Get The Latest Insights

By Jessica Ellis | July 23, 2021

In Q2, ransomware made headlines with multiple high-profile attacks and tactics. The largest infrastructure shutdown in U.S. history brought the East Coast to a halt, operators doubled up on ransomware strains, and reported attacks are on track to beat 2020, with numbers already surpassing Q1 by 38%.

As ransomware continues to drive data loss and fraud for enterprises and their brands, PhishLabs is monitoring payload families reported in user inboxes. Below we break down the top malware targeting enterprises in Q2.

The Qbot banking trojan was the leading payload in Q2, reported 54.1% of the time. This is a dramatic increase from last quarter, where Qbot reports were negligible. Qbot is a VM-aware banking trojan that is well-known for email thread hijacking, a technique where the malware inserts itself into previously legitimate email threads. This tactic adds credibility to attacks by convincing victims they are interacting with an existing conversation. Qbot is also known as Qakbot and has been around for more than a decade.

Q2 Payload Volume

The recent increase in Qbot may be attributed to strategic partnerships between Qbot operators and prominent ransomware families such as REvil and Egregor. However, with REvil’s infrastructure and websites now offline, it is unclear if Qbot numbers will be affected.

ZLoader had the second-highest volume in Q2, accounting for 9.52% of reported payloads. This drop follows a significant presence in Q1, where a one-day spike in activity drove ZLoader volume to almost 62% of the payloads reported. ZLoader is a popular banking trojan and malware-as-a-service (MaaS).

Formbook numbers were almost identical to ZLoader, accounting for just over 9% of malware volume. Formbook is a relatively low-cost MaaS that has been active since 2016. Formbook operators harvest information via a variety of methods including keylogging, form grabbers, and collecting screenshots.

Noticeably lacking in volume during Q2 were Trickbot, Dridex, and BazarLoader. The combined reported volume of these three families in Q1 amounted to almost 20%. In Q2, they accounted for only 3% of reported malware.

The decline in volume of well-known families could be attributed to the recent spotlight on noisy ransomware operators and their affiliates. Government authorities have dismantled or attempted to break up particularly lucrative operations such as Trickbot, Emotet, and possibly REvil. As a result, malware families concerned with drawing unwanted attention to their activities may be lying dormant as a defense mechanism.

Additional Resources: