‘Locky’ Ransomware Shoots Back Up Global Malware Rankings, says Check Point
October 2017 by Check Point
Check Point® Software Technologies Ltd. has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally, according to the company’s latest Global Threat Impact Index.
Locky has not appeared in the company’s top ten ‘most wanted’ malware ranking since November 2016, but the ransomware rose sharply to second place in September, powered by the Necurs botnet, which in itself was ranked at number ten in the table. These attacks propelled Locky up 25 places in the index, to sit just behind the RoughTed malvertising campaign.
Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment which contains malicious macros. When users activate these macros – usually via a social engineering instruction – the attachment downloads and installs the malware that encrypts the user files. A message directs the user to download the Tor browser and visit a webpage demanding a bitcoin payment. In June 2016, the Necurs botnet released an updated version of Locky containing new detection avoidance techniques.
The resurgence of Locky shows that businesses can never rest on their laurels as far as malware is concerned. Sophisticated cybercriminals will continually seek ways of tweaking existing tools to make them potent again, while powerful botnets can give old variants a new lease of life, enabling them to rapidly target users around the globe. That more than one in ten organizations around the world seemed to be affected by a single ransomware family in September, underlines how existing malware can be just as dangerous as brand-new variants.
September 2017’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
1. ↔ RoughTed - Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
2. ↑ Locky - Ransomware that started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
3. ↓ Globeimposter - Ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
HackerDefender, a user-mode Rootkit for Windows, which was the third most prevalent malware in August, dropped out of the top ten altogether.
The most popular malware used to attack organizations’ mobile devices was Triada which moved up from third place, followed by Hiddad and Lotoor:
Top 3 ‘Most Wanted’ mobile malware:
1. Triada - Modular Backdoor for Android which grants superuser privileges to downloaded malware, and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Hiddad - Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Lotoor - Hack tool that exploits vulnerabilities on Android operating systems in order to gain root privileges on compromised mobile devices.
“If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice,” added Maya Horowitz, Threat Intelligence, Group Manager at Check Point. “We’ve got ransomware taking up two of the top three spots – one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position”.
At Check Point, we believe it is important to deploy a multi-layered cybersecurity strategy that protects against both established malware families as well as brand new, zero-day threats. Effective cyber security tools look for suspicious behaviors or general characteristics, like embedded macros in documents, not just familiar malware signatures – This is the approach taken by SandBlast™ Zero-Day Protection and Mobile Threat Prevention.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network designed to fight cybercrime, and which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites: It identifies millions of malware types daily.