The share of ransomware attacks as part of the malware sector increased drastically throughout the second half of 2016. Security researchers at Check Point report that the percentage of ransomware attacks went from 5.5% to 10.5% from July to December. The rate of malware distribution has been steadily increasing in the past several years. Over the course of the past year, the focus has shifted to ransomware.
Check Point have been analyzing the malware sector throughout 2016. They noticed that a few trends rose to prominence in the second half of the year.
Monopoly in the ransomware market – a few ransomware families established themselves as leaders. While thousands of new ransomware programs appeared on the scene, a select few dominated over the rest. The positions of the market leaders increased further throughout the second half of 2016.
DDoS attacks via IoT devices – a revolutionary concept was introduced last year. The Mirai botnet, the first ever Internet-of-Things (IoT) botnet, was first spotted in August. This virus attacks digital devices which are connected to the Internet, like video recorders (DVR) and surveillance cameras (CCTV). Mirai turns the targeted devices into botnets and uses them to launch multiple high-volume Distributed Denial of Service (DDoS) attacks. This pattern is expected to persist, as IoT devices are present in most households.
Top malware for the second half of 2016
1. Conficker (14.5%) – the leader in the branch is a worm which enables hackers to conduct remote operations and download malware. A botnet controls the infected device. The cyber criminals send out instructions from a command and control (C&C) server.
2. Sality (6.1%) – this virus aims to give its developers remote control over users’ devices and allow them to install malware. The hacker controlling the program conducts operations of his choosing and downloads malware to the infected machine.
3. Cutwail (4.6%) – the main task of this botnet is to send spam emails. It also conducts DDoS attacks. The botnet connects directly to its command and control server upon being installed. The operators of the C&C server give instructions about the emails the program has to send. The virus keeps a record of its operations, maintains statistics about them, and sends reports about its activity to the hackers.
4. JBossjmx (4.5%) – the name of this virus may sound familiar to you. It is a worm, named after the program it targets. Only systems which use a vulnerable version of the JBoss Application Server are susceptible to this infection. The worm creates a JSP page which executes arbitrary commands. In addition, it opens a backdoor to receive commands from a remote IRC server.
5. Locky (4.3%) – this ransomware was first detected in February 2016. It is spread through a classic propagation vector. The virus travels in spam emails. It hides behind a Word document or a Zip file attachment. The attached file downloads and installs the ransomware which then proceeds to encrypt vulnerable files from the hard drive.
Top ransomware for the second half of 2016
The ransomware division was the most prosperous sector in the malware branch. During the increase from 5.5% to 10.5%, the top tiers were the following:
1. Locky (41%) – the virus went from being ranked third in the first half of 2016 to leading the chart in the second. As it stands, this is the most common ransomware threat today.
2. Cryptowall (27%) – this infection originated as an exact copy of Cryptolocker with a different name. The new build went on to become more successful than the original version and wound up replacing it. Cryptowall is a classic ransomware infection. It works in the same manner as many other viruses of this kind. It uses AES encryption algorithm to lock files and the Tor network to communicate with victims through a C&C server. The propagation vectors for the virus include exploit kits, malvertising, and phishing campaigns.
3. Cerber (9%) – per definition, this program is categorized as RaaS (ransomware-as-a-service) and open source ransomware. It is by far the biggest scheme of this kind. The virus can be modified according to the order of the client. For this reason, Cerber is the ransomware virus with the highest number of modifications.
Maya Horowitz, Threat Intelligence Group Manager at Check Point, addressed the results from the investigation: “The report demonstrates the nature of today’s cyber environment, with ransomware attacks growing rapidly. This is simply because they work, and generate significant revenues for attackers. Organizations are struggling to effectively counteract the threat: many don’t have the right defenses in place, and may not have educated their staff on how to recognize the signs of a potential ransomware attack in incoming emails.”
“Additionally, our data demonstrates that a small number of families are responsible for the majority of attacks, while thousands of other malware families are rarely seen,” Horowitz noted. “Most cyber threats are global and cross-regional, yet the APAC region stands out, as its Top Malware Families chart includes 5 families which do not appear in the other regional charts.”
Top mobile malware for the second half of 2016
1. Hummingbad (60%) – the indisputable leader is a malware program which targets devices, running on Android. The virus introduces a rootkit to the device and installs various rogue applications. Upon making additional modifications, the program installs a key-logger which steals credentials and bypasses encrypted email containers. The latter task makes it easier for other malware to slide in undetected.
2. Triada (9%) – this program serves as a Modular Backdoor for Android. It gives elevated user privileges. As a result, hackers get the ability to download malware and embed it into system processes.
3. Ztorg (7%) – a Trojan which uses root privileges to download and install applications to the mobile device through background processes. Thus, the user is left oblivious to the activity.
Top banking malware for the second half of 2016
1. Zeus (33%) – a Trojan which only targets the Windows OS. It is used for stealing banking information through man-in-the-browser keystroke logging and form grabbing.
2. Tinba (21%) – this infection is also a Trojan. It steals credentials via web-injects which are activated when the user logs into an online banking account.
3. Ramnit (16%) – another banking Trojan, this program records credentials, FTP passwords, session cookies, and personal data.