Ransomware Attacks Spike Globally in November’s ‘Most Wanted’ Malware List

Ransomware attacks continued to rise worldwide during November, according to the latest monthly Global Threat Index from Check Point’s Threat Intelligence Research Team.   Ransomware attacks using the Locky and Cryptowall variants both increased by 10% in November from the previous month.


The research team found that both the number of active malware families and number of attacks remained close to an all-time high, as the number of attacks on business networks continued to be relentless.  For the first time, the Locky ransomware was the No.1 malware family in the largest amount of countries (34 worldwide) compared to Conficker, which was the top malware in 28 countries, and Cryptowall in 10 countries – highlighting the growing threat posed to corporate networks by ransomware.


Even so, Conficker retained its position as the world’s most prevalent malware, responsible for 15% of recognized attacks because of its wide distribution.  Second-placed Locky, which only started its distribution in February of this year, was responsible for 6% of all attacks and third-placed Sality was responsible for 5% of known attacks. Overall the top ten malware families were responsible for 45% of all known attacks.


The fastest-growing malware observed during November was the Ramnit banking trojan, which entered the top 10 ranking for the first time at No. 6.  It more than doubled its infections, and was mainly seen in Turkey, Brazil, India, Indonesia and the U.S.   Ramnit is used to steal banking credentials, FTP passwords, session cookies and personal data.


For the eighth consecutive month, HummingBad remained the most common malware used to attack mobile devices.



November 2016 World Cyber Threat Map – click image to view the live interactive map

The map displays the risk index globally.  Green = Low Risk   Beige = Medium Risk   Pink = Higher Risk   Red = High Risk   White = Insufficient Data


November’s Top 10 ‘Most Wanted’ Malware

  1. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  2. ↔ Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
  3. ↑ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  4. ↔ Cutwail – Botnet mostly involved in sending spam e-mails, as well as some DDOS attacks. Once installed, the bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
  5. ↑ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  6. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ Parite – Virus which infects executable files (EXE and SCR) on the infected host and on network drive. It drops a malicious DLL file into the Windows temporary directory which is injected into the explorer.exe process when an infected file is executed.
  8. ↑ Virut – Botnet that is known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites)
  9. ↓ Tinba – Banking Trojan which steals the victim’s credentials using web-injects, activated as the users try to login to their bank website.
  10. ↓ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.


November’s Top 3 mobile malware

  1. ↔ Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  2. ↔ Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. ↑ Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.


Nathan Shuchami, Head of Threat Prevention at Check Point explained: “Ransomware attacks are still growing in volume for a simple reason – they work, and generate significant revenues for the attackers.  Organizations are struggling to effectively counteract the threat posed by this insidious attack form:  many simply don’t have the right defenses in place, and may not have educated staff on how to recognize the signs of a potential ransomware attack in incoming emails.  This of course only makes it even more attractive to criminals.


“Organizations must use advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, such as Check Point’s SandBlast™ Zero-Day Protection, Threat Extraction, and Mobile Threat Prevention solutions, to ensure that they are adequately secured against the latest threats,” added Shuchami.


About the Check Point Threat Index

Check Point’s Threat Index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time.  The Threat Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.