
Ransomware doubled in second half of 2016, says Check Point

Check Point identifies the most prevalent ransomware and other malware that organisations should be prioritising based on data from the second half of 2016

Ransomware attacks doubled in the second half of 2016 to 10.5% of all recognised malware attacks, according to a report by security firm Check Point.  

The H2 2016 Global Threat Intelligence Trends Report is based on threat intelligence data drawn from Check Point’s ThreatCloud World Cyber Threat Map between July and December 2016.

The data reveals that the most prevalent malware during the period was the Conficker worm, which allows remote operations and malware download and comprised 14.5% of all attacks in the period.

This was followed by Sality (6.1%), a virus that allows remote operations and downloads of additional malware to infected systems by its operator; Cutwail (4.6%), a botnet mostly involved in sending spam e-mails and distributed denial of service (DDoS) attacks; and JBossjmx (4.5%), a worm that targets systems that have a vulnerable version of JBoss Application Server installed.

Locky (4.3%), ransomware that emerged in February 2016, was another prevalent malware during the period. It spreads mainly through spam emails containing a downloader disguised as a Microsoft Word or Zip file attachment, which then downloads and installs the malware that encrypts the user's files.

In the second half of 2016, Locky was the most prevalent type of ransomware, comprising 41% of all ransomware attacks and moving up from third position in the first half of the year.

This was followed by Cryptowall (27%), which, after the takedown of Cryptolocker, became one of the most prominent ransomware families to date. Cryptowall is known for its use of AES encryption and for conducting its command and control communications over the Tor anonymous network. It is widely distributed through exploit kits, malvertising and phishing campaigns.

In third position was Cerber (23%), which is the world’s biggest ransomware-as-a-service scheme. Cerber is a franchise scheme, with its developer recruiting affiliates who spread the malware for a cut of the profits.

Top mobile malware

The top mobile malware in the second half of 2016 was Hummingbad, accounting for 60% of all mobile attacks.

The Hummingbad malware is targeted at Android devices and establishes a persistent rootkit on the device before installing fraudulent applications that, with slight modifications, could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.

In second position was Triada (9%), a modular backdoor for Android which grants superuser privileges to downloaded malware, and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

Third was Ztorg (7%), a Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.

Leading banking malware

The top banking malware was Zeus (33%), a Trojan that targets Windows platforms and is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.

Second was Tinba (21%), another banking Trojan that steals the victim’s credentials using web-injects, activated as the users try to log in to their bank website.

Third was Ramnit (16%), also a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

Key malware trends

According to the report, Check Point researchers identified three key trends during the second half of 2016, with the first being the monopoly in the ransomware market.

According to Check Point researchers, thousands of new ransomware variants were observed in 2016. In recent months, they witnessed a change in the ransomware landscape as it became more and more centralised, with a few significant malware families dominating the landscape.

The second main trend that emerged was DDoS attacks via IoT devices.

In August 2016, the infamous Mirai botnet was discovered, which attacks vulnerable internet-enabled digital devices such as video recorders (DVRs) and surveillance cameras. It turns them into bots, using the compromised devices to launch multiple high-volume distributed denial of service (DDoS) attacks.

Check Point researchers said it is now clear that vulnerable IoT devices are in use in almost every home, and massive DDoS attacks that are based on exploiting these devices will persist.

The third trend that came to light was the prevalence of new file extensions used in spam campaigns.

The most prevalent infection vector used in malicious spam campaigns throughout the second half of 2016 was downloaders based on the Windows Script engine (WScript).

Downloaders written in JavaScript (JS) and VBScript (VBS) dominated the mal-spam distribution field, together with similar yet less familiar formats such as JSE, WSF and VBE, the report revealed.
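As an added illustration (not taken from the Check Point report), a mail gateway check for the script formats listed above might look like the following Python sketch, which flags attachments by extension and also looks inside Zip archives, the disguise mentioned for Locky. The function names and the sample message are constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script extensions named in the report as mal-spam downloader formats.
WSCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}

def is_wscript(name):
    """True if the final extension is one Windows Script Host would run."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower() in WSCRIPT_EXTS

def flag_attachments(raw_message):
    """Return sorted 'attachment' or 'archive!member' names that match."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_wscript(name):
            hits.append(name)
            continue
        data = part.get_payload(decode=True) or b""
        # Inspect by content, not by name: a Zip renamed to .doc is still a Zip.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [f"{name}!{m}" for m in zf.namelist() if is_wscript(m)]
    return sorted(hits)

def build_sample():
    """Constructed sample message with harmless placeholder attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4821.JS", "// constructed placeholder, no payload\n")
        zf.writestr("readme.txt", "constructed\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="scan.wsf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

Nested archives and password-protected Zips are not unpacked here; a production filter would quarantine those rather than pass them.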


“The report demonstrates the nature of today’s cyber environment, with ransomware attacks growing rapidly,” said Maya Horowitz, threat intelligence group manager at Check Point.

“This is simply because they work, and generate significant revenues for attackers. Organisations are struggling to effectively counteract the threat,” she said.

According to Horowitz, many organisations do not have the right defences in place, and may not have educated their staff on how to recognise the signs of a potential ransomware attack in incoming emails.

“Additionally our data demonstrates that a small number of families are responsible for the majority of attacks, while thousands of other malware families are rarely seen,” she said.
