Malware Takes a Christmas Break in December’s Global Threat Index

Global malware attacks decreased by 8% in December compared with the previous month, with the popular Locky ransomware recording a huge 81% week-on-week decrease, according to the latest monthly Global Threat Index from Check Point’s Threat Intelligence Research Team.

This isn’t an invitation to businesses to sit back and relax, however. Our team predicts that this lull really is due to malicious cybercriminals taking a Christmas break – and, following the same trends last year, when December recorded a 9% drop in the number of malware attacks worldwide, we expect attack volumes to bounce back in January.

The Global Threat Index tracks malware attacks against organizations worldwide and ranks the top ten malware families in order of prevalence. Locky ransomware, which started its distribution in February 2016 and rapidly rose up the rankings, has gone from being the world’s second most prevalent malware in November to dropping out of the top ten altogether in December. Locky spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user’s files. Many of these emails are sent via massive spam campaigns – and our global sensors recognized a fall in spam campaign activity in December too.

Yet again, Conficker retained its position as the world’s most prevalent malware, though it was responsible for about 10% of all malware attacks, compared with 15% in November. In second place, Nemucod, a JavaScript or VBScript downloader commonly used to download ransomware variants or other malicious payloads, moved up the rankings and was responsible for 5% of recognized attacks. Nemucod was followed in third place by Slammer, a very old worm that seems to have resurfaced, with 4% of all attacks. Overall, the top ten malware families were responsible for 42% of all known attacks.

December’s Top 10 ‘Most Wanted’ Malware

  1. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  2. ↑ Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
  3. ↑ Slammer – Memory resident worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
  4. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  5. ↑ RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
  6. ↓ Cutwail – Botnet mostly involved in sending spam e-mails, as well as some DDOS attacks. Once installed, the bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
  7. ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  8. ↓ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  9. ↓ Parite – Virus which infects executable files (EXE and SCR) on the infected host and on network drives. It drops a malicious DLL file into the Windows temporary directory, which is injected into the explorer.exe process when an infected file is executed.
  10. ↓ Virut – Botnet that is known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).
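The Locky delivery chain described above (spam email, a Word or Zip attachment hiding a downloader, then the ransomware itself) and the Nemucod entry in the list share the same first stage: a script or macro document arriving as a mail attachment. The following is an added example, not Check Point code, of how a mail gateway or SOC script could triage that first stage before it reaches a user. It parses one RFC 822 message, walks the attachments (including members of zip archives), and flags script-downloader extensions and macro-bearing Office documents. The extension sets, size limits, the macro heuristic and the sample message are all assumptions constructed for the example.

```python
"""Attachment triage for the spam-attachment-downloader chain described above.

Added example (not Check Point's code). Extension lists, limits and the
macro heuristic are assumptions; the sample message is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# First-stage file types drawn from the text: JavaScript/VBScript downloaders
# (Nemucod) and Word lures, often wrapped in a zip. Assumed lists.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
OFFICE_EXTS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # refuse to inflate huge archive members
MAX_NESTING = 3                      # zip-in-zip depth we are willing to walk


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _looks_macro_enabled(data):
    """Heuristic: OOXML macro documents contain a 'vbaProject.bin' member name,
    and legacy OLE documents carry a UTF-16 'Macros' storage name."""
    if b"vbaProject.bin" in data:
        return True
    ole_magic = b"\xd0\xcf\x11\xe0"
    return data[:4] == ole_magic and "Macros".encode("utf-16-le") in data


def _walk(name, data, depth, out):
    """Classify one file; descend into zip archives up to MAX_NESTING."""
    ext = _ext(name)
    if ext == ".zip" and depth < MAX_NESTING:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        out.append((member, "oversized archive member skipped"))
                        continue
                    _walk(member, zf.read(info), depth + 1, out)
        except zipfile.BadZipFile:
            out.append((name, "corrupt or non-zip archive"))
        return
    if ext in SCRIPT_EXTS:
        out.append((name, "script downloader candidate"))
    elif ext in OFFICE_EXTS and _looks_macro_enabled(data):
        out.append((name, "macro-enabled Office document"))


def triage_message(raw):
    """Parse one RFC 822 message (bytes) and return a list of (path, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        _walk(name, data, 0, findings)
    return findings


def build_sample_message():
    """Constructed sample: an invoice lure with a zip-wrapped .js plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0481.js", "// constructed placeholder, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed benign placeholder",
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in triage_message(build_sample_message()):
        print(f"{reason}: {path}")
```

The member-size cap and nesting limit matter in practice: a gateway that inflates every archive it sees is itself a denial-of-service target, so the walker skips oversized members and records that it did so rather than silently passing them.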

December’s Top 3 ‘Most Wanted’ Mobile Malware

Check Point’s research also revealed the most prevalent mobile malware during December 2016, and once again attacks against Android devices were significantly more common than attacks against iOS. The top three mobile malware families were:

  1. ↔ Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  2. ↔ Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware, helping it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. ↔ Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.

We don’t often think about the human faces behind sophisticated, insidious cyberattacks, but we should. Malicious cybercriminals take holidays too, and the decrease in global malware attacks in December follows the same pattern as last year. We fully expect malware attacks to jump up again in the New Year – so rather than resting on their laurels, organizations should be getting their houses in order fast.

Locky was one of the biggest malware success stories of 2016, going from being a brand new ransomware variant in February to second in the global table by November, so we will definitely continue to monitor it with interest in 2017. Time will tell as to whether cybercriminals are moving onto new variants or whether Locky has simply taken a Christmas vacation.

Advanced threat prevention measures are absolutely essential, on mobile devices and endpoints as well as networks themselves. This is why we developed solutions like Check Point’s SandBlast™ Zero-Day Protection, Threat Extraction, and Mobile Threat Prevention solutions, which identify and extract malware at the pre-infection stage.