August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact
Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) operation has rapidly expanded since its rebranding from Knight ransomware, breaching over 210 victims worldwide. Meanwhile, Meow ransomware has emerged, shifting from encryption to selling stolen data on leak marketplaces.
Last month, RansomHub solidified its position as the top ransomware threat, as detailed in a joint advisory from the FBI, CISA, MS-ISAC, and HHS. This RaaS operation has aggressively targeted systems across Windows, macOS, Linux, and especially VMware ESXi environments, using sophisticated encryption techniques.
August also saw the rise of Meow ransomware, which secured the second spot on the top ransomware list for the first time. Originating as a variant of the leaked Conti ransomware, Meow has shifted its focus from encryption to data extraction, transforming its extortion site into a data-leak marketplace. In this model, stolen data is sold to the highest bidder, diverging from traditional ransomware extortion tactics.
RansomHub’s emergence as the top ransomware threat in August underscores the increasing sophistication of Ransomware-as-a-Service operations. Organizations need to be more vigilant than ever. The rise of Meow ransomware highlights the shift towards data-leak marketplaces, signaling a new method of monetization for ransomware operators, in which stolen data is increasingly sold to third parties rather than simply published online. As these threats evolve, businesses must stay alert, adopt proactive security measures, and continuously enhance their defenses against increasingly sophisticated attacks.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates is the most prevalent malware this month, with an impact on 8% of organizations worldwide, followed by Androxgh0st with a global impact of 5%, and Phorpiex with a global impact of 5%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↑ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large-scale sextortion campaigns.
- ↑ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
- ↓ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ Formbook – Formbook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↑ CloudEyE – CloudEyE is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.
- ↔ Vidar – Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.
- ↓ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- ↔ NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
Top exploited vulnerabilities
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the affected system.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
Top Mobile Malware
This month Joker was in 1st place among the most prevalent mobile malware, followed by Anubis and Hydra.
- ↔ Joker – An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware silently signs the victim up for premium services on advertisement websites.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by requesting victims to enable dangerous permissions and access each time they enter any banking app.
Top-Attacked Industries Globally
This month Education/Research remained in 1st place among the most attacked industries globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 15% of the published attacks, followed by Meow with 9% and Lockbit3 with 8%.
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
- Meow – Meow Ransomware is a variant based on the Conti ransomware, known for encrypting a wide range of files on compromised systems and appending the “.MEOW” extension to them. It leaves a ransom note named “readme.txt,” instructing victims to contact the attackers via email or Telegram to negotiate ransom payments. Meow Ransomware spreads through various vectors, including unprotected RDP configurations, email spam, and malicious downloads, and uses the ChaCha20 encryption algorithm to lock files, excluding “.exe” and text files.
- Lockbit3 – LockBit is ransomware operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.