2019 was a rough year in the cyber security realm. Attack vectors continued to broaden and develop, while attacks became more complex. Last year also saw some shifts in attack focus and targeting, such as a noted rise in ransomware attacks against enterprises and governments, while consumer targeting with ransomware decreased.

Since its beginning, 2020 has demanded the world to cope with a dramatic, hard-to-predict global pandemic. The cyber realm has been affected accordingly, with many threat actors determined to exploit the current situation, and security providers and alliances working hard to combat this exploitation. COVID-19 campaigns create new infection opportunities in addition to common ones, and it is important to keep a close watch on the development of prevalent malware families that are continuing to infect victims in a variety of different campaign types.

According to Webroot’s third annual Nastiest Malware list, these are the worst variants in each threat category.


Many common ransomware variants are widely distributed via spam campaigns, yet Ryuk is a dangerous ransomware used for tailored attacks targeting enterprises. Each attack is customized to ensure foolproof infection chances, aiming for large organizations and government organizations to secure grand ROIs. Ryuk is said to be the costliest type of ransomware, asking for a ransom amount over 10 times the average amount.

Ryuk emerged in late 2018 as a modified version of Hermes ransomware. The new variant is similar to its predecessor, encrypting network devices and deleting shadow copies on the victim machines, though there are noted differences in their file handling logic and encryption key creation.

The ransomware usually infects victims via a phishing email armed with a malicious attached file. This file downloads a dropper, which at first downloads Trickbot or Emotet, which will be used to compromise the system using reconnaissance and lateral movement functions. Once the credentials have been harvested and the critical areas of the system reached, Ryuk is loaded, and will proceed to encrypt the victim’s assets and display its ransom note.

Sadly, this ransomware is quite successful at reeling in large ransom amounts from its victims. A few months ago, Ryuk attacks cost the state of Florida over $1 million after the attacks led to cities being completely shut down, with police and basic supply services badly impaired. In another attack, Ryuk held Tribune Publishing captive, disrupting all their publications operations during the Christmas holidays.


Hidden Bee

Cryptominers and cryptojackers are seen to inflate and decrease in activity in sync with bitcoin price changes. These attack types peaked alongside the bitcoin price in 2018, and although a major drop was noted at the end of that year, bitcoin prices have hit some relatively good numbers in 2020, deeming cryptomalware attacks worthwhile.

The Chinese cryptominer Hidden Bee has a complex structure, making it a unique threat in the cyber realm. This malware runs silently, so that the only way a victim can realize that their system has been compromised is by identifying increased processor usage. A further investigation will show that the malware payloads have been injected in to several applications, showing atypical executable elements in those processes.

Hidden Bee has been seen distributed via malvertising on adult sites, redirecting visitors to an exploit kit landing page or a malicious loader. In these attacks, the threat actors use randomization of the URL path to avoid detection by security products and antivirus programs. of the While Hidden Bee debuted using the underminer exploit kit, which utilizes Internet Explorer and Flash Player exploits, it has evolved to the use of payloads inside WAV files, as well as hiding them in JPEG and PNG images. After infecting the victim’s system, the attackers ensure persistence by installing bootkit that will run the miner every time the system restarts.



The Department of Homeland security has deemed Emotet one of the most costly and destructive malware variants, sometimes costing more than $1 million per each incident recovery. The malware, which was discovered in 2014, originally debuted as a banking Trojan, though today it has become a sophisticated, multi-functional malware. It does not show mercy on any sector, attacking both government and private sectors, individuals as well as organizations.

Emotet uses advanced evasion techniques, and the malware changes quite often, making it hard to detect for antivirus software. The malware also boasts worm-like capabilities, allowing it to spread laterally and infect other machines in the compromised network. Utilizing its spreading abilities, Emotet may download other malware variants in the network, such as AZORult, IcedID, Ryuk, and TrickBot, or add the infected machines to a botnet.

Emotet is primarily spread via malspam emails in a variety of different campaigns. In May of last year, the Emotet C&C servers were taken down, raising questions about the future of the malware and botnets. But Emotet didn’t keep its followers waiting for too long, and by September the Emotet threat actors returned to full-force activity with the re-establishment of communications with the Emotet botnets and new malspam infection campaigns.

ThreatSTOP protects our users from these threats. If you want to protect yourself, make sure that our Core Threats target bundle is enabled in your policy. We also recommend enabling our Ransomware, Botnets, and Cryptomining bundles to broaden your coverage against the some of the most prevalent threats today.


Due to the impact of novel Coronavirus (COVID-19), ThreatSTOP is offering 3 months of MyDNS free, or until the stay at home orders expire. Whichever is longer. With the COVID-19 crisis comes an unprecedented transition to a work from home workforce, and a massive increase in cyber attacks. Because people need to work from home, we want to provide the cyber security protection they should have at work, for free.


Unlike other solutions that send all your data or DNS queries to their Cloud, creating privacy issues and potentially exposing critical company data to hacking and theft through man-in-the-middle attacks, our MyDNS puts a DNS Firewall enabled DNS server onto your device, keeping your traffic under your control and preventing DNS hijacking by enforcing DNSSEC.

Easy and quick to set up, no hardware, no contracts or obligations, and we're here to help.

Learn More