Acronis blocks 16.6 million malicious URLs in July 2023
December 13, 2024


The Acronis Cyber Protection Operation Centers (CPOC) blocked 16,591,252 phishing and malicious URLs in July 2023, a decrease of 10% compared to June 2023.

Malicious URLs are a common tool for cybercriminals to deliver their payloads.

Many attackers first install a small backdoor application and have it connect to a command-and-control (C2) server to receive commands or download additional malware.

According to the newly published Acronis Cyberthreats Report (August 2023), the Switzerland-headquartered cybersecurity company also detected 36,000 malware attacks this July, an increase of 22% over June, while noting that ransomware detections at the endpoint decreased by 6% in July compared to June.

The Acronis Cyberthreats Report covers current cyberthreat activity – including malware, URL and ransomware statistics, and trends on a global scale – as tracked mostly by Acronis analysts and sensors in July 2023. The report is based on more than one million unique endpoints distributed globally, with a large focus on threats for Windows OS, followed by macOS and Linux.

While the cyber protection solutions provider recorded close to 420 data breaches that were reported globally in July, it also reports that the most active ransomware group in July was Cl0p, claiming 205 victims.

MOVEit impact

In July, ransomware attacks remained prominent, exemplified by the MOVEit campaign, which impacted more than 545 organisations and their customers and exposed the Personally Identifiable Information of more than 32.7 million individuals.

According to Acronis, MOVEit is the third significant case this year involving zero-day vulnerabilities exploited in file-transfer services, with Cl0p being responsible for similar attacks on Fortra’s GoAnywhere and IBM Aspera Faspex.

Acronis also observed an increase in the ongoing pattern of attacks targeting managed service providers (MSPs), where the MSPs’ software and services are used to compromise end-users in various verticals, including government, finance, and education.

The exploitation of MOVEit file-transfer vulnerabilities was far-reaching in July, with some organisations affected directly while others were exposed through third-party vendors, the Acronis Cyberthreats Report notes.

A MOVEit attack involves the exploitation of a zero-day vulnerability that gives cybercriminals access to data transferred by organisations through the managed file transfer solution.

Acronis stand at GITEX Global 2022 in Dubai. Image: Arnold Pinto

It is estimated that the Clop ransomware gang behind the MOVEit hacks will earn between $75–100 million by extorting victims through their extensive MOVEit data theft campaign.

Known victims of the MOVEit hack include Siemens Energy, the Munich-based energy technology company; Schneider Electric, the French multinational company; The New York City Department of Education; Radisson Hotels Americas; TomTom, the Dutch navigation group; and First Merchants Bank, an Indiana-based banking giant.

Profitable ransomware

As per the Acronis Cyberthreats Report, ransomware detections in July were 6% lower than in June, even as the most active ransomware gang in July was Cl0p.

However, as ransomware is still one of the most profitable types of malware, Acronis admits it regularly sees new variants appearing in the wild. For example, NoEscape ransomware entered the stage in July.

NoEscape ransomware is believed to be a rebrand of Avaddon, known for shutting down and releasing decryption keys in 2021. NoEscape now targets enterprises with double-extortion attacks, stealing data and encrypting files on Windows, Linux, and VMware ESXi servers.

In July, Acronis Cyber Protect blocked 36,000 malware threats on endpoints, an increase of 22% compared to June.

One of the most active threats in July was the RedLine infostealer, continuing a trend of info-stealing Trojans.

Even though it is crucial to prevent malware early in the attack chain, for example by blocking the malicious emails that deliver it, many threats still make it to the endpoint, according to Acronis.

MSPs under attack

Acronis has observed an increase in attacks on MSPs, pointing out that such attacks can create a chain of victims, perpetuating an ongoing cycle of subsequent threats.

Once an MSP is compromised, the attackers can either go directly after the end customer, abuse PSA/RMM tools to distribute their payloads, or try to compromise SaaS services, Acronis noted.

This could lead to service centres getting compromised, affecting end-customers in many different verticals. Stolen data, such as customer names, credentials, emails, and invoices, is subsequently used for further attacks.

Acronis is a global leader in cyber protection: Image: Acronis

To thwart malware/ransomware attacks, Acronis offers its proprietary Acronis Cyber Protect solution, which protects against both known and never-before-seen threats through a multi-layered protection approach.

This includes behaviour-based detection, AI/ML-trained detections, and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically, without any user interaction.

Separately, Acronis’ recently released Endpoint Detection and Response (EDR) pack for Acronis Cyber Protect Cloud delivers the visibility needed to understand attacks, while simplifying the context for administrators and enabling efficient remediation of any threats.

Arnold Pinto
