Meet the Top 10 Nastiest Malware of 2020: Webroot


Malware attacks have been a major annoyance for organizations, municipalities and users this year. Webroot’s annual list of Nastiest Malware shows hackers are reusing old tricks to secure financial gains. And grabbing the top spot this year is Emotet, the malicious spam botnet which is responsible for the most ransomware attacks in 2020.

This has inarguably been a good year for cybercriminals who took advantage of the global pandemic to secure financial treats. Even in these exceptional circumstances, hackers and bad actors never seemed to rest and relied on the same old tricks to compromise organizations’ defenses for their own ends.

Webroot’s newly released 2020’s Nastiest Malware report lists the nastiest malware on the loose and how it wreaked widespread damage on people, data and organizations of all sizes. The key culprit (you know it) is ransomware — and this year, a new trend emerged with ransomware gangs creating “leak sites” where they exposed or auctioned off a victim’s sensitive data if the victim refused to pay.

On the other hand, healthcare organizations struggling with constrained budgets and a zoo of different cybersecurity solutions found themselves in the crosshairs of cybercriminals. “Ransomware did everything but slow down in 2020, largely due to COVID-19 phishing lures, with several notable attacks from healthcare to municipalities to education,” the report said.

The report finds scammers and hackers are using old tricks and basic techniques to steal data.

Here’s a list of the nastiest malware of 2020:


  1. Emotet: Emotet made a flashy comeback in September and managed to retain its position as the top botnet threat for the third year in a row.
  2. TrickBot: TrickBot was originally a credential stealing remote access trojan (RAT), which later evolved into a ransomware payload delivery botnet. TrickBot’s lateral movement across an infected network results in exposure of credentials, which can eventually result in a ransomware attack. The botnet was recently subject to a massive operation by a coalition led by Microsoft ahead of the U.S. presidential election, which resulted in the elimination of 94% of its servers globally.
  3. Dridex: Dridex is a banking/financial info/credential stealing malware that spreads through macros in Microsoft Word documents. It moves laterally across a network, infecting every machine it comes across and can deploy ransomware and disable built-in system protections.


New Botnet Tactics Implemented in 2020

Standalone botnets pose a high security risk. These malicious programs are being used in combination with other malware to carry out attacks. For example, Emotet is often paired with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.



Ransomware operators have been on the prowl to target any weaknesses to make a quick buck. In fact, the average ransom is now $175,000 and will likely hit $200,000 by the end of the year. In a ransomware attack, the hacker deploys a payload that encrypts (and sometimes steals) a victim’s information, and follows it up with a ransom demand for restoration of access. The FBI firmly warns against paying ransom since it doesn’t guarantee getting the data back, or even if it does, it does not mean the attackers will hand over data without keeping a copy.

  4. Ryuk/Conti: Conti derives its code from the second version of Ryuk, and was created as a successor to Ryuk to avoid scrutiny. This ransomware was the most successful in 2019, according to cases reported to the FBI. Community and Advocacy manager at Webroot Drew Frey writes, “While Conti has been deployed from RDP, it’s not brute-forced from unsecured RDP, but instead the credentials are grabbed or phished elsewhere like from an info stealing trojan like trickbot or qakbot – likely deployed from the initial Emotet infection. These ransomware authors also operate a breach/leak site to further intimidate victims into paying the ransom.”

  5. Sodinokibi/REvil/Gandcrab: Different names, same intention: providing ransomware-as-a-service (RaaS). Sodinokibi or REvil RaaS made Webroot’s list in 2019 and reprises its role in 2020. According to threat analysts at IBM Security X-Force Incident Response, Sodinokibi was behind almost one in three (29%) ransomware attacks in 2020. Sodinokibi made its cyber debut in April 2019 and has so far targeted approximately 140 organizations. The IBM report stated, “Our conservative estimate for Sodinokibi ransomware profits in 2020 is at least $81 million.” Sodinokibi/REvil/Gandcrab can be hired for malicious activities so long as a cut of profits is paid to its authors.

  6. Crysis/Dharma/Phobos: Also a RaaS payload, Crysis/Dharma/Phobos has been around and evolving since 2016. Like Sodinokibi, Crysis/Dharma/Phobos is available for hire in exchange for a cut to the authors. The high-level threat from this RaaS lies in the fact that victims need not fall prey to a phishing attack to be infected by Crysis/Dharma/Phobos.

Frey explains, “These ransomware payloads are almost exclusively deployed using compromised RDP credentials that are typically brute forced or easily guessed after finding them using tools (like” This is concerning considering unsecured RDP rose 40% since COVID-19 began.

New Ransomware Tactics Implemented in 2020

This year, we saw a new trend emerging where failure to meet ransom demands is met by auctioning off the victims’ data on a leak site. This impacts organizations in three ways:

  • Organizational data is exposed
  • Organizational reputation is tarnished
  • Ransomware groups get paid either way


Phishing generally involves malspam campaigns. A great deal of social engineering also goes into devising a malspam campaign for phishing out credentials from unsuspecting users. Frey says that “almost all the malspam phishing lures used by malware are based on COVID-19.”

Some examples are listed below:

  • CDC/WHO/White House Guidelines for the COVID-19 Pandemic: A statement supposedly from government/health officials, luring targets with information on quarantine rules, health and safety. 
  • Updated list of new COVID-19 cases around your city: Webroot explains how this statement relies on the “heightened sense of fear and tension created by the pandemic to lower victims’ suspicion levels.” It also fails to take into account the privacy aspect of user data.
  • Fill out this form to receive your COVID-19 stimulus: The announcement of the $1200 stimulus threw a lot of people into confusion regarding its receipt. This phishing lure aimed to capitalize on this confusion.


Mobile Threats

Webroot’s annual list of nastiest malware doesn’t generally feature mobile-based threats. Due to an unexpected rise in mobile threats in 2020, the company has included four mobile threats as honourable mentions in this year’s list. Most threats exist as COVID-19 contact tracing apps while others exploit app accessibility features.

  1. Joker: Joker is notorious for slipping past Google Play Protect and keeps reappearing on the Google Play Store, most recently in July. It is spyware categorized as a Dropper and Premium Dialer that can snoop on SMS messages, contact lists, and other device information. Frey said, “Joker simulates other legitimate apps to try to steal credit card information and/or banking credentials.”
  2. CryCryptor: CryCryptor is mobile ransomware based on CryDroid. CryCryptor was discovered this year in COVID-19 tracing apps.
  3. EventBot: Discovered this year, this is a Banker variant, which can bypass 2-factor authentication by exploiting accessibility features like reading and stealing SMS messages and user data.
  4. Dingwe: Dingwe underwent modifications and reappeared on the scene in 2020 as COVID-19 tracing apps.

Tyler Moffitt, Security Analyst, Webroot told Toolbox, “Malware has never been more complex or wide-reaching than it is today. Cybercriminals have adopted a more modular methodology where they combine and mix-and-match attack methods to ensure maximum damage. Phishing, ransomware and RDP-related breaches remain top tactics because they continue to be successful, especially when used together. To mitigate risk, lock down RDP with data encryption and multi-factor authentication, educate employees on common threats using consistent security awareness training and phishing simulations and pair cybersecurity software with backup to strengthen cyber resilience at multiple layers of vulnerability.”
