Locky Skyrockets Up Global Malware Rankings

Check Point’s latest Global Threat Impact Index revealed a major Locky campaign in September, making the ransomware the world’s second most-used malware and impacting 11.5% of organizations globally.

Locky has not appeared in the company’s top 10 “most wanted” malware ranking since November 2016, but the spike, powered by the Necurs botnet (which in itself was ranked at number 10 in the table), propelled it up 25 places in the index, to sit just behind the RoughTed malvertising campaign.

Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment which contains malicious macros. When users activate these macros—usually via a social engineering instruction—the attachment downloads and installs the malware that encrypts the user files. In June 2016, the Necurs botnet released an updated version of Locky containing new detection avoidance techniques.
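The delivery chain described above (a spam message carrying an Office document with macros, or a Zip archive wrapping a downloader) is something a mail gateway can screen for before a user ever sees the attachment. The following Python script is an added example, not code from Check Point or from this article: it parses a constructed MIME message, opens each attachment, and flags OOXML documents that embed a `vbaProject.bin` part, legacy OLE2 Office files that may carry VBA, and Zip archives whose members have executable or script extensions. The sample message, file names and addresses are all constructed here for the demonstration.

```python
"""Screen e-mail attachments for the macro-document / archive-dropper
delivery pattern. Added example with a constructed sample message;
not the article's or Check Point's code."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Office formats that can embed VBA. OOXML macro-enabled types are ZIP
# containers; legacy .doc/.xls are OLE2 compound files flagged by magic bytes.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
                 ".xlsb", ".ppt", ".pptm"}
# Archive members that commonly act as droppers when hidden inside a Zip.
DROPPER_MEMBERS = {".exe", ".js", ".jse", ".vbs", ".wsf", ".hta", ".scr",
                   ".dll", ".cmd", ".bat", ".ps1"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _ext(name):
    """Lower-cased extension including the dot, or '' if none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def has_vba_project(data):
    """True if a ZIP-based (OOXML) document contains a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_zip_members(data):
    """Names of archive members with dropper-like or macro-capable extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if _ext(n) in DROPPER_MEMBERS or _ext(n) in MACRO_CAPABLE]
    except zipfile.BadZipFile:
        return []


def assess_message(raw):
    """Return (filename, reason) pairs for attachments worth quarantining."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if has_vba_project(data):
            findings.append((name, "OOXML document embeds vbaProject.bin"))
        elif ext in MACRO_CAPABLE and data.startswith(OLE2_MAGIC):
            findings.append((name, "legacy OLE2 Office document (may carry VBA)"))
        elif ext == ".zip":
            members = suspicious_zip_members(data)
            if members:
                findings.append((name, "archive contains " + ", ".join(members)))
    return findings


# --- constructed sample input (placeholders, not real malware) ---------------
def _build_ooxml_with_macro():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA storage\x00")
    return buf.getvalue()


def _build_zip_with_script():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2017.js", "// constructed placeholder member\n")
    return buf.getvalue()


def build_sample_message():
    """A constructed spam-style message with one macro doc, one Zip, one PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_build_ooxml_with_macro(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(_build_zip_with_script(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in assess_message(build_sample_message()):
        print(f"QUARANTINE {filename}: {reason}")
```

Run as-is it reports the `.docm` and the `.zip` and leaves the PDF alone. The check looks inside the bytes rather than trusting the declared content type or extension alone, since a renamed attachment is the cheapest evasion; in production the same function would sit behind the gateway's attachment hook and feed a quarantine rather than `print`.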

RoughTed, meanwhile, is a large-scale malvertising campaign used to redirect victims to a range of malicious websites and payloads, including scams, adware, exploit kits and ransomware. It can target any platform and operating system, and uses ad-blocker bypassing and browser fingerprinting to make sure it delivers the attack most relevant to each visitor.

In the No. 3 spot is Globeimposter, ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.

“If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice,” said Maya Horowitz, Threat Intelligence group manager at Check Point. “We’ve got ransomware taking up two of the top three spots—one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position.”

Also of note: HackerDefender, a user-mode rootkit for Windows that was the third most prevalent malware in August, dropped out of the top 10 altogether.

The most popular malware used to attack organizations’ mobile devices, meanwhile, was Triada, a backdoor for Android that grants superuser privileges to downloaded malware and helps it embed itself in system processes. Triada was followed by Hiddad, an Android malware that repackages legitimate apps, and Lotoor, a hack tool that exploits vulnerabilities in the Android operating system to gain root privileges on compromised mobile devices.

Check Point’s Global Threat Impact Index is a result of the analysis of more than 11 million malware signatures and over 5.5 million infected websites.
