David Morán Jan 20, 2021 9 min read

2021 Banking Malware Trends

2020 was a year full of high-profile attacks and notorious vulnerabilities, set against a pandemic climate that cybercriminals took advantage of.


Already at the beginning of 2021, we can see that malware creators and their clients will take good note of what they have learned to continue refining their routines and business model. This post summarizes some of the malware trends that different specialists in the sector agree on.


Evolution of Ransomware

Ransomware was one of the main players in 2020, taking advantage of other threats in the COVID-19 context while continuing to evolve. The SOPHOS report published in November echoed this development, which is not only technical (e.g. looking for ways to disable backups or minimizing the duration of the attack as far as possible) but also rests on organizational improvements and variations in the business model.

Especially significant is the fact that ransomware groups are beginning to organize themselves and even cooperate. It's common for malware authors to copy code that suits their purpose. Groups cooperating with each other is a different matter, especially among groups seeking to get rich.

To use the same simile as SOPHOS, ransomware groups that used to be more independent are starting to behave more like cybercrime cartels. The theft of data followed by extortion over its publication is already a common practice. The families that use it include Doppelpaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker, and Conti. Acronis defined 2021 in its blog as "the year of extortion", and this definition doesn't seem to be off the mark.


Another curious fact is that there have been several cases of ransomware attacks targeting the video game sector. Lockdown restrictions have allowed this market to increase its profits, and malware authors are seeing another avenue of attack on users of this market.


Beyond Windows

Kaspersky's predictions for 2021 mention the increase in attacks on infrastructures and other non-PC devices. Some examples are the extension of the MATA framework by Lazarus, the development of Turla's Penquin_x64 backdoor, or the attacks on European supercomputers.

We could also say that the natural tendency is to look for persistence mechanisms in firmware, as permitted by one of the TrickBot modules discovered at the end of the year (TrickBoot). These mechanisms, combined with the malware's own way of operating and its modularization, would allow the malware to be molded to the final platform and make it more resistant to detection.

Along these lines, what also stands out is the use of legitimate cloud services as part of the attacker's infrastructure, and the use of red team tools such as Cobalt Strike for communication with command and control servers.


Financial and Banking Sector

Financial institutions remain a designated target of organized crime groups and some sources such as the Financial Review predict that cyber attacks are set to trigger the next crisis for banks. One of the reasons mentioned is the sophistication of the attacks. Kaspersky also warned: there were no high-profile attacks against payment systems during 2020, but banks continue to be in the spotlight. They will have to deal with both targeted attacks and other attacks that affect them tangentially and inevitably affect the economy.


Vulnerabilities and Malware

As for vulnerabilities, the natural progression is for them to increase each year, and 2021 will be no different. 2020 came to an end with around 18,000 vulnerabilities collected by the National Vulnerability Database (NVD), and in January alone a group of critical vulnerabilities has already been registered. The problem is that these vulnerabilities help the malware to operate, and expose individuals and companies. In 2021 the trend will continue to rise, mainly due to the unstoppable development of new products and technologies. We don't know yet how 5G technology will affect this increase.


Source: NVD. https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time

Kaspersky's report also echoes the possible problem of vulnerabilities that will come with 5G, as well as the great (media) appeal that a successful attack on these networks or services may hold for attackers.



In 2021, nothing seems to indicate that the escalation of malware cases will change course; rather, it will increase. Ransomware will continue to evolve, refining its cross-platform side, and is likely to increasingly affect mobile devices.

Unfortunately, this isn't something isolated that affects only one type of malware or attack. APT groups in general will tend to exploit more and more platforms, and new environments such as 5G may be very tempting.

Vulnerability management will play a decisive role in preventing possible attacks, but only if it is accompanied by proper monitoring and the relevant defense mechanisms.

If you want further information about Malware and Online Fraud Trends in 2021, take a look at our webinar: Top three online fraud trends 2021.



SOPHOS 2021 Threat Report. Sophos. November 2020. https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-2021-threat-report.pdf

Advanced Threat Predictions for 2021. SecureList. Kaspersky. November 2020. https://securelist.com/apt-predictions-for-2021/99387/

Cyber Attacks May Trigger Next Crisis for Banks. James Eyers. Financial Review. January 2021. https://www.afr.com/companies/financial-services/cyber-attacks-may-trigger-next-crisis-for-banks-20201221-p56pbd


David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.