Webroot's Listing of the 'Nastiest' Malware of 2019

eWEEK DATA POINTS RESOURCE PAGE: From zombie botnets to insidious email infiltrators, here are the top malware threats to hit us in 2019.


Each year at this time, Webroot Software compiles a list of what it considers the nastiest malware, worms and botnets of the year—the all-stars of cyber-malactivity.

The 22-year-old Broomfield, Colo.-based security provider, recently acquired by Carbonite, surveys its proprietary threat database and deploys a team of threat researchers to compile the list. Some of the year’s most insidious malware includes TrickBot, Crysis and the especially dreaded Man in the Mirror.

Go here to see a listing of eWEEK's Top SIEM Companies.

From zombie botnets to insidious email infiltrators, here are the top malware threats to hit us in 2019, according to Webroot.

Data Point No. 1: Botnets

Botnets have continued dominate the infection attack chain in 2019. No other type of malware was responsible for delivering more ransomware and cryptomining payloads. Here are the top offenders:

  • Emotet, the most prevalent malware of 2018, held onto that notorious distinction into 2019. While it was briefly shut down in June, Emotet returned from the dead in September of this year. It remains the largest botnet to date, delivering various malicious payloads.
  • Trickbot has been partnering with banking Trojan groups like IcedID and Ursif in 2019. Its modular infrastructure makes it a serious threat for any network it infects and, when combined with Ryuk ransomware, it's one of the more devasting targeted attacks of 2019.
  • Dridex was once one of the most prominent banking trojans. Now it acts as an implant in the infection chain with the Bitpaymer ransomware and is achieving alarming success.

Data Point No. 2: Ransomware

Ransomware remains a threat, adopting a more targeted model last year. Small and medium-sized businesses (SMBs) are easy prey and make up most of its victims. Whether gaining access through targeted phishing attacks or by brute forcing unsecured remote desk protocol (RDP), ransomware is as effective as ever and isn't going anywhere.

  • Emotet, Trickbot, and Ryuk, with one leading to the next, make up the most frightening ransomware triple threat. In terms of financial damage, this is probably the most successful chain of 2019. With more targeted, reconnaissance-based operations, they now assign a value to targeted networks post-infection will extort them accordingly after deploying ransomware.
    • Through the first half of 2019, Trickbot was often delivered as secondary payload after Emotet. Ryuk infections, typically delivered by Trickbot, then resulted in mass encryption of entire networks.
    • Dridex is now being used as an implant in the Bitpaymer ransomware infection chain. We have observed it also delivered as a second=stage payload following Emotet.
  • GandCrab is one of the most successful examples of ransomware-as-a-service (RaaS) to date, with profits in excess of $2 billion. We believe they are closely tied to the Sondinokibi/REvil ransomware variant.
  • Sodinokibi/REvil arose after the retirement of GandCrab. Many of their affiliates seem to be having decent success targeting MSPs.
  • Crysis (aka Dharma) makes its second consecutive appearance on our Nastiest Malware list. This ransomware was actively distributed in the first half of 2019, with almost all infections we observed distributed through RDP compromise.

Data Point No. 3: Cryptomining, Cryptojacking

The explosive growth cryptojacking sites experienced from 2017-2018 is gone. The campaigns running today are shells of their former selves. With around 5% month-over-month decline since Bitcoin peaked in early 2018, the threat has since atrophied. But Webroot doesn't anticipate cryptomining will die entirely. It's still low-risk, guaranteed money that’s less malicious than ransomware.

For example, though Coinhive shutdown in March, Cryptoloot and CoinImp still saw growth from April through June. Cryptomining payloads also declined this year, thought they fared better than cryptojacking campaigns. Almost all cryptomining campaigns use XMRrig, which is an opensource miner that mines Monero with great flexibility.

  • Hidden Bee is an interesting exploit delivering cryptomining payloads. First seen last year with Internet Explorer exploits, it has now evolved into payloads inside JPEG and PNG images through stenography and WAV media formats flash exploits.
  • Retadup was a cryptomining worm with over 850,000 infections. It was removed in August by Cybercrime Fighting Center (C3N) of the French National Gendarmerie when they took control over the malware’s command and control server.

Data Point No. 4: Your Inbox

We saw email-based malware campaigns grow in their complexity and believability dramatically this year. Phishing became increasingly more personalized and extortion emails have begun claiming to have captured lude behavior using compromised passwords.

  • The Man in the Mirror. It’s spooky knowing the biggest security concern at the office is probably one of the people at the office, not a hacker in some remote location. A lack of best practices like poor domain administration, being reactive not proactive, reuse and sharing of passwords, and lack of multi-factor authentication all mean the bad may already be in the house.
  • Business email compromise (BEC) is on the rise with email conversation hijacking and deep fakes, often targeting individuals for sending payments or purchasing gift cards and using spoof email accounts impersonating executives or other colleagues. They are designed to trick victim info giving up wire transfers, credentials, gift cards, and more. BEC is up 100% this year and has caused over $26 billion in losses over the past 3 years.

If you have a suggestion for an eWEEK Data Points article, email [email protected].

Editor's note: This article was first published on Oct. 29, 2019, but we decided it would be appropriate to re-run at the close of the year, in case you missed it the first time.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...