As we turn the corner and begin 2021 (not a moment too soon), many people are breathing a sigh of relief, but security experts are still holding their breath. 2020 was a bumper year for ransomware and other malware attacks as the scope and severity of all types of attacks increased, and predictions are that the new year could be even worse for those who are not properly protected. As TechCrunch’s Security Editor, Zack Whittaker, put it, “With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year.”

2020 was quite the year

2020 was great…for hackers. Some of the biggest ransomware attacks in the first half of 2020 cost more than $144 million in payments and recovery costs.


Covid-19 made every access point more vulnerable. It gave threat actors the perfect excuse to launch attacks against hospitals, pharma companies, businesses, and individuals. Working from home forced companies to find immediate security solutions, which weren’t always great.
The year ended with SolarWinds suffering a major breach as malware made its way into a company product update. The malware gained access to around 18,000 customers, including key U.S. Government departments and tech giants.

Counting Down The Top Unfortunate Trends of 2020


5. Buer Loader attacks: Ready-made Malware for Sale

What we’re dealing with: Buer Loader malware is sold on cybercriminals’ underground network as a Ransomware As A Service (RaaS). It’s the latest of a class of malware known as downloaders, or just ‘loaders’. Loaders allow threat actors to deliver malware payloads using phishing emails and other delivery systems. Once inside, the malware allows attackers easy access. We discussed this type of malware in-depth earlier this year.

Why it’s dangerous: The ability to purchase Buer Loader malware makes life easier for attackers (and harder for everyone else) by removing some of the initial obstacles standing in the way of a malware attack.

Past victims: Since mid-2019, we’ve seen attackers run campaigns using Google Docs and Microsoft Word attachments containing the payloads.

4. Sekhmet and Egregor: Follow-Up to Maze Ransomware?

What we’re dealing with: By encrypting data, Sekhmet and Egregor ransomware render victims’ systems unusable unless the ransom is paid. Usually, the attack is accompanied by a threat letter that demands payment within three days.
As we first reported, in addition to gaining access via fake emails, attackers also use stolen admin credentials to access critical servers and manually execute the attack.

Why it’s dangerous: Sekhmet, and its spin-off, Egregor, recently made news as the possible successor to the Maze ransomware after Maze announced its ‘retirement.’ If this is true, we can expect to see many similar attacks in 2021.

Past victims: Californian gas company SilPac was hit twice by Sekhmet in 2020. To accomplish this, the threat actors needed to retain access to the system even after initial remediation, proving that once hit by this malware, the only real way to get rid of it completely is to rebuild the entire network from scratch.


3. Conti: The evolution of malware development  

What we’re dealing with: This is a new and advanced version of Conti ransomware, with the alarming new capability to bypass certain security products. The ransomware removes the hooks that are set to detect malicious activity. Even though it was first introduced in August, as of October, at least 120 networks had been hit with this type of attack.

Why it’s dangerous: More than anything, this new version teaches us about the evolution of malware developers who learn how to evade detection and study available security tools.

Past victims: In late November, IoT chipmaker Advantech was hit with a $14M ransom demand.

2. Fake Software Installers: Fake it ‘til you break it 

What we’re dealing with: Yet another method of launching a ransomware attack, fake installers masquerade as legitimate software and fool users into installing them. Once installed, the software exports users’ data back to the threat actors, who can also use their newly gained access to install additional malware.

Why it’s dangerous: This method gives attackers easy access to victims’ systems and is typically detected only hours or even days later. Many end-users are vulnerable because they lack the tools to differentiate between authentic and fake software, and they discover the malware only when it’s too late. As we explained on our blog earlier this year, this method of infection is continuing to claim more victims.

Past victims: A recent incident included fake advertisements that led unsuspecting users to fake software distributing malware.

1. Large-scale supply chain attacks: The malware ripple effect 

What we’re dealing with: The tech world’s deep interconnectivity means that most companies need to rely on external third-party software solutions. Therefore, even very sophisticated technology companies are using software that they don’t completely control and that may expose them to threats. These “supply chain” attacks occur when a threat actor uses weaknesses in third-party software to gain access to the host network.

Why it’s dangerous: By exploiting a weakness in the supply chain, threat actors can gain access to many additional companies, creating a ripple effect of damage.

Past victims: The recent FireEye and SolarWinds attacks targeted a company software update and managed to reach thousands of other companies, including the U.S. State, Treasury, Energy, and Homeland Security departments.
We broke down the attack and shared full details soon after it occurred.


What can be done

The above list is alarming, but available tools and technologies can protect companies from these and other emerging threats. We were able to prevent similar attacks using the following solutions:


  • Minerva Labs’ Hostile Environment Simulation module prevents Buer Loader attacks by using the malware’s own code against it.
  • Minerva Labs’ Memory Injection Prevention solution prevented an Egregor ransomware attack by blocking the in-memory code’s unpacking routine. It can also protect users from fake software by blocking the initial downloader using the company’s Vaccine module, which simulates the malware’s kill-switch mechanism.
  • Minerva Labs prevents Conti attacks by blocking the unhooking process the malware exploits, which allows this malware type to be detected and prevented.


As we saw in 2020, there’s never a break in the fight against malware. In 2021, threat actors will no doubt prepare a few surprises for those who remain unprotected. Make sure not to be among those who don’t take the threat seriously enough, or you might fall victim to malware attacks. To learn all about Minerva Labs’ latest features and capabilities, schedule your demo today. Here’s to a healthy and secure 2021.