August’s Top 10 Most Wanted Malware

Today, Check Point revealed that both the number of variants of ransomware and volume of malware attacks were on the rise in August, as the company disclosed the most prevalent malware families attacking organizations’ networks in the period.

During August, the number of active ransomware families grew by 12 percent while the number of detected attempted ransomware attacks increased by 30 percent. Two-thirds of all recognized ransomware families climbed the rankings in August, most of them by at least 100 positions. Check Point believes that the growth in ransomware is a symptom of the relative ease of broadly deploying ransomware once a variant is created, and also of the number of businesses simply paying ransoms to release critical data. This makes it a lucrative and attractive attack vector for cyber-criminals.  For the fifth consecutive month, HummingBad remained the most common malware used to attack mobile devices, but the number of detected incidents fell by more than 50 percent.

Check Point found the number of unique and active malware families had remained similar to previous months, as the use of malware stayed consistently high.  Overall, Conficker was the most prominent family accounting for 14 percent of recognized attacks; second placed JBossjmx accounted for 9 percent; and Sality was responsible for 9 percent, ranking in third place. In total, the top ten families were responsible for 57 percent of all recognized attacks.

August 2016 World Cyber Threat Map – click image to view the live interactive map

The map displays the risk index globally. Green = Low Risk   Beige = Medium Risk   Red = High Risk   White = Insufficient Data

August’s Top 10 “Most Wanted’ Malware

1. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
2. ↔ JBossjmx – Worm that targets systems having a vulnerable version of JBoss Application Server installed. This Worm exploits the JMX Console vulnerability identified by CVE-2010-0738. The malware creates a malicious JSP page on vulnerable systems that executes arbitrary commands. Moreover, another Backdoor is created that accepts commands from a remote IRC server.
3. ↔ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
4. ↑ Cutwail – Botnet mostly involved in sending spam emails, as well as some DDoS attacks. Once installed, the bots connect directly to the Command & Control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
5. ↑ Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
6. ↔ Zeus – Trojan that targets Windows platforms and often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
7. ↑ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomware to date. Cryptowall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
8. ↓ Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
9. ↔ RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
10. ↑ Gamarue – Used to download and install new versions of malicious programs, including Trojans and AdWare, on victim computers.

About the Check Point Threat Index

Check Point’s threat index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time.  The Threat Map is powered by Check Point’s ThreatCloud^TM intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors.  The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.