Ransomware attacks doubled in H2 2016

Ransomware attacks are growing rapidly.

Global ransomware attacks doubled during the second half of 2016.

This is according to Israel-based security solutions vendor Check Point Software Technologies in its H2 2016 Global Threat Intelligence Trends report.

The report highlights the key tactics cyber criminals are using to attack businesses, and gives an overview of the cyber threat landscape in the top malware categories: ransomware, banking and mobile. It is based on threat intelligence data drawn from Check Point's ThreatCloud World Cyber Threat Map between July and December 2016.

The ThreatCloud database identifies millions of malware types daily, and contains more than 250 million addresses analysed for bot discovery, as well as over 11 million malware signatures and 5.5 million infected Web sites.

Out of all recognised malware incidents globally, the percentage of ransomware attacks increased from 5.5% to 10.5% between July and December 2016, says Check Point.

It notes thousands of new ransomware variants were observed in 2016, and in recent months the company witnessed a change in the ransomware landscape, as it became more and more centralised, with a few significant malware families dominating the market and hitting organisations of all sizes.

"The report demonstrates the nature of today's cyber environment, with ransomware attacks growing rapidly," says Doros Hadjizenonos, Check Point SA's country manager.

"This is simply because they work, and generate significant revenues for attackers. Organisations are struggling to effectively counteract the threat - many don't have the right defences in place and may not have educated their staff on how to recognise the signs of a potential ransomware attack in incoming e-mails."

Additionally, Hadjizenonos notes the data demonstrates that a small number of families are responsible for the majority of attacks, while thousands of other malware families are rarely seen.

"Most cyber threats are global and cross-regional, yet the APAC region stands out as its top malware families chart includes five families which do not appear in the other regional charts."

In August 2016, Check Point also discovered the infamous Mirai Botnet, a first-of-its-kind Internet of things (IOT) botnet, which attacks vulnerable Internet-enabled digital devices such as video recorders and surveillance cameras.

The vendor explains the Mirai Botnet turns the devices into bots, using the compromised devices to launch multiple high-volume distributed denial-of-service (DDOS) attacks. It is now clear vulnerable IOT devices are in use in almost every home, and massive DDOS attacks based on such devices will persist, Check Point says.

It adds that the most prevalent infection vector used in malicious spam campaigns throughout the second half of 2016 was downloaders based on the Windows Script engine (WScript). Downloaders written in JavaScript and VBScript dominated the mal-spam distribution field, together with similar yet less familiar formats such as JSE, WSF and VBE.
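One defensive check that follows directly from this finding, as an added example that is not Check Point's or Kaspersky's code: parse a message and flag any attachment whose extension, directly or inside a zip archive, is one the Windows Script Host executes (.js, .jse, .vbs, .vbe, .wsf). The sample e-mail below is constructed for the demonstration; the attached script is a placeholder, not a real downloader.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions run by the Windows Script Host (WScript): the script
# downloader formats the report names as the dominant mal-spam vector.
WSCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}


def _script_names(filename: str, payload: bytes) -> list[str]:
    """Return WScript-handled file names found in one attachment (zips are opened)."""
    # suffix() takes the LAST extension, so "Invoice.pdf.js" is still caught.
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in WSCRIPT_EXTENSIONS:
        return [filename]
    if suffix == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [f"{filename}:{name}" for name in zf.namelist()
                        if PurePosixPath(name).suffix.lower() in WSCRIPT_EXTENSIONS]
        except zipfile.BadZipFile:
            return []  # not a valid archive; nothing to inspect here
    return []


def find_script_attachments(raw_message: bytes) -> list[str]:
    """List every WScript-executable attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits.extend(_script_names(name, part.get_payload(decode=True) or b""))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' mail carrying a zip that holds a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.js", "// placeholder script, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="terms.pdf")
    return bytes(msg)
```

A mail gateway would quarantine or strip anything this returns; a benign attachment such as the sample PDF passes untouched.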

Security solutions provider Kaspersky Lab notes that in 2016, a huge amount of malicious spam was recorded. The absolute leaders in spam were the Trojan downloaders that download ransomware to a victim's computer, it says.

The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor. However, other ransomware such as Petya, Cryakl and Shade were also widespread.

"2016 saw a variety of changes in spam flows, with an increase in the number of malicious mass mailings containing ransomware being the most significant. Such an extensive use of ransomware may be due to the availability of this sort of malware on the black market," says Darya Gudkova, spam analyst expert at Kaspersky Lab.

"Currently, cyber criminals can not only rent a botnet to send out spam, they can also use so-called ransomware-as-a-service. This means the attacker may not be a hacker in the traditional sense, and may not even know how to code."
