Ransomware Doubles Since July

The percentage of ransomware attacks doubled during the period July to December 2016, to account for 10.5% of all recognized malware attacks during that time.

According to Check Point’s H2 2016 Global Threat Intelligence Trends report, the Locky ransomware was the most common type, accounting for 41% of all ransomware attacks. The report also found that Locky was the No. 5 malware overall (accounting for 4.3% of attacks). Locky started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user’s files.
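The Locky delivery chain described above (a spam attachment that is really a downloader) is something a mail gateway or incident responder can triage mechanically. The following is an added example, not code from the article or from Check Point: it inspects an attachment's bytes rather than trusting its name, flagging a zip that carries a script or executable member, an OOXML Word document that carries a VBA macro project, and a file whose contents do not match its claimed extension. The sample attachments are constructed in the script (placeholder text, not real malware), and the extension list and finding strings are this example's own choices.

```python
"""Triage e-mail attachments for the "Word or Zip downloader" pattern.

Added example, not the article's or Check Point's code. It looks at the
attachment bytes, not just the file name, because the downloader stage is
disguised as an ordinary document or archive.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                        # local file header of a zip/OOXML container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE compound file)
PE_MAGIC = b"MZ"                                 # Windows executable

# Member extensions commonly used for a script/executable downloader stage
# inside a zip attachment (list chosen for this example).
SCRIPT_OR_EXE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                 ".exe", ".scr", ".bat", ".cmd", ".ps1", ".lnk"}


def _ext(name: str) -> str:
    """Lower-cased final extension of a path-like name, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    ext = _ext(filename)

    # Content that is an executable is suspicious whatever it is called.
    if data.startswith(PE_MAGIC):
        findings.append("content is a Windows executable (MZ header)")

    if ext == ".zip":
        if not data.startswith(ZIP_MAGIC):
            findings.append("extension .zip but bytes are not a zip archive")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in SCRIPT_OR_EXE:
                        findings.append(f"zip contains script/executable member: {member}")
    elif ext in {".docx", ".docm", ".dotm"}:
        if not data.startswith(ZIP_MAGIC):
            findings.append(f"extension {ext} but bytes are not an OOXML (zip) container")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # OOXML stores VBA macros in this part; a plain .docx has none.
                if "word/vbaProject.bin" in zf.namelist():
                    findings.append("Word document contains a VBA macro project")
    elif ext == ".doc":
        if not data.startswith(OLE_MAGIC):
            findings.append("extension .doc but bytes are not an OLE container")
        else:
            # Macro detection in the binary .doc format needs an OLE parser,
            # which this example does not include; route it for deeper analysis.
            findings.append("legacy .doc container: needs an OLE macro scan")
    return findings


def _zip_bytes(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def constructed_samples() -> dict[str, bytes]:
    """Constructed attachments (placeholder bytes only, nothing malicious)."""
    return {
        # zip whose only member is a script: the classic downloader stage
        "invoice_2016.zip": _zip_bytes({"invoice_2016.js": b"// constructed placeholder\n"}),
        # benign archive
        "notes.zip": _zip_bytes({"notes.txt": b"quarterly notes\n"}),
        # macro-enabled Word document (OOXML with a VBA project part)
        "order.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"constructed placeholder"}),
        # ordinary Word document, no macros
        "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                   "word/document.xml": b"<w:document/>"}),
        # executable bytes renamed to look like a document
        "scan.docx": b"MZ" + b"\x00" * 62,
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name}: {triage_attachment(name, blob) or 'no findings'}")
```

The check is deliberately content-first: the file name decides which container format to expect, but every verdict comes from the bytes, so a renamed executable or a zip that hides a script is caught even when the name looks like an invoice.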

Cryptowall was the No. 2 ransomware (27%). It started as a Cryptolocker doppelgänger, but eventually surpassed it; after the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomware families to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.

Cerber was the third-most common ransomware (23%), and represents the world’s biggest ransomware-as-a-service scheme. Cerber is a franchise scheme, with its developer recruiting affiliates who spread the malware for a cut of the profits.

Beyond ransomware, the Conficker worm was the most common (14.5% of all malware attacks), continuing its reign at No. 1. It allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.

Sality was the next-most common (6.1%), a virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.

The Cutwail botnet came in at No. 3 (4.6%). Cutwail is mostly involved in sending spam emails, as well as some DDoS attacks. Once installed, the bots connect directly to the C&C server and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.

Hummingbad was the leading mobile malware, representing 60% of all attacks between July and December.