January 19, 2017
Locky ransomware attacks have dramatically decreased during December 2016, according to Check Point.
Locky, which uses massive spam campaigns as a major distribution vector, only surfaced in 2016 but has rapidly become one of the most popular tools for cybercriminals, part of a growing trend for ransomware cyberattacks that encrypt data on the target machine and demand payment in return for decrypting it.
In December, researchers recorded an 81% drop in the average number of Locky infections per week, compared with the weekly averages of October and November causing it to drop out of the top 10 global malware families for the first time since June 2016.
Overall, they tracked an 8% decrease in the number of recognized malware attacks on organizations in December, which could be attributed to a Christmas holiday slowdown. A similar decrease was witnessed last December with 9% fewer attacks than the previous months – with numbers returning to normal levels in January.
Conficker is still king
Globally, Conficker remained the most prevalent malware type, accounting for 10% of all known attacks during the period. It was followed by Nemucod in second place with 5%, and Slammer with 4% of the recognized attacks. Overall, the top ten malware families were responsible for 42% of all known attacks.
1. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
3. Slammer – Memory resident worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
Most prevalent mobile malware
Research also revealed the most prevalent mobile malware during December 2016, and once again attacks against Android devices significantly more common than iOS. The top three mobile malware were:
1. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
2. Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
3. Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.
Nathan Shuchami, Head of Threat Prevention at Check Point said: “The massive decrease in Locky attacks during December is part of a wider trend which saw malware attacks decrease by around 8% compared to the previous months. Organizations should be under no illusions – this is not a reason to rest on their laurels. The most likely cause genuinely is that cybercriminals have opted to take a Christmas holiday too – perhaps to spend some of the fruits of their labours. Ransomware remains a threat that businesses need to take seriously into 2017.”