
Ransomware and Rising Cyber Threats for Small Businesses

Updated: Jun 6

Ransomware continues to have the greatest impact on smaller organizations, as confirmed by data and Sophos threat research. However, other threats also pose significant risks to small businesses. Data theft is a major focus, with nearly half of malware detections involving password stealers, keyloggers, and other spyware. Credential theft through phishing and malware exposes small business data on cloud platforms and service providers, and network breaches can target their customers. Additionally, attackers are increasingly using web-based malware distribution methods like malvertising and SEO poisoning to bypass security measures. Unprotected devices connected to networks, including unmanaged and improperly configured computers, are a primary entry point for cyberattacks.

Our analysis is based on several data sources. These include customer reports from Sophos protection software on customers' networks, providing a broad view of encountered threats (referred to as the Labs dataset); Managed Detection and Response (MDR) incident data from escalations due to malicious activity on MDR customers' networks (referred to as the MDR dataset); and Incident Response team data from incidents on networks of businesses with 500 or fewer employees that lacked managed detection and response protection (referred to as the IR dataset). For more detailed data from cases handled by our external-facing IR team, including those involving customers with more than 500 employees, please refer to our sister publication, the Active Adversary Report (AAR). Unless otherwise stated, the conclusions in this report are based on the combined datasets with appropriate normalization.

2023 Malware Categories by Signature Updates

Nearly 10% of detected malware falls outside the four major categories, comprising an "other" category that includes malware targeting browsers to inject ads, redirect searches for profit, or collect data. Some stealers, like Discord "token" stealers, specifically target Discord credentials and are used to spread other malware through chat servers or Discord’s content delivery network. Leading stealers such as Strela, Raccoon Stealer, and the RedLine stealer family are more aggressive, targeting password stores from the operating system and applications, browser cookies, and other credential data. Additionally, Raccoon Stealer has deployed cryptocurrency “clippers” that replace crypto wallet addresses copied to the clipboard with addresses controlled by the malware operator.

Ransomware: A Top Threat for Small Businesses

Ransomware, though constituting a small fraction of overall malware detections, remains the most impactful threat. It affects businesses of all sizes and sectors, with small- and medium-sized enterprises experiencing the highest frequency of attacks. In 2021, the Ransomware Task Force of the Institute for Security and Technology revealed that 70% of ransomware attacks targeted small businesses, a trend reflected in our own metrics. LockBit ransomware emerged as the primary threat in small business security incidents handled by Sophos Incident Response in 2023. Operating as ransomware-as-a-service, LockBit is distributed by numerous affiliates and ranked as the most widely deployed ransomware in 2022 according to Figure 7.

Remote Ransomware Incidents, 2022-2023

These attacks often exploit vulnerabilities in unprotected servers, personal devices, and network appliances connected to organizations' Windows-based networks. Defense-in-depth strategies can limit the damage and prevent widespread system shutdowns, but they may not fully prevent data theft and loss. Ransomware no longer targets Windows systems exclusively: developers are increasingly using cross-platform languages to build versions for macOS and Linux and the hardware those systems run on. In February 2023, a Linux variant of Cl0p ransomware surfaced following an attack in December 2022. Subsequently, leaked versions of LockBit ransomware have been observed targeting macOS devices with Apple processors and Linux systems across various hardware platforms.

Cybercrime as a Service

The landscape of malware delivery has long been dominated by "Malware as a Service" (MaaS), where cybercriminals provide malware delivery frameworks via underground marketplaces. However, advancements in platform security and enforcement operations by industry and law enforcement have influenced the MaaS landscape. Emotet, once a dominant player, receded after a takedown by Europol and Eurojust in January 2021. Similarly, Qakbot and Trickbot have diminished following law enforcement disruptions in August 2023, with Qakbot being partly replaced by Pikabot and DarkGate. Despite these changes, the remote access trojan AgentTesla has risen to prominence, becoming the most detected malware by endpoint protection in 2023 and comprising 51% of malware delivery framework detections in our telemetry last year.

Finding a Different Delivery Route

Malware attacks require initial access, often through:

- Phishing emails

- Malicious email attachments

- Exploits of operating system and application vulnerabilities

- Fake software updates

- Remote Desktop Protocol exploitation

- Credential theft

In response to security changes to Office documents, attackers have shifted predominantly to PDF file attachments. There are exceptions; for instance, Qakbot operators turned to malicious OneNote documents to bypass the changes in Excel and Word. Additionally, web-based delivery methods have resurged, with malware campaigns using malicious web advertising and SEO poisoning to reach victims. Notable examples include the Nitrogen activity group's use of Google and Bing advertisements to lure targets into downloading software installers containing malicious payloads. These payloads, such as Meterpreter remote shells and Cobalt Strike beacons, were likely the first step in ransomware attacks, as indicated by other researchers' findings.

“Dual use” Tools

While Cobalt Strike remains a prominent tool for both adversaries and legitimate security testing organizations, it is no longer the most common commercially developed software used by attackers. Remote desktop tools, file compression software, file transfer utilities, and other common tools, including open-source security testing tools, are frequently used by attackers to streamline their operations. Sophos Managed Detection and Response (MDR) has observed these utilities, termed "dual-use tools," being used post-exploitation for discovery, persistence, credential access, lateral movement, and data collection and exfiltration. Notably, both AnyDesk and PsExec were encountered in more Sophos MDR incidents than Cobalt Strike, highlighting the range of tools attackers employ.

Zero-Day Attacks and Non Zero-Day Attacks

In May 2023, Progress Software disclosed vulnerabilities in their widely used secure managed file transfer platform, MOVEit, which had already been exploited by malicious actors associated with the Cl0p ransomware ring. Despite subsequent patches issued by the company, multiple additional vulnerabilities were uncovered, underscoring the ongoing challenges faced by defenders. MOVEit was just one among several systems targeted by zero-day vulnerabilities in 2023.

For instance, GoAnywhere disclosed a vulnerability in February, which another Cl0p-affiliated group attempted to exploit. Additionally, the Bl00dy ransomware gang exploited a remote code execution vulnerability in PaperCut MF and NG print server software after its discovery in January. Some vulnerabilities, like the one found in Barracuda Email Security Gateway appliances in June, were so severe that patching was not feasible, necessitating the replacement of affected physical or virtual appliances. Moreover, attackers often exploit software and devices that have fallen out of support, such as older network firewalls and web server software, recognizing the absence of forthcoming patches.

Supply Chain Attacks and Digitally Signed Malware

In 2023, small businesses faced security concerns not only with their own IT infrastructure but also with the services they rely on to manage their operations. Supply chain attacks, once associated primarily with nation-state actors, have become a recurring tactic in the ransomware playbook, targeting managed service providers. Sophos Managed Detection and Response (MDR) encountered five cases where small businesses were attacked through exploits of their service provider's remote monitoring and management (RMM) software. Attackers leveraged the NetSolutions RMM agent to create new administrative accounts on targeted networks and deployed commercial remote desktop, network exploration, and software deployment tools. In two instances, LockBit ransomware was successfully deployed. Defending against such attacks is challenging, especially when trusted software is exploited to disable endpoint protection. Small businesses and their service providers must remain vigilant for signs of compromised endpoint protection, as this could indicate privileged access gained through supply chain vulnerabilities or other seemingly legitimate software.
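The two patterns described above, dual-use tools turning up in post-exploitation activity and an RMM agent being used to create new administrative accounts, are the kind of thing a small business or its service provider can look for in endpoint process-creation telemetry. The following is an added example written for this page, not code from Sophos or from the report: it parses constructed JSON-lines events, flags launches of the dual-use tools named in the text (AnyDesk, PsExec, compression and transfer utilities, a Cobalt Strike beacon), and raises the severity when the parent process is the RMM agent or when `net.exe` is used to add a local account or an Administrators group member. The event field names, the RMM agent process name `rmmagent.exe`, the watchlist, and all sample events are assumptions constructed for the example.

```python
"""Triage constructed endpoint telemetry for dual-use tools and RMM-driven
account changes (added example; field names, agent name and events are
assumptions, not from the report)."""
import json
import ntpath
from collections import Counter

# Watchlist of dual-use tool image names (constructed; reconcile against the
# tools your own environment legitimately deploys before alerting on them).
DUAL_USE_TOOLS = {
    "anydesk.exe": "remote desktop (AnyDesk)",
    "psexec.exe": "remote execution (PsExec)",
    "psexesvc.exe": "remote execution service (PsExec)",
    "7z.exe": "file compression",
    "rclone.exe": "file transfer",
    "beacon.exe": "Cobalt Strike beacon (assumed image name)",
}

# Process name assumed for the service provider's RMM agent; vendor-specific.
RMM_AGENTS = {"rmmagent.exe"}

# Constructed process-creation events, serialized as JSON lines the way an
# endpoint sensor or SIEM export might deliver them.
_EVENTS = [
    {"ts": "2023-06-01T09:00:01Z", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"ts": "2023-06-01T09:12:40Z", "host": "SRV01", "user": "SYSTEM",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Program Files\RMM\rmmagent.exe",
     "cmdline": "net user svc_backup Summer2023! /add"},
    {"ts": "2023-06-01T09:12:41Z", "host": "SRV01", "user": "SYSTEM",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Program Files\RMM\rmmagent.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": "2023-06-01T09:14:02Z", "host": "SRV01", "user": "SYSTEM",
     "image": r"C:\Temp\AnyDesk.exe", "parent_image": r"C:\Program Files\RMM\rmmagent.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"ts": "2023-06-01T10:02:15Z", "host": "WS02", "user": "bob",
     "image": r"C:\Tools\PsExec.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\SRV01 cmd"},
    {"ts": "2023-06-01T10:30:00Z", "host": "WS01", "user": "alice",
     "image": r"C:\Program Files\7-Zip\7z.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "7z.exe a archive.7z Finance"},
    {"ts": "2023-06-01T11:00:00Z", "host": "WS03", "user": "carol",
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net user carol /domain"},  # lookup only, no /add: benign
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (severity, reason) for a suspicious event, or None if nothing matched."""
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("cmdline", "").lower()
    via = " via RMM agent" if parent in RMM_AGENTS else ""

    # Local account creation or Administrators membership change through net.exe.
    if image in ("net.exe", "net1.exe") and "/add" in cmd:
        if "localgroup administrators" in cmd:
            return ("high" if via else "medium", "Administrators group member added" + via)
        if "user" in cmd.split():
            return ("high" if via else "low", "local account created" + via)

    # Dual-use tool launch; an RMM agent as parent is the supply-chain pattern.
    if image in DUAL_USE_TOOLS:
        return ("high" if via else "medium", "dual-use tool: " + DUAL_USE_TOOLS[image] + via)
    return None


def triage(lines):
    """Parse JSON-lines telemetry and return a list of alert dicts in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = classify(ev)
        if hit is None:
            continue
        alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                       "image": _basename(ev.get("image", "")),
                       "severity": hit[0], "reason": hit[1]})
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with any high-severity hit (RMM-driven admin changes or RMM-launched tools)."""
    return sorted({a["host"] for a in alerts if a["severity"] == "high"})


def severity_counts(alerts):
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["severity"].upper(), a["ts"], a["host"], a["user"], a["image"], "-", a["reason"])
    print("isolate:", hosts_to_isolate(found))
```

On the constructed log this yields five alerts: the three events spawned by the RMM agent on SRV01 are high severity and put that host on the isolation list, while the PsExec and 7-Zip launches on the workstations are medium severity and only warrant review. The point of keying severity on the parent process is that the tools themselves are legitimate; it is the combination of a trusted management channel and account or tool activity it has no business performing that indicates the supply-chain abuse described above.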

For example, attackers in 2023 exploited vulnerable kernel drivers from older software that carried valid digital signatures, or used malicious software with fraudulently obtained signatures, including kernel drivers signed through Microsoft's Windows Hardware Compatibility Publisher (WHCP) program, to evade detection and disable malware protection. Kernel drivers operate at a low level within the operating system and load before security software has started, which makes them particularly difficult to detect. Digital signatures are required to load kernel drivers on Windows systems with Secure Boot enabled since Windows 10 version 1607, which is why a valid or fraudulently obtained signature is so valuable to an attacker.

Mobile Malware and Social Engineering Threats

Small businesses rely heavily on mobile devices for their approved or ad-hoc information systems, including text messages, messaging apps, and cloud-connected applications like mobile point-of-sale systems. Cybercriminals recognize this dependence and continually seek ways to target mobile device users for data access or fraud. Particularly concerning is Android malware such as spyware and banking trojans ("bankers"), which harvest personal data and financial information from affected devices. Spyware operators have even resorted to threatening victims with tragic consequences. These malicious mobile applications are distributed through various means, including posing as legitimate apps on app stores or through links sent via text messages. Bankers target financial applications, including cryptocurrency wallets, to steal account data and access funds.

Additionally, "pig butchering" scams, sophisticated crypto scams that often target individuals associated with small businesses, have become increasingly prevalent. These scammers lure victims through social media, dating apps, and other platforms, introducing fraudulent money-making schemes usually involving cryptocurrency. The scams have infiltrated app stores by initially appearing benign and then transforming into fake crypto trading apps, with scammers also draining victims' wallets through Web3 functionality in mobile crypto wallet apps. Efforts to combat these scams involve identifying associated domains and reporting them for takedown.
