Can your SASE solution block these top malware?

By Mor Ahuvia, Product Marketing Manager

Malware is a go-to tactic and essential tool for attackers. According to Check Point Research’s 2023 Cyber Security Report, 32% of cyber attacks globally are based on multipurpose malware with email as the attack vector in 86% of those attacks. The most vicious malware are wipers, whose only purpose is to cause irreversible damage and destruction. More wipers were used in 2022 than were recorded in the past 30 years.

Guard Against the Latest Malware

It pays to know your enemy. The Check Point Research 2023 report categorizes four types of malware: a multi-purpose malware, infostealers, cryptominers, and mobile malware, which are described briefly below. There are many variants within each category, along with different delivery tactics. In 2022, Check Point Research identified the leading malware globally.

Figure 1: Most prevalent malware globally in 2022 – Source Check Point Research

Multipurpose Malware

This common malware includes banking Trojans and botnets. It’s often used to gain initial access to an environment, and multiple variants are often used in combination by sophisticated cyber criminals for different purposes. Emotet, initially discovered in 2014, is the most prevalent type. Other well-known multipurpose malware includes Qbot, Raspberry Robin, and the Phorpiex botnet.

Wiper Malware

Multiple new families of wiper malware appeared throughout 2022. Most were aimed at organizations and infrastructure within political rivals by hacktivists or nation-state attackers. Wipers are vicious malware designed to inflict maximum destruction. Damage to data is usually irreversible.


Stolen credentials and cookies fuel a growing underground marketplace for cyber attack services. Cybercriminals use infostealers to spread broad-based malware infections. After initial infection, they mine the data to identify corporate VPN credentials and attempt to access networks. Infostealers affected 24% of all organizations in 2022. The four most common—AgentTesla, Formbook, SnakeKeylogger and LokiBot—are also among the top six global malware.


In 2022, cryptominer malware dropped from 21% in 2021 to 16% globally. Attackers used XMRig, a legitimate open-source mining tool, for 76% of cryptomining attacks in 2022. LemonDuck is another cryptomining malware. First detected in 2019, it has extensive capabilities including credential stealing, lateral movement and the ability to drop tools for human-operated attacks.

Ransomware and Shifting Tactics

Ransomware campaigns employ multiple types of malware to carry out system commands, steal data and set the stage for the final ransom demand. In the past, individual ransomware actors automated campaigns to target victims and demand small amounts of money. There has been a significant shift in tactics as ransomware-as-a-service entities specifically target victims and produce human-led campaigns. They might encrypt victims’ data, releasing decryption keys after the ransom is paid. Others skip encryption and threaten to auction or release sensitive data for payment. Some contact the victim organization’s employees, business partners and customers to increase the pressure. Still others simply destroy data instead of encrypting it.

Prevention vs. Detection: Stop it Fast

Ever-morphing, new malware strains are difficult to detect. They can easily evade anti-virus (AV) software, which relies on signatures, or hashes, generated from already-seen suspicious files. Suspicious files are assigned a unique hash of alphanumeric characters. Zero-day malware, or variants of never-before-seen threats, have no signatures created, so your AV software, SWG or next-generation firewall can’t identify and block them. The ability to detect and prevent never-before-seen malware is critical to closing an attacker’s window of opportunity. This is why a Secure Access Service Edge (SASE) solution focused on threat prevention is critical to defending against new malware strains.

  • A prevention-focused SASE solution like Check Point Harmony Connect blocks malware in the critical early days of a zero-day malware. In fact, Miercom’s recent Next Generation Firewall (NGFW) Security Benchmark 2023, showed Check Point’s technology prevented 99.7% of new malware downloads, with the nearest competitor achieving 72.7%. Check Point also had the lowest false positive rate of 0.13%, delivering a cloud-native version of the same threat prevention engines, so customers receive the same leading protection as service from the cloud.

Capabilities That Make the Difference

  • A prevention-focused SASE solution combines four powerful capabilities that enable it to prevent the latest malware:
  • Zero-Day Sandboxing: Advanced sandboxing (threat emulation) inspects files for hundreds of different indicators—such as common evasion techniques, file-opening macros, out-of-context services—to determine those that are malicious.
  • Big Data Threat Intel and AI: Big-data threat intelligence gleaned from hundreds of millions of sensors around the globe combined with AI and machine learning engines enable fast identification and blocking of emerging threats.
  • Virtual Patching with a Cloud IPS: A cloud-based Intrusion Prevention System, or cloud IPS, stops anomalous behavior and virtually patches against newly discovered vulnerabilities (CVEs) in browsers, applications and systems.
  • Full Traffic Inspection: Prevention-focused SASE performs full traffic inspection across all ports and protocols.

The Only Prevention-First SASE Solution: Harmony Connect

  • Check Point Harmony Connect SASE is the only prevention-focused SASE solution to successfully defend against the latest malware. It secures 55 million corporate access transactions and prevents 240,000 cyber attacks per month. Learn more:
  • To secure remote internet access, learn more about our Secure Web Gateway
  • To secure your private applications, learn more about our Zero Trust Network Access
  • To secure branch office internet access, read the case study
  • For a complete overview, check out the webinar