Locky Rises to the Top of the Email Threat Heap

The Locky ransomware has become the No. 1 email-borne threat, overtaking Dridex and making good use of JavaScript attachments to lead an explosion of malicious message volume.

According to the latest Proofpoint Quarterly Threat Summary, malicious mails were up 230% quarter-over-quarter, with campaigns peaking at hundreds of millions of messages per day. Among email attacks that used malicious document attachments, 69% featured the new Locky ransomware in Q2, versus 24% in Q1.

The report noted that the Necurs botnet went offline in June, silencing the massive Locky and Dridex campaigns that defined the first half of 2016. But by the end of that month, the first large Locky email campaigns began again, with all signs pointing to a regrowth of the Necurs botnet.

The report noted that despite the volume of messages, threat actors were nonetheless able to conduct highly personalized campaigns—even at scales of tens to hundreds of thousands of messages. There is also a trend toward greater variety in approach to increase the effectiveness and scale of the attacks. Bad actors repeatedly shifted tactics with new loaders, document attachment types, and obfuscation techniques to evade detection. Social media phishing attempts also rose by 150%, driven by the proliferation of fake customer service Twitter accounts and similar lures.

Also on the email front, organizations continued to cope with spam, adult content, and other unwanted mail in volumes that overwhelmed their ability to resolve the problems manually. Whaling and business email compromise (BEC) attempts continued to evolve, with attackers changing lures based on seasonal events such as tax reporting.

The report found that while Locky may have dominated email, CryptXXX dominated exploit kit (EK) traffic. Another ransomware family, CryptXXX, appeared on the scene in Q2 and quickly rose to prominence in the EK landscape, the report found. Overall, the number of new ransomware variants (most distributed by EKs) grew by a factor of five to six since Q4 2015.

There was a quiet period here too: EK traffic dropped by 96% between April and mid-June. Traffic from the Angler EK had completely disappeared by early June, shortly after the Nuclear EK had shuttered operations. That left Neutrino as the top EK by the end of June.

Meanwhile, mobile was a top target. As many as 10 million Android devices were compromised by EKs. The EKs targeted multiple vulnerabilities that let attackers take control of the devices. In most cases this control was used to download adware that generated profits for threat actors.

As a result, 98% of mobile malware is still associated with the Android platform.

Photo © wisawa222
