Picus Security Red Report: 2021 malware variants are more sophisticated, more evasive and more likely to encrypt data

San Francisco US, 1st December 2021 – Picus Security, the pioneer of Breach and Attack Simulation (BAS) technology, today announced the release of its 2021 Red Report. The report is a comprehensive analysis of attacker behavior and highlights the top 10 most widely seen attack techniques over the last 12 months

In compiling its research, Picus analyzed more than 200,000 malware samples to identify the behaviors they exhibit. In total, the company’s researchers observed 2.2 million malicious actions, which they mapped to the MITRE ATT&CK framework, a widely used knowledge base of adversary tactics and techniques

The Red Report 2021 Top Ten list of the most common ATT&CK techniques demonstrates how cybercriminals have shifted towards ransomware over the last 12 months. In addition to being more likely to encrypt a target’s data, it shows that malware variants in 2021 are increasingly sophisticated and evasive, making it harder to detect and respond to them.

Key findings of the Red Report 2021 include:

• Malware is rapidly becoming more sophisticated. In 2020, Picus reported that, on average, 9 malicious actions were exhibited by a single malware file, a figure which has risen to 11 actions per file in 2021.
• 2021 has seen a spike in malicious malware designed to encrypt a target’s data. The ATT&CK technique ‘Data Encrypted for Impact’ enters the Red Report Top Ten for the first time, with one in five malware variants now able to encrypt files.
• Five of the top ten techniques observed by Picus are categorized under ATT&CK’s “Defense Evasion” tactic. Two-thirds of malware files include at least one such technique, underlining attackers’ determination to avoid detection.
• 5% of malware files analyzed in the report exhibit virtualization/sandbox evasion tactics.  These malware variants can change their behavior in a virtual machine environment (VME) or sandbox, which helps them evade detection and analysis.
• ‘Command and Scripting Interpreter’ is the most prevalent ATT&CK technique observed by Picus, exhibited by a quarter of all malware samples analyzed. This demonstrates the extent to which attackers are abusing legitimate applications like PowerShell to execute their commands, rather than creating custom tools.

Picus’ in-depth analysis of hundreds of thousands of real-world threat samples were collected from a wide variety of sources, including commercial and open-source threat intelligence services, security vendors, researchers, malware sandboxes, and forums.

"Variant has become a word that strikes panic into most people, but security teams have been concerned by the threat of new malware variants for years,” said Dr. Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs.

“The 2021 Red Report top ten highlights the proliferation of ransomware and the extent to which attackers continue to vary their approach, including using defense evasion and other sophisticated techniques to achieve their objectives.”

“Only by adopting a threat-centric approach can organizations fully understand how prepared they are to defend against the most common attack techniques and develop the capabilities needed to prevent, detect and respond to them continuously.”

The findings of the Red Report will be discussed in more detail at SOCReload 2021, Picus Security’s virtual event for security professionals which is taking place on 1^st December from 14.00 GMT. The theme of this year’s event is ‘The Modern SOC’ and features speakers from organizations including SANS, MCAFEE, VMWARE, DARKTRACE, SECURONIX, CISCO TALOS and more.

Notes for editors

Between October 2020 - October 2021, Picus Labs analyzed 231,507 unique files. 204,954 of these files (89%) were categorized as malicious. 2,197,025 actions were extracted from these files and mapped to 1,871,682 MITRE ATT&CK techniques. To compile the Red Report 2021 Top Ten, Picus Labs researchers determined how many malicious files in the dataset exhibited each technique. 

The Picus Red Report 2021 Top Ten is as follows:

1. T1059 Command and Scripting Interpreter
Execution technique present in 26% of malware files

Between October 2020 - October 2021, Picus Labs analyzed 231,507 unique files. 204,954 of these files (89%) were categorized as malicious. 2,197,025 actions were extracted from these files and mapped to 1,871,682 MITRE ATT&CK techniques. To compile the Red Report 2021 Top Ten, Picus Labs researchers determined how many malicious files in the dataset exhibited each technique. 

2. T1055 Process Injection
Defense, evasion and privilege Escalation technique present in 21% of malware files

The injection of code into processes in order to evade process-based defenses and/or elevate privileges. Execution via process injection can evade security controls since the execution is masked under a legitimate process.

3. T1486 Data Encrypted for Impact
Impact technique present in 19% of malware files

The encryption of a target’s data in order to interrupt availability to system and network resources.  Ransomware operators use this technique to extract money from victims in exchange for decryption.

4. T1218 Signed Binary Proxy Execution
Defense and evasion techniques present in 16% of malware files

The use of trusted digital certificates to bypass the process and/or signature-based defenses.

5. T1003 OS Credential Dumping
Credential access technique present in 14% of malware files

The dumping of credentials to obtain account login and credential material. Credentials can then be used to perform lateral movement and access restricted information

6. T1027 Obfuscated Files or Information
Defense and evasion technique present in 14% of malware files

The dumping of credentials to obtain account login and credential material. Credentials can then be used to perform lateral movement and access restricted information.

7. T1003 Scheduled Task/Job
Execution, persistence and Privilege Escalation technique present in 10% of malware files

The abuse of task scheduling functionality to facilitate initial or recurring execution of malicious code – for instance at system startup or on a scheduled basis.

8. T1036 Masquerading
Defense and evasion technique present in 14% of malware files

The manipulation of artifacts to make them appear legitimate or benign. For instance, changing the name, location or metadata of an object to evade security controls and user observation.

9. T1082 System Information Discovery
Discovery technique present in 8% of malware files

Attempts to obtain detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

10.T1497 Virtualization/Sandbox Evasion
Defense Evasion and Discovery technique present in 6% of malware files

The detection and circumvention of virtualization and sandbox environments. Malware may change behavior if in a virtual machine environment (VME) or sandbox, to conceal its core functions.

About Picus Security

Picus Security is a leading Breach and Attack Simulation (BAS) vendor, enabling organizations to continuously test, measure and enhance the effectiveness of their cyber security controls through automated and intelligence-led security testing. Picus has been named a ‘Cool Vendor’ by Gartner and is cited by Frost & Sullivan as one of the most innovative players in the BAS market. 

For more information, visit www.picussecurity.com. 

Media contact
Mike@decodedcomms.com
Decoded Comms