IT NEWS

Leaked Babuk ransomware builder code lives on as RA Group

The bones of the long-gone ransomware group Babuk continue to rattle in the breeze, in the form of reused code. Researchers from Cisco Talos have named this new team the “RA Group”, a ransomware collective which may have only been up and running since last month.

Babuk famously threatened to leak law enforcement data, relented, and then had its ransomware builder tool leaked during the weirdest retirement ever. While some of these antics may sound faintly comical, the ransomware was no joke. Babuk popped up in all sorts of attacks, like being deployed via Microsoft Exchange exploits. Babuk code has also been reused prior to this latest group, for example as the basis for Rook ransomware at the end of 2021.

The leaked builder has proven to be very useful for those in the ransomware realm, and people wanting to get in on the act. Its versatility and relative ease of use ensures that—sadly—we’ll likely be seeing Babuk lurking at the edges of ransomware development for a long time to come.

Our latest Babuk beneficiary, the RA Group, already has four known compromises in the US and South Korea. According to Talos, like many other forms of ransomware, the attacks are based around double extortion tactics: the target isn’t just stuck with encrypted, inaccessible files; they’re also threatened with the stolen data being leaked should the ransom not be paid.

In this case, RA Group is sticking with the tried and tested leak portal technique. Watching confidential information be spilled across the internet for download is certainly one way to encourage a business to pay up, and an effective tactic. Talos reports that the main leak site is undergoing various cosmetic tweaks and alterations, confirming the impression that this is all very new indeed.

If you’re unfortunate enough to end up on the leak portal, your details are organised like so:

  • Organisation name
  • A list of stolen data / file size
  • Organisation URL

Customised ransom notes are used for compromised entities, with three days given to pay up or risk the data being made public. When the three-day mark is reached, “sample files” are made public. After 7 days, everything goes public.

A list of the stolen data is also provided in the ransom note, which isn’t something you see all the time. There’s no better way to show you mean business than to explain exactly what you’ve done to supplier, tax, and financial information across every compromised desktop. Talos notes that the impacted organisation is also named inside the code of the executable.

Should your data eventually end up for sale, the message below may provide lots of sleepless nights:

If you want to buy this data, please contact us by qtox

qTox is an instant messaging tool billed as being secure and private, particularly with regard to stopping your government from listening in on what you might be saying. Ransomware groups using instant messaging to communicate with victims is fairly common, and they often make use of secure tools to do so.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

3 reasons to use a VPN

There are many good reasons to use a Virtual Private Network (VPN), even if you are just casually scrolling. Privacy is a right that is yours to value and defend, and if you want to increase your online privacy then a VPN is one of the possible solutions. 

A VPN works like this: When you’re connected to the internet, all of your activity is logged and associated with your Internet Protocol (IP) address. Using a VPN creates an encrypted tunnel from your device to the VPN server, which is like creating a digital middleman between your device and the internet that blocks others from seeing what you’re doing. When you connect to a VPN, instead of your activity being associated with your IP address, now it’s the VPN server’s IP address that is associated with your data. Yours remains private.

Here are three reasons why you might want to use a VPN.

1. To stay private, at all times

Someone who is worried about being spied on — perhaps by their Internet Service Provider (ISP) or by someone that is on the same network, such as an employer or spouse — may choose to use a VPN. All these snoops will see when you are using a VPN is the fact that you are communicating with the VPN server. They are unable to see the content of the communications or where the traffic goes from there. Even if hackers are on the same WiFi network, that encrypted tunnel means anything they capture is unreadable to them.

2. To change your location

There are some basic reasons why someone would like to change their location. Some services have location-based restrictions and these services usually rely on your IP address to figure out where you are. So, if you want to evade such a restriction, you can pretend to be in a location where these restrictions don’t apply. Or the other way round if you want to restrict content: For example, if you don’t want your children to visit Pornhub you can set your location to Utah, because visitors from this state are blocked over an age verification law.


Switching your location is easy in Malwarebytes Privacy VPN

3. To protect when you need it the most

Some users only use a VPN when they feel they need its protection the most. For example, they might turn on the VPN when they are connected to a public WiFi, accessing their bank accounts, sending work-related or other sensitive information, or because they plan on visiting high-risk websites.

Malwarebytes Privacy VPN

Malwarebytes Privacy VPN helps protect your online privacy, shield your location, keep your data private even on public WiFi, and delivers speeds way faster than traditional VPNs. And it’s important to know that Malwarebytes does not log anything the user does. What you do is your business, not ours.

Windows 11 is showing its first signs of Rust

Some important changes are heading to Windows which should make the operating system quite a bit more secure than it is now. At the end of April, Microsoft’s VP of OS Security and Enterprise referenced upcoming changes to Windows involving the programming language Rust.

Rust matches the performance of languages like C and C++ while being easier to debug and maintain, and—most importantly—memory safe. It is highly desired by some programmers—you can see the VP’s excitement in the below talk from Blue Hat IL 2023:

At the time, he cautioned that “rewriting Windows in Rust isn’t going to happen anytime soon”. However, he also mentioned that Rust would be making an appearance in the operating system’s kernel “in the next several weeks or months”.

That moment has now arrived for folks on the Windows 11 Insider program.

Why is this such good news? Well, the kernel is the core component of a computer operating system and is crucial to how it functions. It’s one of the first things to fire up when a computer is switched on, and then it sits in memory permanently, mediating between the computer’s applications and hardware.

If an attacker successfully compromises a kernel, they can expect to have full control over the device it’s running on, which is of course very bad indeed. These issues aren’t just Windows specific—you can end up with a kernel disaster on a Mac, or over in Linux land, too.

A big part of kernel exploitation is focused on memory management. Traditionally, the most popular coding languages for kernels have been C and C++, which provide excellent performance and lots of flexibility, and a lot of rope to hang yourself with when it comes to security. When people with bad intentions stroll into town, one of the key places they prod around is in the realm of memory. Bugs in how memory is allocated, accessed and freed can lead to exploitation: corrupting memory can crash the system or allow an attacker to run malicious code.

A huge part of this is the dreaded buffer overflow attack, which has been around since the 1970s. This is when data written to a buffer spills out and overwrites nearby memory. When the system’s memory is tampered with in this way it can lead to all manner of exploitation.

Despite endless attempts to get programmers to write more secure code, improvements to the underlying languages, and mitigations like Windows Address Space Layout Randomization (ASLR), buffer overflows continue to be a huge problem. The only way to root them out completely is to switch away from C and C++ to a memory safe language like Rust, which enforces memory safety in the language itself rather than leaving it to the programmer.
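To make the difference concrete, here is an added example (not code from the article, from Microsoft, or from any Windows component) showing the C-style bug the paragraphs above describe and what becomes of it in Rust. The `Record` type and `NAME_LEN` are constructed for the illustration: a fixed-size name buffer sits directly in front of a privilege flag, the classic layout in which an overflowed copy in C silently overwrites the flag. In Rust the explicitly checked copy reports the oversize input, and even the version that forgets the length check cannot spill into `is_admin`: the slice index is bounds-checked at runtime and the program panics instead of corrupting memory.

```rust
use std::panic;

const NAME_LEN: usize = 16;

/// Laid out the way a C struct would be: a fixed-size name buffer followed
/// by a privilege flag. In C, writing past `name` lands on `is_admin`.
/// (Constructed for this example; not a Windows or Microsoft type.)
#[derive(Debug)]
pub struct Record {
    pub name: [u8; NAME_LEN],
    pub is_admin: bool,
}

impl Record {
    pub fn new() -> Self {
        Record { name: [0; NAME_LEN], is_admin: false }
    }
}

/// Explicitly bounds-checked copy: refuses input that does not fit and
/// reports the offending length instead of touching memory it does not own.
/// The buffer is left untouched on rejection and NUL-padded on success.
pub fn set_name_checked(rec: &mut Record, src: &[u8]) -> Result<(), usize> {
    if src.len() > NAME_LEN {
        return Err(src.len());
    }
    rec.name[..src.len()].copy_from_slice(src);
    rec.name[src.len()..].fill(0);
    Ok(())
}

/// The "forgot the length check" version. In C this is the strcpy-style
/// bug the article describes; in safe Rust the slice range is checked at
/// runtime, so an oversize copy panics rather than overwriting `is_admin`.
pub fn set_name_unchecked(rec: &mut Record, src: &[u8]) {
    rec.name[..src.len()].copy_from_slice(src);
}

/// Runs the unchecked copy under catch_unwind and reports whether the
/// language contained the overflow: true when the copy panicked and the
/// adjacent flag is still false, false when the input simply fit.
pub fn overflow_was_contained(src: &[u8]) -> bool {
    let mut rec = Record::new();
    let outcome = panic::catch_unwind(panic::AssertUnwindSafe(|| {
        set_name_unchecked(&mut rec, src)
    }));
    outcome.is_err() && !rec.is_admin
}

fn main() {
    let fits = b"alice";
    let too_long = [b'a'; 25]; // 25 bytes into a 16-byte buffer
    let mut rec = Record::new();
    println!("checked copy of {:?}: {:?}", fits, set_name_checked(&mut rec, fits));
    println!("checked copy of 25 bytes: {:?}", set_name_checked(&mut rec, &too_long));
    println!(
        "unchecked copy of 25 bytes contained by the runtime: {}",
        overflow_was_contained(&too_long)
    );
}
```

The panic in the unchecked path is still a bug (a denial of service in a kernel), which is why the checked variant returning `Result` is the form you want in real code; the point is that Rust turns a silent memory corruption into a loud, non-exploitable failure, and the compiler will not let you write past the array at all without `unsafe`.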

This approach has already proven to be more reliable than hoping programmers will do the right thing: the adoption of memory safe languages in Android, which predates Windows by several years, has led to a significant decline in memory safety vulnerabilities on that platform.

According to Google, in situations where Rust has been used on low-level Android components instead of C++, there have been “zero memory safety vulnerabilities discovered.”

The work of switching out C++ for Rust in Windows 11 has already begun. As per The Register, the Windows graphics device interface is currently being ported to Rust to the tune of 36,000 lines of Rust code, and there’s a system call in the Windows kernel right now which is implemented in Rust.

While the “wouldn’t it be nice” dream of replacing all pieces of C and C++ in Windows with safer, better alternatives is likely impossible, big and important strides in memory safety are finally being made. What we have here is yet another good reason to finally make the leap from Windows 10 to 11.



Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs

Along with six older vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in multiple Ruckus wireless products to the Known Exploited Vulnerabilities Catalog. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by June 2, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Ruckus vulnerability is listed under CVE-2023-25717, which describes a vulnerability in the web services component of Ruckus Wireless Access Point software. If the component is enabled on the access point, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability reportedly impacts Ruckus ZoneDirector, SmartZone, and Solo APs with Ruckus Wireless Admin panels version 10.4 and older.

The Ruckus security bulletin about the vulnerability, issued on February 8, 2023 and edited on May 11, 2023, displays a long list of affected devices. Several of these devices have reached end-of-life (EoL) which means they may not get patched against this vulnerability. Users of supported devices can find download links and install instructions by following the links behind their specific product.

One malware operator that has been found to exploit vulnerable Ruckus devices is the relatively new botnet AndoryuBot. Infected devices are used to propagate the botnet malware to other devices and are used in DDoS attacks. To avoid detection and to bypass firewalls, the botnet uses the SOCKS proxying protocol. SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. It is often used legitimately to get around Internet filtering and reach content that would otherwise be blocked, and for the same reason it can be abused to circumvent blocklists and firewall rules.

Protection

To protect your devices against the AndoryuBot botnet which seems to thrive on this vulnerability, you should install the available patches and replace the legacy devices that have reached EoL.

Other measures to protect your devices from falling prey to botnets are:

  • Use strong passwords and multi-factor authentication where possible.
  • Do not make your admin panels accessible from the internet if you can avoid it. If you can’t completely disable remote access, use very strict access policies.
  • Segregate your network so critical components are separated from vulnerable assets.
  • Apply active protection software and monitor network traffic.

The Malwarebytes web protection module blocks the download of the botnet malware:

Malwarebytes blocks 163.123.142.146



We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

A week in security (May 8-14)

Last week on Malwarebytes Labs:

Stay safe!



Why we should be more open about ransomware attacks

The UK’s National Cyber Security Centre (NCSC) has published an article that reflects on why it’s so concerning when cyberattacks go unreported, saying:

…we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones.

One of the main reasons is that with visibility, it is easier to get a good picture of what is going on, what methods the criminals are using, and maybe even who they are. Another argument is that paying the ransom and keeping quiet about the fact that you have been attacked has a few negative consequences:

  • Paying the ransom funds the criminal ecosystem.
  • Not doing a thorough, third-party investigation could leave the access method used by the criminals wide open for the next attack.
  • If the news of the cyberattack gets into the public domain later it can be much more damaging than communicating about it straight away.
  • Good backups often restore encrypted systems faster and more effectively than paying a ransom for a decryptor provided by the criminals. Decryptors can be slow, and they have been known to fail (even though the criminals will tell you they work seamlessly).

Depending on the country an organization is based in, whether it handles data under GDPR regulations, whether it is a government contractor, what sector it is active in, or other factors, some organizations have a legal obligation to notify one or more authorities about a cyberattack.

This has led to some misconceptions in the past. For example, for some time researchers were under the impression that SamSam ransomware, one of the earliest “big game” ransomware gangs, specifically targeted healthcare providers. Later it turned out that most of its victims were in the private sector, but because a lot of the healthcare victims were obliged by law to report the attacks and none of the private sector victims were, the reported incidents painted a skewed picture of what was actually happening.

There are some obvious reasons why organizations would want to keep attacks under wraps. One of them is the fear of the fines involved in a data breach. Some ransomware gangs actually use these fines as an argument to persuade victims to pay a ransom. The NCSC provided an example of a ransomware message that stated:

The ransom demand is £50 million. If you pay, you’ll avoid a regulator fine of £600 million which is 0.5% of your annual profit.

The NCSC goes on to say that a data leak isn’t the only reason for a fine, and you won’t always be fined if data is leaked. From what we have seen, trying to cover up a data leak and then getting exposed later on will drive the penalty to the max.

The stats in our monthly ransomware reports are based on known ransomware attacks, published by ransomware gangs on their Dark Web sites and Telegram channels. This means we only have visibility on successful attacks where the victim refused to pay. Estimates by experts like Allan Liska are that this is just the tip of the iceberg. We might be seeing only 10% of what is really going on. While there is no strong reason to believe that this skews the proportions, in some cases it might:

  • If there are still ransomware gangs without a leak site, we would lack visibility. (At the moment we do not believe any of the major players operate without a leak site or a Telegram channel to leak stolen data.)
  • Ransomware gangs may not publicise attacks that fail to steal valuable data—news of failures would likely put off affiliates and have a negative impact on their income.

Basically, the NCSC is asking victims to do the right thing and allow us to learn from successful attacks, which can help others to avoid falling victim to the same methods. We do understand that some organizations feel they have no other choice but to pay. But even then, investigate the incident and share your findings so others may learn.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Sponsored Twitter post uses fake BBC News site to boost slippery oil trading app

A sponsored post on Twitter promises to offer the benefits of obtaining citizenship, but really just wants to lure you into some form of Forex trading AI scheme. This tangled web also includes faked BBC web pages and suspicious-looking website reviews to round the whole thing off. Shall we take a look?

Sponsored posts are adverts in the form of a Tweet. They’re paid for by the advertiser, and can end up in a variety of locations on your Twitter timeline. As the sponsored post FAQ mentions, you won’t necessarily find them on the profile page of the advertiser. This is something scammers may take advantage of, as rogue ads become a bit of a needle in a haystack to find.

This particular sponsored Tweet has been impacted by Twitter’s community notes feature, where users can add collaborative corrections to mis- and disinformation and scams. The tweet is also from a Twitter Blue subscriber, which can grant additional visibility as a subscriber perk.

A sponsored tweet claiming to illustrate the benefits of being British.

The Tweet reads as follows:

“Check out what benefits you can get if you are British”

The Community Notes added to this tweet state:

The link, via many redirects, goes to a fake BBC news page promoting an ‘automated trading platform’ scam.

Clicking the link while using a VPN or the Tor Browser, which places you outside the UK, results in an “advertorial” for an article promoting a UK-based immigration advice firm. It is listed on the UK’s Law Society website as a recognised legal practice, so that, at least, is on the level.

Clicking the link while appearing to be located in the UK gives an entirely different result, in the form of the previously mentioned fake BBC news article. This kind of scam page has been popular with fraudsters for years. Nothing beats the appearance of credibility like aping a major news organisation!

The focus of the fake site is a get rich quick scheme, via the medium of big oil profits and a supposedly withheld TV show. From the article:

“Dragons’ Den” makes Brits rich with oil! The episode may not be broadcast – the broadcaster is furious!

The popular program Dragons’ Den—the UK equivalent of the US show “Shark Tank”, a talent show-style competition for inventors and business people in the UK—is the initial hook.

A fake BBC website using the show Dragon's Den to promote an oil AI app

From the site text:

(BBC) – The Dragons Den Series 17 is over and viewers can once again look forward to very interesting products and ideas. However, one episode of the show may not be broadcast. This episode is about a system with which Brits people can easily earn £7393.39 from home – and that PER DAY. Yes, you read that right – per day.

BBC has the video footage of this programme and we will explain exactly what this is about and why the station was banned from broadcasting this episode.

BBC met Steven Bartlett, one of the investors on “Dragons’ Den”, and he was quite enthusiastic about this system. “It’s an absolute disgrace that politics is intervening again and wants to keep the system secret. Nevertheless, I hope it goes viral on the internet and as many Brits as possible will use it for financial prosperity,” Steven Bartlett said in an interview with our editorial team.

How are you supposed to make this kind of money? Via something called “Oil Trader AI”, which allows you to generate vast wealth from “coronavirus induced” oil price fluctuations. The site then walks you through the steps of how it all works, and the supposed answer is “You have to deposit $314 into another website and the AI takes care of the rest”.

At the bottom of the page is a form to fill in and secure one of the “few” places available to make use of the AI tool.

A sign up form asking for name, email, and phone number

Once you’ve entered your email and phone number, you’re redirected to a second website. The site shows you as being logged in, and whatever email address you used is now displayed as a username.

Below your own details is a screen purporting to show your balance.

A page claiming to show your trading balance from a trading website, which includes a deposit button.

On the right is the “Deposit Funds” button referenced on the fake BBC page. If you click it, the site displays the following message:

Dear client,

In order to deposit funds to your trading account, your account manager will contact you via the phone in the following minutes, please be available to take the call. If you encounter any issues feel free to contact our support department.

A page on the trading site walking through the steps of making a deposit.

We never received a call, so we don’t know if it involves taking someone through the steps of making a deposit on site or something else.

Reviews for the site are peculiar, however. On the Trustpilot review site, there are 69 reviews and 40 are positive with reviews beginning to appear from April 7 onward. This is unusual for a trading site which was only created in February of this year, and with little visibility in search engine results. This can often be one sign that something may be amiss with a site’s reviews.

Here’s a particularly odd review, considering the site is just a few months old:

A review which claims to have been using the service in question for "several years now".

“I have been with them for several years now and have never experienced any issues. They are a reliable and trustworthy broker”.

This person claims to have used them for years. It’s possible this individual followed them to a new site. However, it seems unlikely that the trading portal wouldn’t mention their last site and Internet presence generally. Plus, we also have the below almost identical review from another user:

A review similar to the first which says "I have been using (the site) for several years now".

I have been using [the site] for several years now, and I have never had any issues with withdrawals or deposits. They are highly reliable and trustworthy, which is critical when it comes to choosing a forex broker.

One other user who gave a five star rating claims “I have been trading with them for a year”.

In fact, there isn’t a single positive rating from anyone with more than one review. Each account has made one review of this one specific site, and then never returned. Meanwhile, there are several one star reviews from people with a varied posting history. As you might expect, they advise you to avoid the site completely.

Seeing all of this, the fake BBC page, and the bogus sponsored Twitter post which started the whole thing does not make me confident about wanting to invest. Maybe I could leave a review?

How to avoid dubious trading offers

Sponsored ads may not be what they seem. Twitter is experiencing several issues currently, due to the new checkmark system and bogus ads running wild. Fake death claims leading to scam sites are a particular problem at the moment. Always read the replies, and the Community Notes if present.

Avoid fake BBC sites. A tried and tested tool of scammers everywhere, this is especially the case where offers and get rich quick schemes are being served up. The real BBC news site can be located here.

Be careful with your data. A get rich quick page asking for personal details should be treated with caution. If you must sign up for something, use a tool to mask your email address or phone number.

Review those reviews. Check the age of the site using a Whois tool, look for links in search engines, and count the reviews. Too many over a short period of time may be suspicious, especially if all of the reviewing accounts are new or have only one review each.



YouTube is testing ad blocker detection

YouTube is dipping a toe into the muddy waters of ad-blocker blocking, with ad-blocker-using Redditors complaining about a popup that warns “Ad blockers are not allowed on YouTube” when they visit the site.

An adblock warning popup on YouTube
(Image source: Reddit user Sazk100)

The popup message explains that “Ads allow YouTube to stay free for billions of users worldwide,” and invites users who want to be ad-free to take out a YouTube Premium subscription.

Despite the “Ad blockers are not allowed on YouTube” claim, only a select group of individuals currently see this messaging. A YouTube spokesperson confirmed this is currently just a test, though there’s no information with regard to how many people are seeing it or which regions it’s being seen in:

“We’re running a small experiment globally that urges viewers with ad blockers enabled to allow ads on YouTube or try YouTube premium”.

They also note that ad detection isn’t a new thing, and publishers often ask site visitors to disable ad-blocking tools. Everyone reading this very blog has almost certainly experienced a “Please turn off your ad blocker to view this site” notification on a website at some time.

The big problem is that these messages tend to be unpopular, and can turn visitors away from a site. If the content you want to see or read is available elsewhere, why go to the hassle of altering your settings?

In recent years, many sites have adopted a more cautious popup method in an effort to not aggravate visitors. A typical example might say “Support our content, funded by adverts which are used to pay the writers”. Underneath you’ll be given the option to turn off the blocker, or visit the site without doing so this time around. Whether repeat visitors actually do turn off the blocker on the next visit is something only the site owners could know.

In terms of how this is going down with YouTube users, it’s not great. Here’s a typical reaction from the Reddit post where this test was first revealed:

Seriously, watching a recorded stream as we speak and I’ve been timing it. I got an ad, then four minutes later, another pair of ads, six minutes after that, another pair of unskippable ads. Ridiculous.

Ouch. 

A big issue for YouTube users is frequency of adverts, but also length. Users are tired of rapid fire short ads which require a constant supply of clicking to skip. They’re also not fans of the long format adverts, which can hit 30 minutes, an hour, or in one extreme case 4 whole hours!

If you stray into the wacky world of content for children, other types of ad are a problem too. The 20 minute+ adverts which are essentially glorified toy adverts dressed up as cartoons can be a pain to have to keep skipping on a television.

As you’d expect, people have already figured out how to bypass or skip the YouTube ad-block testing with tools such as uBlock Origin.

While “These videos can only exist with the support of ads” may be a good point, there are very good reasons why so many people now block ads by default in the first place. Those reasons would include scam ads, and malvertising—the delivery of malware via ad content.

Ad networks have been given chances time and time again to clean up the rogues, fix the malware drive-by antics, and shut down the malvertisers. Despite this, the problem refuses to go away and so some of us would like to stay protected until it is.

The sites using those ad networks are ultimately collateral damage. If YouTube takes a hard line on this, it runs the risk of the biggest YouTubers moving elsewhere. Direct funding, Patreons and other methods of revenue generation are out there and they don’t run the risk of alienating fans with advert-related demands.

Blocking ads is a personal choice, and it’s hard to argue in favour of trusting ad networks when bad ads land in front of millions of people on a regular basis. As I said earlier: this isn’t an “us” problem, it’s a “them” problem. People don’t block ads for the sake of it; they do it because they find them to be annoying, intrusive, or potentially dangerous. This is the consequence of years of bad ad practices, and it’s up to the networks behind them to put in some heavy lifting.



Malwarebytes achieves perfect score in latest AVLab assessment

Malwarebytes has once again earned a perfect score in AVLab’s March 2023 real-world malware detection tests, marking the sixth consecutive quarter in which it has done so.

Let’s delve into the details of the test and how both consumer and business products outperformed competitors in exhaustive testing.

The AVLab Assessment

AVLab’s evaluation process is extensive and comprehensive, putting cybersecurity products through a rigorous series of real-world scenarios. The tests involve:

  1. Malware Collection: AVLab amasses a broad spectrum of malware samples from various sources, such as public feeds and custom honeypots. This ensures the test includes the most current and diverse set of threats.
  2. System Log Analysis: The collected malware samples undergo thorough scrutiny to confirm their malicious characteristics and their ability to successfully infect a Windows 10 system.
  3. Real-life Cyber Attack Simulations: All products are tested under the same conditions. AVLab recreates cyber attack scenarios akin to what’s seen in the real world, using techniques that actual attackers employ.

Products that block all malware samples and achieve a maximum score of 100% protection are awarded an “Excellent” award badge.


The Results

Malwarebytes consistently excels in the tests, and March 2023 was no different. Both the consumer solution, Malwarebytes Premium and the business solution, Malwarebytes Endpoint Protection, earned “Excellent” badges for detecting and blocking 100% of malware.


The standout performance is largely due to our Multi-Vector Protection (MVP) technology, a unique approach that combines rules-based techniques with behavioral and AI-based methods to stop threats at every stage of an attack. MVP’s proactive approach, which involves identifying threats even before they execute, played a crucial role in obtaining a perfect AVLab score. 

In addition, our web protection technologies, MWAC and BrowserGuard, blocked 89% of all threats, surpassing the average web protection blocking rate of 72% across all tested products.

For receiving the “Excellent” award logo in every test during 2022 (testing is done six times a year), Malwarebytes Premium also received the following logo:


The Competition

Other vendors struggled to match Malwarebytes’ results. BitDefender, for instance, missed five samples, while F-Secure and Microsoft Defender each missed four. BitDefender and Microsoft also missed samples in the January 2023 test, meaning both products failed to get 100% in back-to-back tests.

The foundation for superior Endpoint Detection and Response (EDR)

Malwarebytes Endpoint Protection (EP) is not merely a standalone product; it’s the bedrock of our advanced Malwarebytes Endpoint Detection and Response (EDR) solution.

Leveraging the robust detection and prevention capabilities validated by AVLab’s tests, Malwarebytes EDR delivers comprehensive visibility and granular control over network endpoints. Learn more about our endpoint security solutions.

For a deeper dive into our performance, view the full AVLab report here.


Google Passkeys: How to create one and when you shouldn’t

Google has just brought users closer to a passwordless future.

In a recent blog post, the tech giant introduced the option to create and use a safer, more convenient alternative to passwords: Passkeys, a form of digital credential. So, how do they work?

Passkeys are generated using public-key cryptography, or asymmetric encryption, which involves using a pair of public and private keys. The public key is stored on the side of the app or website, while the private key, a main component of the passkey, is stored on the device. Websites have no access to the value of the passkey. When a Google user logs in to their account using a passkey, Google checks if the website has a corresponding public key.

This method of authentication makes accounts significantly more resilient, because, unlike a password, the key can’t be phished, stolen from the website it’s stored on, or intercepted in transit. It also means the account cannot be subject to an attack as a result of a weak password or password re-use, because there is no password.
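To make the key-pair description above concrete, here is an added Go example (not code from Google or from this post) that models a passkey login: the device keeps the private key, the site stores only the public key, and every login signs a fresh challenge bound to the site’s origin, so a look-alike domain is refused and a captured signature cannot be replayed. The `rpID`/origin strings, the challenge layout and the helper names are simplifications of WebAuthn’s clientDataJSON, assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device: the private key never leaves it.
type Authenticator struct {
	rpID string // the site this passkey was created for (assumed format)
	priv *ecdsa.PrivateKey
}

// RelyingParty models the website: it stores only the public key.
type RelyingParty struct {
	rpID string
	pub  *ecdsa.PublicKey
}

// Register creates the key pair on the device and hands the site the public half.
func Register(rpID string) (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{rpID: rpID, priv: priv}, &RelyingParty{rpID: rpID, pub: &priv.PublicKey}
}

// NewChallenge is the site's fresh per-login nonce; an old signature will not match a new one.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedData binds the challenge to the origin, as WebAuthn does via clientDataJSON.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign refuses to answer if the page's origin is not the site the key belongs to.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, fmt.Errorf("passkey for %s cannot be used on %s", a.rpID, origin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify checks the device's signature using only the stored public key.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, signedData(rp.rpID, challenge), sig)
}
```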

As the authors of the blog put it:

“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”

The blog authors identified some benefits users could get out of using Google passkeys:

  • Guaranteed access. Suppose you created a passkey on a Google account you access with your smartphone. In that case, you can use this passkey to access that Google account on other devices like a laptop. Synchronizing the passkey to the device isn’t needed as long as the phone is near the device and you approve the sign-in on your phone. If you create a passkey for your laptop—or for each device you own—you won’t need your phone anymore to access your Google account.
  • “Backup” key. Some platforms securely back up your passkeys and sync them with other devices. For example, a passkey created on your iPhone will also be available on your other Apple devices if you’re logged in to the same iCloud account. This prevents a user from getting locked out if they lose a device. Passkeys also make upgrading to a new device easier, as you only need to sync it with the rest of your devices.
  • Phishing and breach protection. Because passkeys cannot be stolen, phishers won’t be able to get their hands on your account credentials. Similarly, passkeys cannot be reused or exposed in a data breach.
  • It can replace physical security keys. Google said that passkeys are “strong enough that they can stand in for security keys for users.” A security key is a physical device used to sign in to your accounts. Like passkeys, it’s another passwordless method of authentication. An example of a security key is YubiKey.

It’s worth noting that passkeys use the three common types of information used in MFA: Something you have (like a smartphone), something you are (your biometrics), or something you know (like a PIN or pattern). This makes passkeys a form of MFA. However, according to the FIDO Alliance, some regulatory bodies have yet to make this recognition, something the alliance is already actively working towards.

Minimum hardware and software requirements

Google has listed what you’ll need in order to create a passkey: Windows 10 or macOS Ventura (or later) running Chrome 109, Safari 16, or Edge 109 (or later), or iOS 16 or Android 9 (or later) on a mobile device.

You also need to have a screen lock enabled, and Bluetooth enabled if you want to use a passkey on your phone to sign in on another device.

When you shouldn’t create a passkey

Passkeys should only be created on devices you personally control. That means you shouldn’t make a passkey using a Google Workspace account through a school or employer. You also shouldn’t create one on devices you share with other people, like your family computer, as anyone using the device will have access to your Google account. Even if you sign out of your account, once a passkey is created on that device, anyone who can unlock the device can sign back into your account with the passkey.

How to create a passkey in two simple steps

I used an iOS device here.

1. Go to g.co/passkeys to trigger the process.

[Image: first page you see when setting up a passkey]

You can also log in to your Google account. From the Home page, go to Security. Scroll down to How you sign in to Google and pick Passkeys as an added sign-in option. You’ll land on the same page as above.

[Image: another way to access passkey settings]

2. Click Create a passkey. An overlay will display, confirming that you can create a passkey on the device. Click Continue.

[Image: prompt saying the user can create a passkey on the device]

Note: If you have your iCloud Keychain disabled, your device will prompt you to enable it.

[Image: iOS prompt asking users to enable iCloud Keychain]

And you’re done!

The first time you sign in, the computer displays a QR code you can scan with your mobile device’s camera. Once signed in, you may be prompted to create a passkey for the computer. As we’ve said, only agree if you don’t share the computer with anyone.

If in the future, you decide to stop using passkeys, Google gives you the option to remove them. You can also opt out of using passkeys entirely. In cases when devices have been lost or stolen, or the passkey goes missing or unavailable, you can check Google’s recommendations on this Account Help page.

Google isn’t the only company that has been working on an alternative to passwords. Apple and Microsoft have also announced they’ll support passkeys on their respective platforms to address password problems. 

Watch this space!

