05.09.2022 | 3 Images

G DATA threat report: Significant increase in Linux ransomware

Number of averted cyber attacks increases by more than 27 percent following the start of the war in Ukraine
This press release has:
There was a significant increase in Linux ransomware in the first half of 2022 - this is reflected in the new threat report by G DATA CyberDefense. Companies and private users alike are being targeted by cyber criminals. The IT security experts also registered an increase in cyber attacks generally following the start of the war in Ukraine. The Malware Top 10 is headed by the remote access Trojan DC-RAT.

Press release Plain text

Currently, cyber criminals in Germany are making conspicuous use of Linux ransomware to attack network attached storage (NAS) devices. The threat report of January 2022 by the Bochum IT security experts shows that QNAPCrypt, QLocker and Deadbolt are particularly widespread. Companies and private users alike who use such devices for backups are affected. The ransomware not only encrypts the data, but also exfiltrates it. In this way, cyber criminals put their victims doubly under pressure. If they do not pay the required ransom, the attackers publish the data. Since a large part of the ransomware gets through security holes in the NAS devices’ software, users should immediately install updates and protect their devices.

The number of cyber attacks has only increased in the short term as a result of the war in Ukraine. For example, the G DATA threat report for February 2022 shows an increase of more than 27 percent in the number of averted attack attempts compared to January. In April, however, the number of averted attacks dropped significantly, by more than 18 percent compared to March. By the middle of the year, the number of averted attacks had returned to normal and was back at the level it was before the war in Ukraine began.

“The so-called cyber war is unusual”, says Tim Berghoff, Security Evangelist at G DATA CyberDefense. “Contrary to the fears of many security experts, there have hardly been any concentrated attack attempts against critical infrastructures in Germany. Just the number of normal malware attack attempts briefly increased. However, the warnings were a wake-up signal for many companies to check their IT security and improve protection.”

The current figures also prove that cyber criminals were increasingly targeting companies in the first quarter. Despite the sharp decline from April to June, the figures remain at a high level. The number of averted attack attempts on companies fell by more than 25 per cent within three months. The decline for private users was only 5.4 per cent.

Malware Top 10
The Malware Top 10 has changed significantly compared to the second half of 2021. Seven of the ten most common malware strains are new. As in previous years, the ranking is dominated by remote access Trojans. These enable remote control and administrative monitoring of a third-party computer without the user noticing. Among other things, attackers can view the victim's desktop, log keystrokes, access the camera, copy the login information stored in browsers or upload and download files. Regarding the first-placed malware, DC-RAT, there has been an upsurge in new samples because the malware generates samples independently and randomly. The danger from DC-RAT has therefore not increased at all; rather, sandbox systems that check suspicious software are actively generating new samples and are thus creating an artificial increase. It is noticeable that both Emotet and QBot are not currently at the top of the rankings.

The Malware Top 10 at a glance:
Position Name Proportion in percent  Type
 1 (-)  DC-RAT  16  Remote Access Trojan
 2 (-)  Prepscram  13  Software Bundler
 3 (3)  Tofsee  12  Remote Access Trojan
 4 (-)  Tinba  11  Banking Trojans
 5 (1)  Dridex  10  Information Stealer
 6 (-)  SakulaRAT  9  Remote Access Trojan
 7 (-)  Pistolar  9  Dropper
 8 (-)  Redline  7  Information Stealer
 9 (6)  Bladabindi/njRAT  6  Remote Access Trojan
 10 (-)  Farfli  6  Remote Access Trojan
Previous year’s position in brackets

New attack routes into networks
Another result of the current G DATA report is that attackers are constantly looking for and finding new ways to attack systems. They are increasingly using file formats such as RAR, ZIP and IMG files to send macro-enabled documents. Rather than Office documents, these contain ISO, Batch, Powershell or EXE files, which they use to bypass Microsoft's macro blocking protection system and spread malware.

Despite the reduced numbers, the risk to companies and users of falling victim to a cyber attack remains high. Current vulnerabilities in applications open the door to criminals just as much as inattentive employees who open attachments in phishing emails.

With holistic cyber defence services, G DATA CyberDefense makes you defensible against cybercrime. The renowned IT security company protects with AI technologies, endpoint protection, security monitoring and offers penetration tests, incident response and awareness training in order to secure companies in the best possible way.

G DATA CyberDefense AG supports its customers in every security situation. From the headquarters in Bochum, more than 550 employees ensure the digital security of companies, critical infrastructures such as hospitals or airports as well as millions of private users. With almost 40 years of expertise in malware analysis, G DATA has become a top player in the cybersecurity world and conducts research and software development exclusively in Germany. This also applies to service and support, which is available around the clock for customers all over the world. G DATA security solutions are available in more than 90 countries and have received numerous awards from independent test institutes.

All contents of this press release as .zip:

Direct download

Release text 4190 Characters

Plain text Copy release text

Images (3)

335 x 175
124 x 175
263 x 175


(3) Stefan Karpenstein
Stefan Karpenstein
Public Relations Manager

+49 234 9762 - 517