September’s Most Wanted Malware: Locky Shoots Back Up Global Rankings

Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month.

Locky has not appeared in our Global Threat Impact Index, which reports on the top ten most prevalent malware attacks globally every month, since November 2016. However, attacks in September were powered by the hefty Necurs botnet, which in itself was ranked at number ten in the table. These attacks shot Locky up 25 places overall, to sit just behind the Roughted malvertising campaign in pole position.

Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment, which contains malicious macros. When users activate these macros – usually via a social engineering instruction – the attachment downloads and installs the malware that encrypts the user files. A message directs the user to download the Tor browser and visit a webpage demanding a bitcoin payment. In June 2016, the Necurs botnet released an updated version of Locky, containing new detection avoidance techniques.

This latest resurgence of the Locky ransomware family shows that businesses must remain vigilant to all forms of malware – both brand-new and well-established variants. Sophisticated cybercriminals will continually seek ways of tweaking existing tools to make them potent again, while powerful botnets can give old variants a new lease of life, enabling them to rapidly target users around the globe. To put the Locky statistics into context, more than one in ten organizations around the world were affected by this single ransomware family – a familiar variant that has been known to cybersecurity professionals for over 18 months.

Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

1. ↔ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
2. ↑ Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
3. ↓ Globeimposter– Ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
4. ↑ Conficker– Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
5. ↓ Fireball– Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
6. ↔ Pushdo– Trojan used to infect a system and then download the Cutwail spam module and can also be used to install additional third party malware.
7. ↔ Zeus– Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
8. ↑ Rig ek– Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit
9. ↓ Ramnit– Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
10. ↑ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.

HackerDefender, a user-mode Rootkit for Windows which was the third most prevalent malware in August, dropped out of the top ten altogether. The most popular malware used to attack organizations’ mobile estates changed from August, with Triada moving up from third place, followed by Hiddad and Gooligan:

Top 3 ‘Most Wanted’ mobile malware:

1. Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Hiddad– Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice. Ransomware has taken up two of the top three spots – one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position. This is why a multi-layered cybersecurity strategy is so important, one that protects against both established malware families and brand new, zero-day threats. Cybersecurity tools need to look for suspicious behaviors or general characteristics, like embedded macros in documents, not just familiar malware signatures – precisely what tools like our SandBlast™ Zero-Day Protection and Mobile Threat Prevention are designed to do.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html