,793

Source: McAfee Labs, 2021.

Figure 3. The most ransomware detections (18,833) in Q1 2021 were recorded in the week of 3/21-3/27.

Ransomware Detections, Monthly (Q1 2021)

January 2021   53,157
February 2021  57,184
March 2021     60,965

Source: McAfee Labs, 2021.

Figure 4. The greatest number of Q1 ransomware detections was recorded in March.
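The weekly totals of Figure 3, the monthly totals of Figure 4 and the averages quoted in the captions can all be re-derived from the daily series of Figure 2. The following Python is an added illustration, not McAfee Labs code; it embeds the daily data labels transcribed from Figure 2 and assumes, as the week-start dates in Figure 3 indicate, that weeks begin on Sunday.

```python
"""Re-derive the weekly/monthly ransomware-detection aggregates (Figures 3 and 4)
from the daily series of Figure 2. Added illustration, not McAfee Labs code."""
from datetime import date, timedelta

# Daily ransomware detections among McAfee clients, transcribed from Figure 2.
# One list per month, index 0 = the 1st of the month; the March series ends on the 30th.
_JAN = [499, 484, 1028, 1499, 1024, 877, 642, 336, 773, 808, 597, 2956, 2135, 5116,
        3507, 1364, 2204, 1971, 2633, 1973, 1894, 204, 2824, 1732, 381, 2271, 4415,
        244, 2756, 1682, 2328]
_FEB = [2187, 2997, 2244, 1698, 3053, 1043, 1449, 2571, 1714, 2373, 1726, 226, 112,
        1572, 1736, 1915, 2766, 2005, 1692, 1909, 1898, 2821, 2776, 3924, 2342, 2213,
        1848, 2374]
_MAR = [2751, 308, 2114, 2139, 173, 1719, 2126, 2647, 2818, 2607, 2487, 2842, 1544,
        2372, 1852, 1365, 2167, 2999, 1671, 1548, 1967, 2232, 1508, 5284, 5634, 2006,
        202, 1114, 1526, 1153]

DAILY = {}
for _month, _values in ((1, _JAN), (2, _FEB), (3, _MAR)):
    for _day, _count in enumerate(_values, start=1):
        DAILY[date(2021, _month, _day)] = _count


def week_start(d: date) -> date:
    """Figure 3 buckets detections into weeks beginning on Sunday (1/3/21, 1/10/21,
    ... are all Sundays). Python's weekday() has Monday=0, Sunday=6, so the number of
    days since the preceding Sunday is (weekday + 1) % 7."""
    return d - timedelta(days=(d.weekday() + 1) % 7)


def weekly_totals(daily=DAILY):
    """Sum the daily series per Sunday-start week, keyed by the week's first day.
    1/1/21 and 1/2/21 land in the partial week that starts on Sunday 12/27/20."""
    totals = {}
    for d, n in daily.items():
        totals[week_start(d)] = totals.get(week_start(d), 0) + n
    return totals


def monthly_totals(daily=DAILY):
    """Sum the daily series per (year, month)."""
    totals = {}
    for d, n in daily.items():
        totals[(d.year, d.month)] = totals.get((d.year, d.month), 0) + n
    return totals


def peak_day(daily=DAILY):
    """(date, count) of the busiest day; Figure 2 quotes March 25 with 5,634."""
    return max(daily.items(), key=lambda kv: kv[1])


def trailing_average(days: int = 7, daily=DAILY) -> int:
    """Mean detections over the last `days` entries of the series, rounded. Over
    3/24-3/30 this gives the 2,417 per day quoted for the last week of March."""
    counts = list(daily.values())[-days:]
    return round(sum(counts) / len(counts))


if __name__ == "__main__":
    for start, total in weekly_totals().items():
        print(f"week of {start:%m/%d/%y}: {total:,}")
    for (year, month), total in monthly_totals().items():
        print(f"{year}-{month:02d}: {total:,}")
    print("peak day:", peak_day(), "trailing 7-day average:", trailing_average())
```

Two printed values are not reproduced this way: the 1/1/21 bucket of Figure 3 (2,011 is the sum of 1/1 through 1/3, whereas Sunday-start weeks put 1/3 in the next bucket) and the March total of Figure 4 (60,965; the daily labels, which stop at 3/30, sum to 62,875).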


Top Ransomware Families and Techniques

Ransomware-related malware families detected in Q1 2021 (detections):

Ransom:W32/REvil (1,358)
Ransom:Win/RansomeXX (225)
Ransom:W32/Ryuk (160)
Ransom:W32/NetWalker (81)
Ransom:W32/Thanos (56)
Ransom:W32/MountLocker (50)
Ransom:W32/WastedLocker (47)
Ransom_Exc0rcist (45)
Ransom:W32/Conti (28)
Ransom:W32/Maze (18)
Ransom:Win/Babuk (13)
Ransom:W32/Suncrypt (12)
Ransom/W32_DarkSide (3)
Ransom/W32_Clop (1)

Figure 5. Ransomware-related malware families detected in Q1 of 2021 reveal the prevalence of REvil, RansomeXX, and Ryuk prior to DarkSide’s headline-grabbing hack of Colonial Pipeline’s systems in May of Q2.

Unique Ransomware Families

[Chart: Unique Ransomware Families, October 2020 to March 2021; y-axis: amount of unique ransomware families counted; stacked by the families listed in Figure 5. Data labels as extracted: 20, 19, 20, 17, 16, 11, 9, of which one 20 is an axis tick.]

Source: McAfee Labs, 2021.

Figure 6. The number of unique ransomware families decreased from 19 in January 2021 to 9 in March 2021, following the Q1 trend of fewer campaigns targeting larger organizations and businesses with potentially more lucrative ransoms.


Ransomware Coverage and Protection

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

McAfee is a proud partner of the Ransomware Task Force, which released details on how ransomware attacks are occurring and countermeasures that should be taken. As many of us have published, presented on, and released research upon, it is time to act.

McAfee Global Threat Intelligence

Based on activity from millions of sensors world-wide and an extensive research team, McAfee Labs publishes timely, relevant threat activity via McAfee Global Threat Intelligence (GTI). This always-on, cloud-based threat intelligence service enables accurate protection against known and fast-emerging threats by providing threat determination and contextual reputation metrics. McAfee GTI integrates directly with our security products, protecting against emerging threats to reduce operational efforts and time between detection and containment. Here are notable statistics from Q1 2021.

File by Country Charts

[Chart: File Detection Rate % of Top 20 Countries (based on query volume) for Consumer and Enterprise. Scatter plot; x-axis log(Query Volume), y-axis log(File Detection Rate %). Country file detection rates as labelled: Russia 13.38%, Turkey 4.8%, Italy 1.27%, China 1.26%, Poland 1.19%, India 1.02%, Germany 0.94%, Spain and Singapore 0.7% and 0.62% (pairing not recoverable from the extracted labels), Brazil 0.66%, Canada and Netherlands 0.51% and 0.42% (likewise), France 0.47%, Mexico 0.43%, Belgium 0.41%, South Korea 0.39%, Australia 0.39%, United Kingdom 0.35%, United States 0.31%, Japan 0.14%.]

Source: McAfee Labs, 2021.

Figure 7. In Q1 2021, the United States had the highest query volume of 775 billion queries with a low detection rate of 0.31%. Of the 55 billion GTI queries in Russia, malware was detected 13.38% of the time, resulting in Russian customers experiencing the highest detection rate of malware among the top 20 countries. Turkey had the biggest change from the previous quarter with a reduction in detection rate from 9.76% to 4.8% and a query volume of 19 billion. Japan had the lowest detection rate of the countries in the top 20 which was 0.14% and a high number of queries with 165 billion. China had a detection rate of 1.26% and the second highest query volume of 199 billion.


Queries and Detections

Percentage of Overall GTI Detections (Q1 2021)

File     0.99%
IP       0.43%
URL      0.15%
Overall  0.58%

Source: McAfee Labs, 2021.

Figure 8. In Q1 2021, the daily average of file detections was 252 million (0.99% detection rate), which increased from 243 million (1.03%) in Q4 2020. In Q1, the daily average of URL detections was 26 million (0.15% detection rate), which decreased from 35 million (0.21%) in Q4. The daily average of IP detections in Q1 was 79 million (0.43% detection rate), which increased from 63 million (0.34%) in Q4.


Threats to Sectors and Vectors

The volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021.

Notable sector increases and decreases from Q4 2020 to Q1 2021 include:

• Technology 54%
• Education 46%
• Finance/Insurance 41%
• Wholesale & Retail -76%
• Public Administration -39%

Publicly Disclosed Security Incidents by Continent

Publicly Disclosed Security Incidents by Continent (number of reported breaches)

Continent       Q4 2019  Q1 2020  Q2 2020  Q3 2020  Q4 2020  Q1 2021
North America       141      227      160      191      252      219
Multiple            118      167      224      103      167      153
Europe               42       39       57       36       72      103
Asia                  7        7       38       13       24       37
Australia             2        7       10        8        8       11

Source: McAfee Labs, 2021.

Figure 9. Publicly disclosed incidents increased in Asia (54%) and Europe (43%) from Q4 2020 to Q1 2021, while decreasing 13% in North America.


Publicly Disclosed Security Incidents by Country

Targeted Countries (number of reported incidents; columns Q4 2019, Q1 2020, Q2 2020, Q3 2020, Q4 2020, Q1 2021; where fewer than six labels were extracted, the quarter assignment is not recoverable)

U.S.            135  218  148  184  235  201
Multiple        118  167  224  103  167  153
N/A              16   11   16    8   18   30
Great Britain    11   17   22   26   26   31
Italy            11    7   11   10    5
France            9    6    6   19   35
India             7    7   12    7   15    9
Canada            6    9   12    7   17   12
Spain             6    4
Germany           5    9    7   17   10
Australia         7   10    8
Portugal          6
Japan             6
Israel            9    4

Source: McAfee Labs, 2021.

Figure 10. Notable increases from Q4 2020 to Q1 2021 include France (84%) and Great Britain (19%). Incidents in the United States decreased 14%. Incidents in the U.S. comprised 40% of incidents observed in the top 10 countries.


Publicly Disclosed Security Incidents by Industry

Targeted Industry Sectors (number of reported incidents; columns Q4 2019, Q1 2020, Q2 2020, Q3 2020, Q4 2020, Q1 2021; where fewer than six labels were extracted, the quarter assignment is not recoverable)

Individual                   61   97   83   34   62   65
Multiple Industries          50   97  122   77  118  105
Public                       45   78   56   45   87   53
Healthcare                   42   44   40   65   70   69
Education                    27   36   26   61   39   57
Finance/Insurance            28   36   35   33   27   38
Manufacturing                16   23   21   18   31   23
Technology                   27   22   42   17   34   52
Retail/Wholesale             13   20   14   33    8
Entertainment                13   15   17   24   15
Information/Communication    21
Other Service Activities     11

Source: McAfee Labs, 2021.

Figure 11. Disclosed incidents targeting technology surged 54% from Q4 2020 to Q1 2021. Other notable industry increases include Education (46%) and Finance/Insurance (41%).


Publicly Disclosed Security Incidents by Vectors

Attack Vectors (number of reported incidents; columns Q4 2019, Q1 2020, Q2 2020, Q3 2020, Q4 2020, Q1 2021; where fewer than six labels were extracted, the quarter assignment is not recoverable)

Malware                        153  204  195  190  272  194
Account Hijacking               55   94   94   64   83    2
Targeted Attack                 42   57   50   37   53   38
Unknown                         41   53   80   54  106  133
Malicious                       24
Vulnerability                   17   30   22   16   32   81
DDoS                            12   12   13   12   12    8
PoS Malware                      5
Spam                             5   22    8
SQLi                             4    8
Malicious Script                16   16   10   19    4
Business Email                   9    7
Misconfiguration                 8    5   12   14
Fake Social Network Accounts     6    7   10
Zoom Bombing                     6
Credential Stuffing              6    3

Source: McAfee Labs, 2021.

Figure 12. New Fake Social Network Account vectors increased 43% from Q4 2020 to Q1 2021. Targeted Attacks rose 28%. Notable vector decreases include Vulnerabilities (-153%), Account Hijacking (-98%), and Malicious Script (-79%).


Malware Threats Statistics

The first quarter of 2021 saw notable increases in several threat categories:

• Coin Miner malware increased 117%, primarily due to growth in 64-bit coin miner applications
• Internet of Things (IoT) malware surged 55% due to Mirai
• [category missing in source] rose 38% along with the increase in Mirai

The first quarter of 2021 also was notable for decreases in several threat categories:

• New PowerShell malware was down 89% due to the drop in Donoff
• New Office malware decreased 87%, also due to the drop in Donoff
• MacOS malware decreased 70% due to the drop in EvilQuest
• Ransomware fell 50% due to the drop in Cryptodefense

New Malicious Signed Binaries

[Chart: New Malicious Signed Binaries, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 1.2M, 931K, 746K, 699K, 694K, 584K, 536K.]

Source: McAfee Labs, 2021.

New Mac OS Malware

[Chart: New Mac OS Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 1.2M, 18.5K, 10K, 14.8K, 27.7K, 37.9K, 10.9K.]

Source: McAfee Labs, 2021.


New [category label not recoverable] Malware

[Chart: New malware by quarter Q3 2019 to Q1 2021; the category in the title was lost in extraction. Data labels as extracted: 149K, 119K, 106K, 98K, 90K, 72K, 77K.]

Source: McAfee Labs, 2021.

New iOS Malware

[Chart: New iOS Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 3,249; 756; 758; 678; 618; 188; 389.]

Source: McAfee Labs, 2021.

New Mobile Malware

[Chart: New Mobile Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 3.36M, 2.34M, 1.48M, 1.54M, 1.35M, 804K, 863K.]

Source: McAfee Labs, 2021.


New Exploit Malware

[Chart: New Exploit Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 514K, 539K, 239K, 190K, 206K, 198K, 214K.]

Source: McAfee Labs, 2021.

New Coin Miner Malware

[Chart: New Coin Miner Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 6.05M, 4.92M, 4.02M, 3.78M, 3.64M, 4.28M, 2.79M.]

Source: McAfee Labs, 2021.

New IoT Malware

[Chart: New IoT Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 82K, 79K, 73K, 65K, 54K, 53K, 46K.]

Source: McAfee Labs, 2021.


New Office Malware

[Chart: New Office Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 12.83M, 4.29M, 3.45M, 190K, 332K, 1.70M, 1.62M.]

Source: McAfee Labs, 2021.

New JavaScript Malware

[Chart: New JavaScript Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 6.27M, 5.03M, 2.99M, 2.42M, 2.2M, 2.06M, 1.94M.]

Source: McAfee Labs, 2021.

New PowerShell Malware

[Chart: New PowerShell Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 12.6M, 4.1M, 3.4M, 81K, 196K, 1.5M, 1.4M.]

Source: McAfee Labs, 2021.


New Malware

[Chart: New Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 87.6M, 84.9M, 75.8M, 77.0M, 67.6M, 55.0M, 49.2M.]

Source: McAfee Labs, 2021.

Total Malware

[Chart: Total Malware, by quarter Q3 2019 to Q1 2021. Data labels as extracted: 1.42B, 1.51B, 1.34B, 1.26B, 1.16B, 1.21B, 1.08B.]

Source: McAfee Labs, 2021.


TOP MITRE ATT&CK TECHNIQUES APT/CRIME

Tactics, top 5 techniques per tactic, and comments (Q1 2021):

Tactic: Initial Access
Top techniques: Spearphishing Link; Spearphishing Attachment; Exploit Public-Facing Application; Phishing
Comments: Spear phishing (link and attachment) moved back into the top 5 used techniques, closely followed by Exploit Public-Facing Application. Exploit Public-Facing Application remained in the top 3 Initial Access techniques due to the major Exchange vulnerabilities being released, which affected thousands of organizations worldwide.

Tactic: Execution
Top techniques: Windows Command Shell; Malicious File; PowerShell; User Execution; Visual Basic
Comments: Command line and scripting interpreter usage, such as Windows Command Shell and PowerShell, were the top techniques used by adversaries to execute their payloads. Command line scripts are often incorporated into pentesting frameworks like Cobalt Strike for additional ease of execution. For User Execution, an adversary may rely upon specific actions by a user in order to gain execution of a malicious binary; this technique is often linked to the Initial Access technique (Spear) Phishing.

Tactic: Persistence
Top techniques: Windows Service; Registry Run Keys / Startup Folder; Scheduled Task; Web Shell; DLL Side-Loading

Tactic: Privilege Escalation
Top techniques: Windows Service; Process Injection; Registry Run Keys / Startup Folder; Scheduled Task; Process Hollowing
Comments: Process injection remains one of the top Privilege Escalation techniques.

Tactic: Defense Evasion
Top techniques: Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Packing; Process Injection; File Deletion; Modify Registry

Tactic: Credential Access
Top techniques: Keylogging; Credentials from Web Browsers; Brute Force; OS Credential Dumping; Credentials from Password Stores
Comments: Common open-source pentest tools like LaZagne and Grabff, and most RAT tools, have the ability to extract credentials from web browsers. The usage of LaZagne and Grabff has been observed in various ransomware attacks in Q1 2021.

Tactic: Discovery
Top techniques: System Information Discovery; File and Directory Discovery; Process Discovery; System Network Configuration Discovery; System Owner/User Discovery

Tactic: Lateral Movement
Top techniques: Remote File Copy; Remote Desktop Protocol; SMB/Windows Admin Shares; Exploitation of Remote Services; SSH

Tactic: Collection
Top techniques: Data from Local System; Screen Capture; Keylogging; Archive Collected Data; Clipboard Data

Tactic: Command and Control
Top techniques: Web Protocols; Ingress Tool Transfer; Standard Encoding; Symmetric Cryptography; Application Layer Protocol

Tactic: Exfiltration
Top techniques: Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Automated Exfiltration; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration to Cloud Storage
Comments: Tools like MEGAsync and Rclone are commonly used by adversaries to exfiltrate sensitive data from a victim’s network to cloud storage. Both tools were utilized by multiple ransomware groups like REvil, Conti and DarkSide.

Tactic: Impact
Top techniques: Data Encrypted for Impact; Resource Hijacking; Service Stop; System Shutdown/Reboot; Direct Network Flood

Table 1. Notes from the Top MITRE ATT&CK Techniques APT/Crime from Q1 2021: Spear Phishing moved back into the top 5 used techniques. It was closely followed by Exploit Public-Facing Application, which remained in the top 3 Initial Access techniques due to the release of major Microsoft Exchange vulnerabilities and the thousands of affected organizations worldwide. Command line and scripting interpreter usage, such as Windows Command Shell and PowerShell, were the most frequently used techniques by adversaries to execute their payloads. Command line scripts are often incorporated into pentesting frameworks such as Cobalt Strike for additional ease of execution. An adversary may rely upon specific actions by a user to gain execution of a malicious binary. This technique is often linked to the Initial Access technique (Spear) Phishing. Process injection remains one of the top Privilege Escalation techniques. Common open source pentest tools such as LaZagne, Grabff and most RAT tools have the ability to extract credentials from web browsers. The usage of LaZagne and Grabff has been observed in various ransomware attacks in Q1 2021. Tools such as MEGAsync and Rclone are commonly used by adversaries to exfiltrate sensitive data from a victim’s network to cloud storage. Both tools were utilized by multiple ransomware groups like REvil, Conti and DarkSide. The Data Encrypted for Impact technique can almost solely be attributed to ransomware, one of the top cyber threats of Q1 2021.


Resources

To keep track of the latest threats and research, see these McAfee resources:

McAfee COVID-19 Dashboard—Updated COVID-19 related malicious file detections including countries, verticals, and threat types.

MVISION Insights Preview Dashboard—Explore a preview of the only proactive solution to stay ahead of emerging threats.

McAfee Threat Center—Today’s most impactful threats have been identified by our threat research team.

McAfee Labs and Researchers on Twitter

McAfee Labs

Raj Samani

Christiaan Beek

John Fokker

Steve Povolny

Eoin Carroll

Thomas Roccia

Douglas McKee


About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

www..com

About McAfee Labs and Advanced Threat Research

McAfee Labs, led by McAfee Advanced Threat Research, is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

www.mcafee.com/enterprise/en-us/threat-center/mcafee-labs.html

Subscribe to receive our Threat Information.

6220 America Center Drive, San Jose, CA 95002
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2021 McAfee, LLC. 4752_0621 JUNE 2021
