Cybercriminals are increasingly adopting stealthier tactics, with a new report from WatchGuard Technologies revealing significant growth in encrypted and fileless malware. The analysis shows that threat actors are successfully evading traditional defenses by hiding their payloads within standard web traffic and using native system tools to carry out attacks.

Over 90% of Malware Hides in Encrypted Traffic

According to the second-quarter report, a staggering 91.5% of malware was delivered using HTTPS-encrypted connections. This trend makes detection significantly more difficult for organizations that do not perform HTTPS inspection at the network perimeter, effectively allowing nine out of ten threats to pass through unchecked. Two malware families, AMSI.Disable.A and XML.JSLoader, were responsible for the vast majority of these encrypted detections. The former is particularly evasive, using PowerShell commands to disable Windows’ Antimalware Scan Interface (AMSI) and execute malicious scripts without being flagged.

Fileless Attacks and Ransomware on the Rise

The use of PowerShell highlights another major trend: the surge in fileless malware. These “living off the land” (LotL) attacks leverage legitimate system tools to remain hidden in a computer’s memory, making them invisible to many antivirus solutions. In the first half of 2021 alone, script-initiated attacks reached 80% of the total volume for all of 2020, putting fileless threats on a trajectory to double year-over-year. Alongside this, ransomware has seen a dramatic resurgence. After a period of decline, ransomware attacks are on pace to increase by 150% in 2021 compared to the previous year, a finding supported by multiple security firms.