Ransomware doubled in H2 2016

Ransomware attacks doubled during the second half of 2016, increasing from 5.5% to 10.5% of all recognized malware incidents, according to Check Point.

Check Point’s H2 2016 Global Threat Intelligence Trends Report shows the following key trends during the period.

First, the ransomware market is becoming a near monopoly. Researchers witnessed a change in the ransomware landscape as it became more and more centralized, with a few significant malware families dominating the market and hitting organizations of all sizes.

Second, DDoS attacks were launched from IoT devices of the kind found in almost every home. In August 2016, the infamous Mirai botnet was discovered, turning devices such as digital video recorders (DVR) and surveillance cameras (CCTV) into bots used to launch multiple high-volume DDoS attacks.

Third, new file extensions were used in spam campaigns: the most prevalent infection vector in malicious spam campaigns throughout the second half of 2016 was downloaders based on the Windows Script engine (WScript).

Downloaders written in JavaScript (JS) and VBScript (VBS) dominated the mal-spam distribution field, together with similar but less familiar formats such as JSE, WSF, and VBE.

In the second half of 2016, the top malware was Conficker (14.5% of all incidents). It is a worm that allows remote operations and malware download.

Second was Sality (6.1%), a virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist on a system and provide the means for remote control and for installing further malware.

Third was Cutwail (4.6%), a botnet mostly involved in sending spam e-mails, as well as some DDoS attacks. Once installed, the bots connect directly to the command-and-control server and receive instructions about the emails they should send.

Fourth was JBossjmx (4.5%), a worm that targets systems having a vulnerable version of JBoss Application Server installed. The malware creates a malicious JSP page on vulnerable systems that executes arbitrary commands.

Fifth was Locky (4.3%), a ransomware family that began distribution in February 2016. It spreads mainly via spam emails carrying a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user's files.
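The WScript-based downloaders described above (JS, VBS, JSE, WSF, VBE) and Locky's downloader hidden in a Zip attachment share a mail-gateway mitigation: flag attachments whose extension Windows hands to the Windows Script Host, catch the "document.js" double-extension disguise, and look inside archives without extracting them. The following is an added example, not code from the original report or from Check Point; the WSH extension added to the report's five, the hypothetical function names, and the constructed sample archive are assumptions made for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional

# Extensions handled by the Windows Script Host by default. The report names
# JS, VBS, JSE, WSF and VBE; .wsh is an assumption added for completeness.
WSCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Container format the report says the Locky downloader hides in.
ARCHIVE_EXTENSIONS = {".zip"}


def attachment_verdict(filename: str) -> str:
    """Classify an attachment name by its final extension.

    Returns 'script' for WScript-handled files, 'archive' for Zip, else 'other'.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "other"
    if suffixes[-1] in WSCRIPT_EXTENSIONS:
        return "script"
    if suffixes[-1] in ARCHIVE_EXTENSIONS:
        return "archive"
    return "other"


def scripts_in_zip(data: bytes) -> List[str]:
    """Return names of WScript-handled members in a zip, reading only the directory."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PurePosixPath(info.filename).suffix.lower() in WSCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def flag_attachment(filename: str, data: Optional[bytes] = None) -> List[str]:
    """Return the reasons an attachment should be quarantined (empty list = clean)."""
    reasons = []
    verdict = attachment_verdict(filename)
    if verdict == "script":
        reasons.append(f"script attachment handled by WScript: {filename}")
        # e.g. invoice.pdf.js: a document-looking name with a script extension last
        if len(PurePosixPath(filename).suffixes) >= 2:
            reasons.append("double extension disguising a script as a document")
    if verdict == "archive" and data is not None:
        for member in scripts_in_zip(data):
            reasons.append(f"zip member is a WScript file: {member}")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample archive: a harmless placeholder with a Locky-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.doc.js", "// constructed placeholder, not a downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment names and archive; no real samples involved.
    for name, payload in [("report.docx", None),
                          ("invoice.pdf.JS", None),
                          ("scan.zip", build_sample_zip())]:
        print(name, "->", flag_attachment(name, payload) or "clean")
```

The archive check reads only the zip central directory, so nothing is written to disk; in a gateway the same functions would be fed each MIME part's filename and bytes, and any non-empty reason list would route the message to quarantine.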