Infiltrate, Adapt, Repeat: A Look at Tomorrow’s Malware Landscape


What would you think if I told you that malware attacks are down, but new variants of malware are up? According to the SonicWall 2021 Cyber Threat Report, malware attacks are down from their high three years ago, showing an overall drop of 43% in 2020. Despite that sounding like great news, SonicWall found a 73% increase in new and updated strains of malware that couldn’t have been caught by traditional defenses that rely on static definitions.

With the way things are going, we expect this trend to continue in the near future. But why is this happening — and what does it mean? I believe the threat landscape is as active as it is because of the many new entrants to the game and faster development cycles.

New Entrants

In my research for my RSA talk on how the youngest generation is learning to hack, I found that the TV show Mr. Robot has created many fans who all want to learn how to hack. These youngsters are approaching the subject early and have more resources available to them than previous generations had. There are many safe places for them to test their skills, like “Hack the Box,” but over time they want to test new skills on real companies. The more responsible ones will offer to do penetration testing, while others may go into malware development and attacking.

Almost all new entrants into the game are looking to build something and see what they can get past our defenses. Almost all of those I interviewed over the last year are getting into ransomware, which could explain why SonicWall saw a 62% rise in this malware type in 2020. The strains they are building are becoming so advanced that it scares me. They have moved from idolizing fictional characters to becoming the real attackers. In the case of Hildacrypt, they have moved from making their own version of Petya to aiming to create a strain that models the tactics of the crew that developed SamSam ransomware.

Faster Development

Other groups will join fellow attackers to create ransomware and other forms of malware with different modules (e.g. malicious bootloaders, runners, decrypters, etc.) and test it on real-world subjects. After a round of attacks, they will go to VirusTotal to see if anyone has identified their strain. After discovery, they will make changes to the code, ensuring any files used hash differently (a file’s hash is the fingerprint that signature-based defenses use to identify it, so a changed hash defeats an exact match). They’ll also improve a strain’s performance to make it more effective.

After this, the next attack launches, and the cycle repeats itself. For instance, WannaCry had numerous versions come out within the initial weeks of the first major attacks. VirusTotal isn’t the end-all for malware detection, but because it is the most notable service, attackers frequently check it to see when their strains are registered; that takes around two to three days, after which they must switch gears. With that information, they will build in new evasion tactics based on who found them first and work backwards as they build versions 2, 3, 4, etc.
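To make the re-hashing cycle above concrete from the defender’s side, here is an added Python example (not code from the original post or from any SonicWall product). It uses constructed byte strings as stand-ins for a strain, a lightly modified variant and an unrelated benign file, and shows that an exact SHA-256 blocklist misses the variant while a byte n-gram similarity check still flags it; the threshold and n-gram size are assumptions chosen for the demo.

```python
import hashlib

# Constructed stand-ins for binaries (not real malware): a strain, a
# variant with the same logic plus a few padding bytes, and a benign file.
_PAYLOAD = b"encrypt_files();drop_note();beacon(c2);" * 8
ORIGINAL = b"MZ\x90\x00" + _PAYLOAD
VARIANT = b"MZ\x90\x00" + b"\x00\x00\x90\x90" + _PAYLOAD + b"v2"
BENIGN = b"MZ\x90\x00" + b"print_report();open_dialog();save_pdf();" * 8


def sha256(data: bytes) -> str:
    """Exact fingerprint of a file, as used by static hash blocklists."""
    return hashlib.sha256(data).hexdigest()


def hash_blocklisted(data: bytes, blocklist: set) -> bool:
    """True only when the file's hash matches a known-bad hash exactly."""
    return sha256(data) in blocklist


def ngrams(data: bytes, n: int = 4) -> set:
    """All overlapping byte n-grams of the input."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams; 1.0 means identical content."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def similarity_flagged(data: bytes, known: list, threshold: float = 0.6) -> bool:
    """Flag a file that is close enough to any known-bad sample (threshold is assumed)."""
    return any(similarity(data, s) >= threshold for s in known)


if __name__ == "__main__":
    blocklist = {sha256(ORIGINAL)}
    for name, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8} hash-match={hash_blocklisted(sample, blocklist)!s:5} "
              f"similarity={similarity(ORIGINAL, sample):.2f} "
              f"flagged={similarity_flagged(sample, [ORIGINAL])}")
```

The variant’s hash changes completely while its content overlap with the original stays high, which is why detection that looks at structure or behaviour rather than a fixed fingerprint keeps working across the versions the text describes.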

Over time, these malware developers may transition from project to project, bringing their expertise and experience with them when developing a new strain of malware with a new team. When they struggle to build a module themselves or have issues troubleshooting a problem, there is an active and cheap marketplace with customer service available to help fill in the gaps. Today, it is easier to get paid through ransomware and then pay for help developing code thanks to cryptocurrencies. So, for the foreseeable future, you can expect to see more people getting into malware development, with many new variants on the horizon.

Stopping Malware of the Future

The storyline behind advanced persistent threats goes far beyond ransomware. The other hot ticket is, and always has been, the exfiltration of data from corporate sources. I have always said that the best way to set your IT security budget is to ask yourself, “What is the value of my data to an attacker?” A lot of us over-protect data that is of little use to an attacker yet leave some essential data less guarded because it means less to us. Our customers’ data and our intellectual property are two of the things we typically protect first.

When developing your philosophy on upgrading your network protection, we typically start at the network, then look at connections, then the endpoint itself, and then its path to the cloud.

Without giving away the whole story now, we typically start with the inspection of traffic coming into the network. With 70% of sessions today being encrypted, we also take a hard look at inspecting that traffic as well. Next, we will look to how we inspect for unknown malware that can’t be found by a traditional next-generation firewall. Sandboxing engines have been around since 2011, and they have evolved to look for malware across multiple engines — including within the memory of the system, since this is where a lot of attacks (such as fileless attacks) try to initiate to hide how they got into the network and remain undetected and undeterred by security software.

Would you believe that customers use Capture ATP with Real-Time Deep Memory Inspection (RTDMI) to find between 1,400 and 1,600 new forms of malware every business day, many of them using numerous evasion tactics?

SonicWall has been in IT security for 30 years now, and we have seen it all. We have morphed from a firewall company into a security platform company. We famously stopped WannaCry in its tracks on our customers’ networks three weeks before the first major attack was ever noted. We have found and named several new strains through our research and continue to develop new and better technologies to help you discover and stop unknown, zero-day and updated attacks on your own network.

SonicWall Staff