Nastiest Malware 2019

  • 28 October 2019
  • 2 replies
Userlevel 7
Badge +48

It’s that time of year again. The leaves have changed, ghouls and goblins are about to take to the streets demanding tricks or treats, and Webroot is shining the light on the nastiest malware threats lurking online in 2019. It’s not names like Jason or Freddy that should curdle your blood this October, but TrickBot, Crysis, and the dreaded “Man in the Mirror.”

From zombie botnets to insidious email infiltrators, here are 2019’s top malware threats to watch out for.

Be sure to catch our LIVE Q&A on November 13th at 1:00PM MT

VOTE on the Nastiest Malware 

Read my interview with a psychologist and professor about why we click


Botnets

Botnets have continued to dominate the infection attack chain in 2019. No other type of malware was responsible for delivering more ransomware and cryptomining payloads. Here are the top offenders:

  • Emotet, the most prevalent malware of 2018, held onto that notorious distinction into 2019. While it was briefly shut down in June, Emotet returned from the dead in September of this year. It remains the largest botnet to date, delivering various malicious payloads.
  • Trickbot has been partnering with banking Trojan groups like IcedID and Ursnif in 2019. Its modular infrastructure makes it a serious threat for any network it infects and, when combined with Ryuk ransomware, it's one of the more devastating targeted attacks of 2019.
  • Dridex was once one of the most prominent banking trojans. Now it acts as an implant in the infection chain with the Bitpaymer ransomware and is achieving alarming success.


Ransomware

Ransomware remains a threat, adopting a more targeted model last year. Small and medium-sized businesses (SMBs) are easy prey and make up most of its victims. Whether gaining access through targeted phishing attacks or by brute forcing unsecured remote desktop protocol (RDP), ransomware is as effective as ever and isn't going anywhere.

  • Emotet, Trickbot, and Ryuk, with one leading to the next, make up the most frightening ransomware triple threat. In terms of financial damage, this is probably the most successful chain of 2019. With more targeted, reconnaissance-based operations, they now assign a value to targeted networks post-infection and will extort them accordingly after deploying ransomware.
    • Through the first half of 2019, Trickbot was often delivered as secondary payload after Emotet. Ryuk infections, typically delivered by Trickbot, then resulted in mass encryption of entire networks.
    • Dridex is now being used as an implant in the Bitpaymer ransomware infection chain. We have observed it also delivered as a second-stage payload following Emotet.
  • GandCrab is one of the most successful examples of ransomware-as-a-service (RaaS) to date, with profits in excess of $2 billion. We believe they are closely tied to the Sodinokibi/REvil ransomware variant.
  • Sodinokibi/REvil arose after the retirement of GandCrab. Many of their affiliates seem to be having decent success targeting MSPs.
  • Crysis (aka Dharma) makes its second consecutive appearance on our Nastiest Malware list. This ransomware was actively distributed in the first half of 2019, with almost all infections we observed distributed through RDP compromise.

Cryptomining & Cryptojacking

The explosive growth cryptojacking sites experienced from 2017-2018 is gone. The campaigns running today are shells of their former selves. With around 5% month-over-month decline since Bitcoin peaked in early 2018, the threat has since atrophied. But we don't anticipate cryptomining will die entirely. It's still low-risk, guaranteed money that’s less "malicious” than ransomware. For instance, though Coinhive shut down in March, Cryptoloot and CoinImp still saw growth from April through June. Cryptomining payloads also declined this year, though they fared better than cryptojacking campaigns. Almost all cryptomining campaigns use XMRig, which is an open-source miner that mines Monero with great flexibility.

  • Hidden Bee is an interesting exploit delivering cryptomining payloads. First seen last year with Internet Explorer exploits, it has now evolved to deliver payloads inside JPEG and PNG images through steganography, as well as through WAV media files and Flash exploits.
  • Retadup was a cryptomining worm with over 850,000 infections. It was removed in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie when they took control of the malware’s command and control server.

Your Inbox

We saw email-based malware campaigns grow dramatically in their complexity and believability this year. Phishing became increasingly personalized, and extortion emails have begun claiming to have captured lewd behavior using compromised passwords.

  • The “man in the mirror.” It’s spooky knowing the biggest security concern at the office is probably one of the people at the office, not a hacker in some remote location. A lack of best practices like poor domain administration, being reactive not proactive, reuse and sharing of passwords, and lack of multi-factor authentication all mean the bad guys may already be in the house.
  • Business email compromise (BEC) is on the rise with email conversation hijacking and deep fakes, often targeting individuals for sending payments or purchasing gift cards and using spoofed email accounts impersonating executives or other colleagues. They are designed to trick victims into giving up wire transfers, credentials, gift cards, and more. BEC is up 100% this year and has caused over $26 billion in losses over the past 3 years.
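The RDP brute-forcing route into ransomware victims that the post mentions is one of the easier ones to catch in logs. The following is an added example, not part of the original post or of Webroot's tooling: it reads a constructed export of Windows failed-logon events (event ID 4625, logon type 10 = RemoteInteractive, which are real Windows values) and flags any source address with five or more RDP logon failures in a five-minute sliding window, together with the accounts it tried. The comma-separated input format, the thresholds and the sample lines are assumptions.

```python
"""Flag RDP brute-force / password-spray patterns in Windows logon-failure events.

Added example (not from the original post). Input is an assumed, simplified
export with one failed-logon event per line:
    <ISO-8601 time>,<event id>,<logon type>,<source ip>,<account name>
Event 4625 is the Windows "account failed to log on" event and logon type 10
is RemoteInteractive (RDP / Terminal Services).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one noisy source hammering several accounts over RDP,
# plus a legitimate user who mistyped a password a couple of times.
SAMPLE_EVENTS = """\
2019-10-28T02:14:01Z,4625,10,203.0.113.45,administrator
2019-10-28T02:14:03Z,4625,10,203.0.113.45,administrator
2019-10-28T02:14:04Z,4625,10,203.0.113.45,admin
2019-10-28T02:14:06Z,4625,10,203.0.113.45,backup
2019-10-28T02:14:08Z,4625,10,203.0.113.45,administrator
2019-10-28T02:14:09Z,4625,10,203.0.113.45,sqlsvc
2019-10-28T09:30:11Z,4625,10,10.0.0.23,jsmith
2019-10-28T09:30:40Z,4625,10,10.0.0.23,jsmith
2019-10-28T09:31:02Z,4625,2,10.0.0.23,jsmith
"""


def parse_events(text):
    """Yield (time, event_id, logon_type, source_ip, account) tuples."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id),
               int(logon_type), src, account.lower())


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source
    with at least `threshold` RDP logon failures inside a sliding `window`."""
    recent = defaultdict(deque)      # source ip -> failure timestamps inside the window
    accounts = defaultdict(set)      # source ip -> distinct accounts attempted
    hits = {}
    for ts, event_id, logon_type, src, account in sorted(parse_events(text)):
        if event_id != 4625 or logon_type != 10:
            continue                 # only failed RDP logons are of interest here
        q = recent[src]
        q.append(ts)
        accounts[src].add(account)
        while q and ts - q[0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold:
            hits[src] = {"failures": len(q), "accounts": sorted(accounts[src])}
    return hits


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} RDP failures in 5 min, "
              f"accounts tried: {', '.join(info['accounts'])}")
```

A source that trips the threshold while cycling through several account names is the password-spray signature; a single account with many failures is classic brute force. Either way the fix the post alludes to is the same: take RDP off the internet or behind a VPN/gateway, enforce lockout and MFA, and alert on this pattern rather than waiting for the encryption stage.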

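BEC as described above leans on display names, lookalike domains and social pressure rather than on malware, so the useful checks are on mail headers and wording. The following is an added example, not from the original post; the organisation's domain, the executive directory and the two sample messages are all constructed, and the checks (executive display name with a foreign address, sender domain within a small edit distance of the real one, a Reply-To that diverts the thread, payment or urgency language in the body) are the kind a mail gateway rule or SOC playbook might apply.

```python
"""Score inbound mail for the executive-impersonation patterns used in BEC.

Added example (not from the original post). ORG_DOMAIN, EXECUTIVES and the
sample messages are constructed; header parsing uses only the standard library.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed: the protected organisation
EXECUTIVES = {                                      # assumed directory: name -> real address
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}
PRESSURE_WORDS = ("gift card", "wire transfer", "urgent")


def edit_distance(a, b):
    """Levenshtein distance; small distances flag lookalikes such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_findings(raw_message):
    """Return a list of finding strings for one RFC 822 message (empty = nothing odd)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name matches an executive, but the address is not theirs.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a near-miss of the organisation's own domain.
    if domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Reply-To silently redirects the conversation to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")

    # 4. Body asks for money or applies time pressure.
    body = msg.get_payload().lower()
    if any(word in body for word in PRESSURE_WORDS):
        findings.append("body contains payment/urgency language")
    return findings


# Constructed sample messages.
SAMPLE_IMPERSONATION = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.example.net
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need you to buy some gift cards urgently, will explain later.
"""

SAMPLE_LEGIT = """\
From: Raj Patel <raj.patel@example.com>
To: team@example.com
Subject: Notes from Monday

Minutes attached, let me know if I missed anything.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION), ("legit", SAMPLE_LEGIT)):
        print(label, "->", bec_findings(sample) or "no findings")
```

Each finding on its own is a weak signal (an executive really may write from a personal account, and "urgent" appears in plenty of honest mail), so in practice these are combined into a score and paired with SPF/DKIM/DMARC results and an out-of-band payment verification step rather than used to block outright.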
2 replies

Userlevel 2
Badge +2

Hidden Bee :bee:


Really interesting topic, can't wait.