Announcement of 24. January 2020

Malware Top 10 in 2019: Attacks every few seconds

Nine new malware samples threaten PCs and networks every minute

Cyber defence specialists at G DATA identified more than 4.9 million malware samples in 2019. The cyber criminals were aiming to read passwords and confidential data or encrypt data and systems. G DATA has compiled the ten most active malware families in the current annual Top Ten.

Tim Berghoff

Anti-virus providers’ technology is getting better and better, identifying new attacks on company networks or private PCs and laptops every day. Consequently, malware authors are forced to use sophisticated methods to protect their malware from detection by protection programs - it’s an endless cat-and-mouse game.

Tim Berghoff

Security Evangelist bei der G DATA CyberDefense AG

However, this is not always successful. Last year, experts at G DATA discovered more than 13,500 variants of known malware families every day. By far the most active was the GandCrab ransomware. The malware analysts in Bochum identified over 408,000 versions - on average more than 1,100 new variants per day. The ransomware encrypts data and networks and demands a ransom from users. Only then can the data be decrypted again. However, the group behind the malware had already officially ended its activities on the 1st of June 2019. Even so, it appears that the system is still active and continuing to distribute the malicious code.

In second and third places are njRAT, with 208,000 versions, and BlackShades, with 193,000. Both belong to the group of Remote Access Trojans, which cyber criminals use to take administrative control of the target system. The best-known malware family, Emotet, ranks sixth in the annual charts, with over 70,800 different samples. An average of 194 new versions of the all-purpose cyber crime weapon appeared every day. Emotet merely acts as a door opener and provides cyber criminals with access to IT networks. For comparison, in the same period last year, malware analysts discovered around 28,000 new variants.

The Malware Top Ten at a glance:

Platz Name Variants Type
1 GandCrab 408,182 Ransomware
2 njRAT 208,235 Remote Access Trojaner
3 BlackShades 193,105 Remote Access Trojaner
4 Tinba 127,589 Banking-Trojaner
5 AveMariaRAT 102,374 Remote Access Trojaner
6 Emotet 70,833 Malware Distributor
7 Shifu 61,225 Banking-Trojaner
8 AZORult 60,834 Information-Stealer
9 SakulaRAT 53,799 Remote Access Trojaner
10 Nanocore 50,535 Remote Access Trojaner

Steal data, encrypt systems

Five of the ten most active malware families are Remote Access Trojans (RATs). This means that the malware enables remote control and administrative monitoring of a third-party computer, without the user noticing. The manipulation capabilities range from spying on passwords and reading confidential data to deleting the hard drive or encrypting files. Banking Trojans such as Tinba or Shifu are also still active. They use man-in-the-browser technology to read login data for banking applications.

It is noticeable that a large part of the malware has been in circulation for several years. For example, SakulaRAT and Tinba were first discovered in 2012, and Nanocore in 2013. This is also related to the concealment techniques the cyber criminals use to camouflage the malware. The most recent malware in the Top 10 is AveMariaRAT. This RAT was first identified by security researchers in 2018. A total of 332 different malware families are currently classified in G DATA's databases.

No end to Emotet

At the end of the year, the former banking Trojan Emotet was back in the limelight. After things had become quiet with the all-purpose cyber crime weapon in mid-2019, cyber criminals have become much more active again since the autumn. In Germany, public administrations, universities and, once again, hospitals were among the victims of the sophisticated attacks. “The initial spam emails look very authentic, so many users regard them as genuine and open the infected attachment,” says Tim Berghoff. “Users then click on the infected attachment and disaster strikes.” The malware automatically downloads other malware such as Trickbot and Ryuk to spy on additional access data and encrypt the system. Emotet even converts PowerShell and uses it as a malicious function. The result is that affected companies and administrations are left without IT and are offline for days.


Announcement of 24. January 2020