Check Point Software Technologies Ltd., a cybersecurity platform provider of AI-based solutions delivered through the cloud, has released its Global Threat Index for August 2024. The list reveals that ransomware remains a dominant force, with RansomHub holding the position as the top team in the division.
This Ransomware-as-a-Service (RaaS) operation has expanded rapidly since rebranding as Knight ransomware, breaching more than 210 victims worldwide. Meanwhile, Meow ransomware emerged, shifting from encryption to selling stolen data.
Last month, RansomHub cemented its position as the top ransomware threat, as detailed in a joint report by the FBI, CISA, MS-ISAC and HHS. This RaaS operation attacks systems in Windows, macOS, Linux and especially VMware ESXi environments, using sophisticated encryption techniques.
August also saw the rise of the Meow ransomware, which for the first time secured second place on the top ransomware list. Derived from a variant of the Conti ransomware, Meow has shifted its focus from encryption to data extraction, turning the extortion site into a data-leak marketplace. In this model, stolen data is sold to the highest bidder, deviating from traditional ransomware extortion tactics.
"The emergence of RansomHub in August as the top ransomware threat highlights the growing sophistication of Ransomware-as-a-Service operations," said Maya Horowitz, VP of Research at Check Point Software. "Organizations need to be more vigilant now than ever. The rise of the Meow ransomware highlights the shift to data leakage markets, signaling a new method of profit for ransomware operators, where stolen data is increasingly sold to third parties, rather than simply posted online. As these threats evolve, businesses must remain vigilant, adopt proactive security measures and continually strengthen their defenses against increasingly sophisticated attacks.”
Top malware families
*The arrows refer to the change in ranking compared to the previous month.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. Captures payloads to disk before they are ejected. FakeUpdates led to further compromise through several additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↔ Androxgh0st - Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. For the initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- PHPUnit, Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↑ Phorpiex - Phorpiex is a botnet known for distributing other malware families through spam campaigns, as well as powering large-scale Sextortion campaigns.
Top exploited vulnerabilities
- ↔ Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) – Command Injection over HTTP vulnerability has been reported. A remote attacker can exploit it by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771( - Command injection vulnerability in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary operating system commands on the affected system.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-1375) - HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
Best Mobile Malware
In August Joker was ranked 1st most prevalent mobile malware followed by Anubis and Hydra.
- ↔ Joker – An android Spyware on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware unknowingly registers the victim for premium services on advertising websites.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was first detected, it has acquired additional features such as a Remote Access Trojan (RAT) feature, a keylogger, audio recording capabilities, and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
- ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by asking victims to enable dangerous privileges and access every time they log into any banking application.
Top-Attacked Industries Globally
This month the Education / Research remained the No. 1 attacked industry worldwide, followed by Government/Military sector and Health.
- Education / Research
- Government/military
- Health
Best Ransomware Groups
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) business that emerged as an upgraded version of the previously known Knight ransomware. RansomHub, which emerged in early 2024 on underground cybercrime forums, quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux, and especially VMware ESXi environments, using sophisticated encryption methods.
- Meow - Meow Ransomware is a variant based on the Conti ransomware known for encrypting a wide range of files on compromised systems and appending the '.MEOW' extension to them. It leaves a ransom note called "readme.txt", which instructs victims to contact the attackers via email or Telegram to negotiate a ransom payment. Meow Ransomware spreads through various mediums, such as unprotected RDP configurations, email spam, and malicious downloads, and uses the ChaCha20 encryption algorithm to lock files, excluding ".exe" files and text files.
- lock bit3 - LockBit is a ransomware, operating in a RaaS model, that was first reported in September 2019. LockBit targets large enterprises and government agencies from various countries and does not target individuals in Russia or the Commonwealth of Independent States.
The full list of the top ten malware families in August can be found on the Check Point blog.