Lemonduck
LemonDuck has only been around for a couple of years as a well-known botnet and cryptomining payload. It is one of the most annoying payloads because it uses just about every infection vector in the book: COVID-themed emails, exploits, fileless PowerShell modules and brute force. In 2021 LemonDuck grew more popular and added new features such as stealing credentials, removing security protections and dropping additional tools for follow-up attacks. To make matters worse, LemonDuck attacks Linux systems as well as Windows, which is both handy for its operators and rare. It uses older vulnerabilities to compromise hosts, and those can stay unpatched when victims focus only on patching the recent, high-profile vulns.

An interesting quirk is that LemonDuck removes other hackers from victims' devices by eliminating competing malware infections. LemonDuck wants to be the biggest, nastiest malware, and it even prevents new infections by patching the very vulnerabilities it used to gain access. It mines Monero (XMR) because that coin's hashing algorithm is the friendliest for consumer-grade hardware and therefore secures the most profit for the criminals. Those profits are instant and are paid for by the victim's power bill over time. No ransom is demanded, so the attack requires neither the victim's consent nor the victim's knowledge that a breach has occurred, which is what makes it so nasty.
REvil
REvil of course makes our list. Everyone, even those who aren't into infosec, heard about the July Kaseya supply chain attack, which targeted mainly American companies right before the holiday. They also attacked countless other businesses, including global meat supplier JBS. It is no surprise that a group with a name like REvil would make our list year after year.

You may have heard of ransomware named GandCrab back in 2018, or Sodinokibi in 2019. It is all the same group, and this year they were (and are) REvil. They offer ransomware as a service (RaaS), which means they build the encrypting payload and run the extortion leak sites on the dark web.

Affiliates conduct the attack however they want, deploy the ransomware payload, and the profits are shared. Shortly after the Kaseya attack and the subsequent meetings between the White House and Vladimir Putin, REvil's payment and leak sites went down and the onion links stopped working.
"Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," - Advanced Intel's Vitali Kremez
As with many of the nasty malware families on this list, REvil is probably not dead (their leak site on the dark web came back online in early September). After what is presumed to be a nice holiday break, they are turning their infrastructure back on, so expect a sequel.
Trickbot
Trickbot has been around for a decade now, a popular banking trojan that has evolved into one of the most widely recognized botnets in existence. Used by a large chunk of the cyber-underworld, Trickbot is linked to many ransomware groups because of its versatility and resilience. Late last fall, the DoD, Microsoft and others carried out takedown operations against the group's botnet and almost destroyed it. But like any good zombie, it rose again to become the leading botnet after Emotet's shutdown.

Trickbot infections almost always lead to ransomware. Once on a machine, it moves laterally through the network, using exploits to propagate and gathering as many credentials as possible. Sometimes it takes weeks or months until all domain credentials are collected. Once the operators have full control of the environment, they make sure the ransomware does the most damage and that mitigations are likely to fail.
Dridex
Another very popular banking trojan and infostealer that has been around for years, Dridex is tightly linked to ransomware such as BitPaymer, DoppelPaymer and Grief. Dridex was dropped onto machines by Emotet until Emotet's shutdown, but it now runs its own malspam campaigns.

Once on one machine, it too moves laterally through the network, dropping Dridex loaders on every machine to establish persistence. And just like Trickbot, Dridex takes its time gathering credentials until it has full control. From there, the operators can do the most damage while preventing mitigation strategies from shutting them down.

The Dridex authors are known as the "Evil Corp" group, whose leader is wanted by the FBI with the maximum reward of $5M.
Conti
This ransomware group is no stranger to our Nastiest Malware list, where it has graced these pages before as the ransomware operators behind Ryuk (which uses Emotet and Trickbot). In fact, they were the FBI's most successful ransomware group of 2019. While Conti has been deployed via RDP, it is not usually brute-forced in through unsecured RDP. Most often the credentials are grabbed or phished elsewhere, by an info-stealing trojan such as Trickbot or Qakbot.

These ransomware authors also operate a breach/leak site to further intimidate victims into paying ransoms. Conti made plenty of headlines and breached many large organizations in 2021, and it hasn't gone dark yet. We have also noticed that LockFile ransomware lists a Conti gang email address as a contact for payment, linking the two groups.
Cobalt Strike
Cobalt Strike is a pen testing tool designed by white hats. Its purpose is to help red teams simulate attacks so that authorized testers can infiltrate an environment, determine its security gaps and make the appropriate changes. The tool has several very powerful and useful features, such as process injection, privilege escalation, credential and hash harvesting, network enumeration, lateral movement and more.

All of these are attractive to hackers, so it is not surprising that we have seen Cobalt Strike used by the bad guys OFTEN. It is unusual for us to list a white-hat tool among our Nastiest Malware, but this tool makes scalable, customized attacks easy. It is no wonder so many threat actors are adopting it as one of the tools in their arsenal.
Dishonorable mentions
Hello Kitty – This group gets a dishonorable mention for its unusual attacks on VMware ESXi using exploits. It was made famous by breaching CD Projekt RED and stealing their source code for games, most notably Cyberpunk 2077 and The Witcher 3.
DarkSide – The Colonial Pipeline attack was the most notable attack of 2021, causing a cascading gas shortage compounded by panic buying. It reminded us how disruptive ransomware attacks can be, and the surrounding hype was reminiscent of WannaCry. The RaaS group claimed it had no intention of attacking infrastructure and blamed an affiliate for the pipeline. But just a few weeks after the attack, a similar RaaS called BlackMatter emerged and claimed to attack all environments EXCEPT medical and state institutions. They also claimed that they were not the same people. But honestly, who believes that?
Nastiest Malware 2021

  • 1.
  • 8. Lemonduck LemonDuck has only been around for a couple years as a well-known botnet and cryptomining payload. It’s one of the most annoying payloads because it will use just about every infection vector in the book like COVID-themed emails, exploits, fileless powershell modules and brute force. But in 2021 LemonDuck grew more popular and even added some new features like stealing credentials, removing security protocols and even dropping more tools for follow up attacks. To make matters worse, LemonDuck will attack Linux systems as well as Windows, which is both handy and rare. It will use older vulnerabilities to compromise which can stay unpatched when victims only focus on patching the recent and popular vulns. An interesting quirk is that LemonDuck removes other hackers from victim’s devices by eliminating competing malware infections. LemonDuck wants to be the biggest, Nastiest Malware and they even prevent new infections by patching the very vulnerabilities it used to gain access. It mines XMR because that is the friendliest hashing algorithm for consumer-grade hardware and therefore secures the most profits for cybercriminals. These profits are instant and are generated by the power bill of the victim over time. There is no ransom demanded, and therefore no consent or knowledge of the attack/breach is needed by the victim – making this very nasty.
  • 9. REvil REvil of course makes our list. Everyone, even those who aren’t into infosec, heard about the July Kaseya supply chain attack targeting mainly American companies right before the holiday. They also attacked countless other businesses, including global meat supplier JBS. It’s no surprise that a group with a name like REvil would make our list year after year. You may have heard of ransomware named Gandcrab back in 2018, or Sodinokibi in 2019. Well, it’s all the same group and this year they were/are REvil. They offer ransomware as a service (Raas), which means they make the encrypting payload and facilitate the extortion leak sites on the dark web. Affiliates will conduct the attack (however they want), use the ransomware payload and all profits are shared. Shortly after the Kaseya attack and subsequent meetings between the White House and Vladimir Putin, REvil payments and leak sites went down and the onion links no longer worked. "Upon uncorroborated information, REvil server infrastructure received a government legal request forcing REvil to completely erase server infrastructure and disappear. However, it is not confirmed," - Advanced Intel's Vitali Kremez As with many nasty malwares on this list, REvil is probably not dead (their leak site on the dark web came back online in early September). After taking what is presumed to be a nice holiday break, they are turning their infrastructure back on – so expect a sequel…
  • 10. Trickbot Trickbot has been around since 2016 as a popular banking trojan and has evolved into one of the most widely recognized botnets in existence. Used by a large chunk of the cyber-underworld, Trickbot is linked to many ransomware groups because of its versatility and resilience. Late last fall, the DoD, Microsoft and others carried out takedown operations against the group’s botnet and nearly destroyed it. But like any good zombie, it rose again to become the leading botnet after Emotet’s shutdown. Trickbot infections almost always lead to ransomware. Once on a machine, it moves laterally through the network, using exploits to propagate and harvesting as many credentials as possible. Sometimes it takes weeks or months until all the domain credentials are collected. Once the operators have full control of the environment, they deploy the ransomware where it will do the most damage, after the defenses that might have stopped it have already been neutralized.
  • 11. Dridex Another very popular banking trojan and infostealer that has been around for years, Dridex is tightly linked to the BitPaymer/DoppelPaymer/Grief ransomware lineage. Dridex was dropped onto machines by Emotet until Emotet’s shutdown, but now runs its own malspam campaigns. Once on one machine, it moves laterally through the network to drop Dridex loaders on every host it can reach, establishing persistence. And just like Trickbot, Dridex takes its time gathering credentials until it has full control. From there, the operators can do the most damage while preventing mitigation efforts from shutting them down.
  • 12. The Dridex authors are known as the “Evil Corp” group, whose leader is wanted by the FBI with a $5M reward on offer.
  • 13. Conti This ransomware group is no stranger to our Nastiest Malware list, having graced these pages before as the ransomware operators behind Ryuk (which is delivered via Emotet and Trickbot). In fact, by the FBI’s accounting they were the most lucrative ransomware operation of 2019. While Conti has been deployed over RDP, the access is not usually brute-forced from an exposed RDP service. Most often the credentials are grabbed or phished elsewhere, typically by an info-stealing trojan like Trickbot or Qakbot. These ransomware authors also operate a breach/leak site to further pressure victims into paying. Conti made plenty of headlines and breached many large organizations in 2021, and it hasn’t gone dark yet. We’ve also noticed that LockFile ransomware lists a Conti gang email address as its payment contact, linking the two groups.
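The RDP point above has a detection consequence: a logon made with credentials stolen or phished elsewhere looks like a clean, first-try success from an unfamiliar source, whereas a brute-forced logon is preceded by a burst of failures from the same address. The following triage script is an added example, not part of the original deck or any vendor’s tooling. It assumes Windows Security events already parsed into dicts using the real schema field names (EventID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP); the sample events, the 30-minute window, the failure threshold of 10 and the jump-host allowlist are all constructed assumptions.

```python
"""Triage successful RDP logons: brute-forced vs. credentials obtained elsewhere.

Added example; not code from the original deck. Event field names follow the
Windows Security log schema, but the events themselves are constructed.
"""
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10                # failures from one source before a success (assumed)
WINDOW = timedelta(minutes=30)     # look-back window before the success (assumed)
RDP_LOGON_TYPE = 10                # RemoteInteractive (RDP) in the Windows LogonType field
KNOWN_RDP_SOURCES = {"10.0.0.20"}  # hypothetical allowlist of admin jump hosts


def _ev(ts, event_id, ip, user):
    """Build one constructed event dict in Windows Security log field names."""
    return {"ts": datetime.fromisoformat(ts), "EventID": event_id,
            "LogonType": RDP_LOGON_TYPE, "IpAddress": ip, "TargetUserName": user}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = (
    # 203.0.113.5: twelve failed RDP logons, then a success: brute force.
    [_ev(f"2021-09-01T01:{m:02d}:00", 4625, "203.0.113.5", "administrator")
     for m in range(12)]
    + [_ev("2021-09-01T01:12:00", 4624, "203.0.113.5", "administrator")]
    # 198.51.100.7: one clean success from an unknown address with no prior
    # failures: the shape of credentials phished or stolen elsewhere.
    + [_ev("2021-09-01T02:00:00", 4624, "198.51.100.7", "jsmith")]
    # 10.0.0.20: clean success from the allowlisted jump host.
    + [_ev("2021-09-01T03:00:00", 4624, "10.0.0.20", "jsmith")]
)


def classify_rdp_logons(events, known_sources=KNOWN_RDP_SOURCES,
                        fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (ip, user, verdict) for every successful RDP logon in `events`.

    verdict is one of:
      brute_force            - >= fail_threshold 4625s from the same IP within `window`
      valid_creds_new_source - no failure burst, but the source is not allowlisted
      expected               - clean success from an allowlisted source
    """
    events = sorted(events, key=lambda e: e["ts"])
    verdicts = []
    for i, e in enumerate(events):
        if e["EventID"] != 4624 or e["LogonType"] != RDP_LOGON_TYPE:
            continue
        # Count failed logons from the same source address inside the window
        # that ends at this success.
        failures = sum(
            1 for p in events[:i]
            if p["EventID"] == 4625
            and p["IpAddress"] == e["IpAddress"]
            and e["ts"] - p["ts"] <= window
        )
        if failures >= fail_threshold:
            verdict = "brute_force"
        elif e["IpAddress"] not in known_sources:
            verdict = "valid_creds_new_source"
        else:
            verdict = "expected"
        verdicts.append((e["IpAddress"], e["TargetUserName"], verdict))
    return verdicts


if __name__ == "__main__":
    for ip, user, verdict in classify_rdp_logons(SAMPLE_EVENTS):
        print(f"{ip:15} {user:15} {verdict}")
```

The useful alert here is the middle case: a first-try RDP success from a source you have never seen is exactly what an intrusion with phished or infostealer-harvested credentials looks like, and a failed-logon threshold alone will never fire on it. Tune the allowlist and window to your own environment rather than using the constructed values above.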
  • 14. Cobalt Strike Cobalt Strike is a penetration-testing tool built by white hats. Its purpose is to help red teams simulate attacks so they can infiltrate an environment, find its security gaps and drive the appropriate fixes. The tool has several very powerful and useful features: process injection, privilege escalation, credential and hash harvesting, network enumeration, lateral movement and more. All of these are just as attractive to criminals, so it’s not surprising that we see Cobalt Strike used by the bad guys very often. It’s unusual for us to list a white-hat tool among our Nastiest Malware, but this tool makes scalable, customized attacks easy. It’s no wonder so many threat actors have adopted it as part of their arsenal.
  • 15. Dis-Honorable mentions Hello Kitty – This group gets a dishonorable mention for its unusual attacks on VMware ESXi hosts using exploits. It became famous by breaching CD Projekt RED and stealing source code for its games, most notably Cyberpunk 2077 and The Witcher 3. DarkSide – The Colonial Pipeline attack was the most notable attack of 2021, causing a cascading gas shortage compounded by panic buying. It reminded us how disruptive ransomware attacks can be, and the surrounding hype was reminiscent of WannaCry. The RaaS group claimed it had no intention of attacking critical infrastructure and blamed an affiliate for the pipeline attack. But a couple of months after DarkSide went quiet, a similar RaaS emerged called BlackMatter, which claimed it would attack any environment except medical and state institutions. They also claimed they were not the same people. But honestly, who believes that?