Press releases

Avast Q1/2022 Threat Report: Cyber Warfare in Ukraine and Russia Dominates the Threat Landscape

Cybercrime operations partially weakened due to war; researchers observe continued slight decrease in ransomware, growth in Emotet presence, and the discovery of one of the largest botnet-as-a-services

Cybercrime operations partially weakened due to war; researchers observe continued slight decrease in ransomware, growth in Emotet presence, and the discovery of one of the largest botnet-as-a-services


Prague, Czech Republic, May 5, 2022 — Avast (LSE:AVST), a global leader in digital security and privacy, today released its Q1/2022 Threat Report which reveals cyber threats revolving around the physical war between Russia and Ukraine. The latest report shines light on a Russia-attributed APT group attacking users in Ukraine, and DDoS tools being used against targeting Russian sites, and ransomware attacks targeting companies in Ukraine. Additionally, findings show that cybergangs have been affected by the physical war, causing a slight decline in ransomware, and the temporary discontinuation of the information stealer, Racoon Stealer.

Cyber warfare: Ukraine and Russia

“We often see parallels between what’s happening in the real world and the threat landscape when it comes to how threats are being spread and their targets. In Q1/2022 we saw a significant increase in attacks of particular malware types in countries involved in the war. Compared to Q4/2021, we saw a more than 50% increase in the amount of remote access trojan (RAT) attacks and more than 20% increase in information stealer malware attacks we blocked in Ukraine, Russia, and Belarus, which could be used for information gathering or espionage,” said Jakub Kroustek, Avast Malware Research Director. “We also blocked 30% more attempts to infect new devices to join botnets in Russia, and a 15% increase in Ukraine, with the goal to build armies of devices that can carry out DDoS attacks on media and other critical websites and infrastructures. On the other hand, we blocked 50% less adware attacks in Russia and Ukraine, which could be due to less people going online, especially in Ukraine.” 

Just before the war in Ukraine began, the Avast Threat Labs tracked several cyber attacks, believed to be carried out by Russian APT groups. Gamaredon, a known and active APT group, increased activity rapidly at the end of February, spreading their malware to a wide target pool, including consumers, searching for victims of interest in order to carry out espionage. Ransomware called HermeticRansom, for which Avast  released a decryptor tool for, was spread, presumably also by an APT group. 

Avast researchers tracked tools promoted by hacktivist communities to carry out DDoS attacks on Russian websites. The researchers spotted webpages, including a weather forecast site, incorporating the code used to carry out these attacks via the visitors’ browser without their consent. These types of attacks declined towards the end of the quarter. A botnet sold as a service was used for a DDoS campaign in March in connection with the Sodinokibi (REvil) ransomware group. Additionally, malware authors have used the war to spread malware, like remote access trojans (RATs) by spreading emails with malicious attachments claiming to contain important information about the war. 

Ukraine war impacting cybercrime operations

Malware authors and operators have been directly affected by the war, such as the alleged death of the Raccoon Stealer leading developer, which resulted in the temporary discontinuation of the information stealer malware. 

The Avast Threat Labs also continued to observe a slight decline of 7% in ransomware attacks worldwide in Q1/2022, compared to Q4/2021, which is believed to have been caused by the war in Ukraine, where many ransomware operators and affiliates operate from. With this, ransomware attacks have decreased for the second quarter in a row. In Q4/2021, the decline was caused by a cooperation of nations, government agencies, and security vendors hunting down ransomware authors and operators. Further causes for the decline could be  one of the most active and successful ransomware groups, Maze, shutting down their operations in February, and the continued trend of ransomware gangs focusing more on targeted attacks on large targets (big game hunting) rather than on regular users via spray and pray techniques.

The war caused a rift within the Conti ransomware gang, with a Ukrainian researcher leaking internal files from the gang’s business and source code to the Conti ransomware, after the group declared allegiance to Russia, promising ransomware retaliation for cyberattacks against Russia. The leaks temporarily resulted in a decline of Conti ransomware.

Mexico, Japan, and India, are exceptions, where the chance of a user encountering ransomware increased by 120%, 37% and 34% respectively in Q1/2022 compared to Q4/2021.

Emotet market share doubled, TDS spreading malicious campaigns

In addition, the report reveals Emotet doubled its market share since last quarter. In particular, Avast observed a significant increase in Emotet botnet infection attempts in March. Moreover, a traffic direction system (TDS), called Parrot TDS was found spreading malicious campaigns via 16.5K infected sites. The report also includes a summary of how Avast researchers pieced together clues to uncover how Meris, one of the largest botnet-as-a-service networks, mainly made up of more than 230K vulnerable MikroTik devices, facilitated multiple large scale attacks in the past years. 

On the mobile side, bad actors are changing tactics when it comes to spreading adware and premium SMS subscriptions, which continue to be prevalent. While the Google Play Store has previously been used to distribute these threats, bad actors are now using browser pop-up windows and notifications to spread malicious apps among consumers.

The full Avast Q1/2022 Threat Report can be found on the Avast Decoded blog: https://decoded.avast.io/threatresearch/avast-q1-2022-threat-report.