September’s ‘Most Wanted’ Malware List: Ransomware in Top 3 for First Time

The Check Point Research Team revealed this week that ransomware attacks continued to rise in September. For the first time since the team launched the Threat Index, ransomware moved into the top three position of the most prevalent malware, with the Locky ransomware accounting for 6 percent of all recognized attacks globally during the month. The relative presence of ransomware attacks, within the total number of global attacks, increased by 13 percent. In line with recent trends, the number of active malware families remained high, with three new entries making the top ten, including Chanitor, a downloader for malicious payloads, the Blackhole exploit kit, and Nivdort, a multipurpose bot. For the sixth consecutive month HummingBad remained the most common malware used to attack mobile devices.

Overall, Conficker was the most prominent family accounting for 14 percent of recognized attacks; second placed Sality accounted for 6 percent; and third placed Locky was responsible for 6 percent. In total, the top ten families were responsible for 50 percent of all recognized attacks.



September 2016 World Cyber Threat Map – click image to view the live interactive map
The map displays the risk index globally. Green = Low Risk   Beige = Medium Risk   Pink = Higher Risk   Red = High Risk   White = Insufficient Data


September’s Top 10 ‘Most Wanted’ Malware

  1. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  2. ↑ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  3. Locky – Ransomware that started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
  4. ↔ Cutwail – Botnet mostly involved in sending spam e-mails, as well as some DDoS attacks. Once installed, the bots connect directly to the Command & Control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
  5. ↑ Zeus – Trojan that targets Windows platforms and is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  6. ↑ Chanitor – Downloader used to install malicious payloads (such as banking trojans) on infected machines. Chanitor is usually delivered in Phishing emails with “important” messages such as voicemails, faxes or invoices.
  7. ↑ Tinba – Banking trojan which steals the victim’s credentials using web-injects, activated as the users try to login to their banking website.
  8. Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  9. ↑ Blackhole – Exploit kit that incorporates many web browser and plugin security flaws in order to provide hackers with a high probability of successful exploitation and malware delivery.
  10. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.


September’s Top 3 ‘Most Wanted’ Mobile Malware

Mobile malware families continued to pose a significant threat to businesses mobile devices during September. The top three mobile families include:

  1. HummingBad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  1. ↑Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  1. ↓ Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.


About the Check Point Threat Index

Check Point’s Threat Index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time.  The Threat Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.