FakeUpdates continues to facilitate ransomware attacks while cybercriminals enhance their capabilities with AI-powered techniques
Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, has released its Global Threat Index for January 2025, which highlights the continued threat posed by FakeUpdates in the cyber landscape, where it plays a crucial role in facilitating ransomware attacks.
In the January Index, eight African countries are listed in the top 20 most attacked. Ethiopia is once more in the top spot as the most attacked country, with a 100% Normalised Risk Index out of the 109 countries featured in the Index.
A recent investigation by security researchers revealed that an affiliate of RansomHub used a Python-based backdoor to maintain persistent access and deploy ransomware across various networks. Installed shortly after FakeUpdates gained initial access, this backdoor demonstrated advanced obfuscation techniques along with AI-assisted coding patterns. The attack involved lateral movement through Remote Desktop Protocol (RDP) and established ongoing access by creating scheduled tasks.
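The chain described above (RDP for lateral movement, then a scheduled task for persistence running a Python payload) leaves a recognisable footprint in Windows Security logs: an Event ID 4624 logon with LogonType 10 (RemoteInteractive) followed shortly by an Event ID 4698 scheduled-task creation on the same host by the same account. The following is an added detection example, not code from Check Point or from the investigation cited; the event records, hostnames, users and paths are constructed for illustration, and the two-hour correlation window is an assumption that an analyst would tune.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Windows Security log event IDs used below (real IDs):
#   4624 = an account was successfully logged on; LogonType 10 = RemoteInteractive (RDP)
#   4698 = a scheduled task was created
EVENT_LOGON = 4624
EVENT_TASK_CREATED = 4698
LOGON_TYPE_RDP = 10


@dataclass
class SecurityEvent:
    """Minimal view of the fields a SIEM would extract from a Security event."""
    ts: datetime
    host: str
    event_id: int
    user: str
    logon_type: int = 0      # only meaningful for 4624
    task_name: str = ""      # only meaningful for 4698
    task_command: str = ""   # only meaningful for 4698


# Constructed sample log, not real telemetry. Hostnames, users and paths are invented.
SAMPLE_EVENTS: List[SecurityEvent] = [
    SecurityEvent(datetime(2025, 1, 14, 9, 0), "WS01", EVENT_LOGON, "alice", logon_type=LOGON_TYPE_RDP),
    SecurityEvent(datetime(2025, 1, 14, 9, 15), "WS01", EVENT_TASK_CREATED, "alice",
                  task_name="Updater",
                  task_command=r"C:\Users\alice\AppData\Local\Temp\pythonw.exe C:\ProgramData\svc.py"),
    # Console logon followed by a task: not an RDP-based chain, should not be flagged.
    SecurityEvent(datetime(2025, 1, 14, 10, 0), "WS02", EVENT_LOGON, "bob", logon_type=2),
    SecurityEvent(datetime(2025, 1, 14, 10, 5), "WS02", EVENT_TASK_CREATED, "bob",
                  task_name="NightlyBackup",
                  task_command=r"C:\Windows\System32\wscript.exe backup.vbs"),
    # RDP logon, but the task is created hours later: outside the default window.
    SecurityEvent(datetime(2025, 1, 14, 11, 0), "WS03", EVENT_LOGON, "carol", logon_type=LOGON_TYPE_RDP),
    SecurityEvent(datetime(2025, 1, 14, 15, 0), "WS03", EVENT_TASK_CREATED, "carol",
                  task_name="Cleanup",
                  task_command=r"C:\Windows\System32\cmd.exe /c del C:\tmp\*"),
]


def runs_python(command: str) -> bool:
    """True when the task's action appears to invoke a Python interpreter."""
    parts = command.strip().split()
    exe = parts[0].lower() if parts else ""
    return any(exe.endswith(name) for name in ("python.exe", "pythonw.exe", "python", "pythonw"))


def find_rdp_then_task(events: List[SecurityEvent],
                       window: timedelta = timedelta(hours=2)) -> List[Dict[str, object]]:
    """Flag scheduled-task creations that follow an RDP logon by the same user on the
    same host within `window`. Returns one finding per matching task."""
    ordered = sorted(events, key=lambda e: e.ts)
    last_rdp: Dict[tuple, datetime] = {}   # (host, user) -> most recent RDP logon time
    findings: List[Dict[str, object]] = []
    for ev in ordered:
        key = (ev.host, ev.user)
        if ev.event_id == EVENT_LOGON and ev.logon_type == LOGON_TYPE_RDP:
            last_rdp[key] = ev.ts
        elif ev.event_id == EVENT_TASK_CREATED and key in last_rdp:
            if ev.ts - last_rdp[key] <= window:
                findings.append({
                    "host": ev.host,
                    "user": ev.user,
                    "rdp_logon": last_rdp[key].isoformat(),
                    "task_name": ev.task_name,
                    "task_command": ev.task_command,
                    "python_interpreter": runs_python(ev.task_command),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_then_task(SAMPLE_EVENTS):
        print(finding)
```

Only the WS01 sequence is reported: WS02 shows a console logon rather than RDP, and WS03's task is created outside the window. The `python_interpreter` field lets an analyst prioritise hits whose task action launches an interpreter from a user-writable path, which is the kind of artefact the investigation above describes.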
Maya Horowitz, VP of Research at Check Point Software, commented "AI is transforming the cyber threat landscape, with cybercriminals rapidly evolving their methods, leveraging AI to automate and scale their tactics and enhance their capabilities. To effectively combat these threats, organizations must move beyond traditional defenses and adopt proactive, adaptive AI-powered security measures that anticipate emerging risks".
African countries featured in the top 20 are:
Threat Index Per African Country
Ethiopia at 1st place with a Normalised Risk Index of 100.
Zimbabwe at 5th place with a Normalised Risk Index of 77.7.
Angola at 9th position with a Normalised Risk Index of 66.1.
Uganda at 10th position with a Normalised Risk Index of 64.5.
Nigeria's Normalised Risk Index has increased since last month, moving from position 13 to 11 with a Normalised Risk Index of 62.7.
Kenya comes in at position 14 with a Normalised Risk Index of 59.4.
Ghana is at 16th position with a Normalised Risk Index of 58.9, lower than last month, when it was 11th.
Mozambique is at 17th position, just behind Ghana, with a Normalised Risk Index of 57.9.
South Africa is down three places at 66th position with a Normalised Risk Index of 38.1%. At position 97 is Egypt, the best-performing country in Africa, with a Normalised Risk Index of 31.1%, out of the 109 countries surveyed in the Index.
Top Malware Families
The arrows relate to the change in rank compared to the previous month.
↔ FakeUpdates – FakeUpdates (AKA SocGholish) is downloader malware initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. FakeUpdates malware is associated with a Russian hacking group, Evil Corp, and is used to deliver secondary payloads after the initial infection.
↑ Formbook – Formbook, first identified in 2016, is an infostealer malware that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. It spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
↑ Remcos – Remcos is a Remote Access Trojan (RAT) first observed in 2016. It is often distributed through malicious documents in phishing campaigns. It bypasses Windows security mechanisms, such as UAC, and executes malware with elevated privileges, making it a versatile tool for threat actors.
Top Mobile Malware
↔ Anubis – Anubis is a versatile banking trojan that originated on Android devices, with capabilities such as bypassing multi-factor authentication (MFA), keylogging, audio recording, and ransomware functions.
↑ AhMyth – AhMyth is a remote access trojan (RAT) targeting Android devices, disguised as legitimate apps. It gains extensive permissions to exfiltrate sensitive information like banking credentials and MFA codes.
↓ Necro – Necro is a malicious Android downloader that retrieves and executes harmful components based on commands from its creators.
Top-Attacked Industries Globally
Education
Government
Telecommunications
Top Ransomware Groups
Based on data from ransomware "shame sites," Clop is the most prevalent ransomware group, responsible for 10% of the published attacks, followed by FunkSec with 8% and RansomHub with 7%.
Clop – Clop is a ransomware strain, active since 2019, that targets industries worldwide. It employs "double extortion," threatening to leak stolen data unless a ransom is paid.
FunkSec – FunkSec is an emerging ransomware group that surfaced in December 2024, with a data leak site blending ransomware incidents with data breaches.
RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of Knight ransomware. It has gained notoriety for targeting Windows, macOS, Linux, and VMware ESXi environments.
Follow Check Point via:
LinkedIn: https://www.linkedin.com/company/check-point-software-technologies
X: https://www.twitter.com/checkpointsw
Facebook: https://www.facebook.com/checkpointsoftware
Blog: https://blog.checkpoint.com
YouTube: https://www.youtube.com/user/CPGlobal