Announcement of 15. August 2022

G DATA threat report: Significant increase in Linux ransomware

Number of averted cyber attacks increases by more than 27 percent following the start of the war in Ukraine

There was a significant increase in Linux ransomware in the first half of 2022 - this is reflected in the new threat report by G DATA CyberDefense. Companies and private users alike are being targeted by cyber criminals. The IT security experts also registered an increase in cyber attacks generally following the start of the war in Ukraine. The Malware Top 10 is headed by the remote access Trojan DC-RAT.

Currently, cyber criminals in Germany are making conspicuous use of Linux ransomware to attack network attached storage (NAS) devices. The threat report of January 2022 by the Bochum IT security experts shows that QNAPCrypt, QLocker and Deadbolt are particularly widespread. Companies and private users alike who use such devices for backups are affected. The ransomware not only encrypts the data, but also exfiltrates it. In this way, cyber criminals put their victims doubly under pressure. If they do not pay the required ransom, the attackers publish the data. Since a large part of the ransomware gets through security holes in the NAS devices’ software, users should immediately install updates and protect their devices.

The number of cyber attacks has only increased in the short term as a result of the war in Ukraine. For example, the G DATA threat report for February 2022 shows an increase of more than 27 percent in the number of averted attack attempts compared to January. In April, however, the number of averted attacks dropped significantly, by more than 18 percent compared to March. By the middle of the year, the number of averted attacks had returned to normal and was back at the level it was before the war in Ukraine began.

Tim Berghoff

The so-called cyber war is unusual. Contrary to the fears of many security experts, there have hardly been any concentrated attack attempts against critical infrastructures in Germany. Just the number of normal malware attack attempts briefly increased. However, the warnings were a wake-up signal for many companies to check their IT security and improve protection.

Tim Berghoff

Security Evangelist at G DATA CyberDefense

The current figures also prove that cyber criminals were increasingly targeting companies in the first quarter. Despite the sharp decline from April to June, the figures remain at a high level. The number of averted attack attempts on companies fell by more than 25 per cent within three months. The decline for private users was only 5.4 per cent.

Malware Top 10

The Malware Top 10 has changed significantly compared to the second half of 2021. Seven of the ten most common malware strains are new. As in previous years, the ranking is dominated by remote access Trojans. These enable remote control and administrative monitoring of a third-party computer without the user noticing. Among other things, attackers can view the victim's desktop, log keystrokes, access the camera, copy the login information stored in browsers or upload and download files. Regarding the first-placed malware, DC-RAT, there has been an upsurge in new samples because the malware generates samples independently and randomly. The danger from DC-RAT has therefore not increased at all; rather, sandbox systems that check suspicious software are actively generating new samples and are thus creating an artificial increase. It is noticeable that both Emotet and QBot are not currently at the top of the rankings.

The Malware Top 10 at a glance




Proportion in percent


1 (-)



Remote Access Trojan

2 (-)



Software Bundler

3 (3)



Remote Access Trojan

4 (-)



Banking Trojans

5 (1)



Information Stealer

6 (-)



Remote Access Trojan

7 (-)




8 (-)



Information Stealer

9 (6)



Remote Access Trojan

10 (-)



Remote Access Trojan

Previous year’s position in brackets

New attack routes into networks

Another result of the current G DATA report is that attackers are constantly looking for and finding new ways to attack systems. They are increasingly using file formats such as RAR, ZIP and IMG files to send macro-enabled documents. Rather than Office documents, these contain ISO, Batch, Powershell or EXE files, which they use to bypass Microsoft's macro blocking protection system and spread malware.

Despite the reduced numbers, the risk to companies and users of falling victim to a cyber attack remains high. Current vulnerabilities in applications open the door to criminals just as much as inattentive employees who open attachments in phishing emails.


Announcement of 15. August 2022