Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month.
Locky has not appeared in our Global Threat Impact Index, which reports on the top ten most prevalent malware attacks globally every month, since November 2016. However, attacks in September were powered by the hefty Necurs botnet, which in itself was ranked at number ten in the table. These attacks shot Locky up 25 places overall, to sit just behind the Roughted malvertising campaign in pole position.
Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment, which contains malicious macros. When users activate these macros – usually via a social engineering instruction – the attachment downloads and installs the malware that encrypts the user files. A message directs the user to download the Tor browser and visit a webpage demanding a bitcoin payment. In June 2016, the Necurs botnet released an updated version of Locky, containing new detection avoidance techniques.
This latest resurgence of the Locky ransomware family shows that businesses must remain vigilant to all forms of malware – both brand-new and well-established variants. Sophisticated cybercriminals will continually seek ways of tweaking existing tools to make them potent again, while powerful botnets can give old variants a new lease of life, enabling them to rapidly target users around the globe. To put the Locky statistics into context, more than one in ten organizations around the world were affected by this single ransomware family – a familiar variant that has been known to cybersecurity professionals for over 18 months.
Top 10 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
HackerDefender, a user-mode Rootkit for Windows which was the third most prevalent malware in August, dropped out of the top ten altogether. The most popular malware used to attack organizations’ mobile estates changed from August, with Triada moving up from third place, followed by Hiddad and Gooligan:
Top 3 ‘Most Wanted’ mobile malware:
If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice. Ransomware has taken up two of the top three spots – one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position. This is why a multi-layered cybersecurity strategy is so important, one that protects against both established malware families and brand new, zero-day threats. Cybersecurity tools need to look for suspicious behaviors or general characteristics, like embedded macros in documents, not just familiar malware signatures – precisely what tools like our SandBlast™ Zero-Day Protection and Mobile Threat Prevention are designed to do.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html