Check Point’s latest Global Threat Index reveals that cryptomining malware continues to severely impact organizations


During the month of February, cryptominers affected 42% of organizations around the world, according to Check Point’s Global Threat Index’s monthly Top Ten Most Prevalent Malware.


In February, Coinhive retained its spot as the most prevalent malware with an impact on 20% of organizations worldwide, followed by Cryptoloot in second with 16% and Rig Exploit Kit in third impacting 15% of organizations.


For the first time, Cryptoloot entered the top three in the index. Aiming to compete with Coinhive, Cryptoloot has been trying to corner the cryptomining market by taking less revenue from websites while widening its range of targets. As a result, the variant more than doubled its global impact — from 7% in January to 16% during February.


Over the past four months, cryptomining malware has steadily increased as a threat to organizations, as it continues to prove lucrative for criminals. Besides slowing down PCs and servers, cryptomining malware has the capability of other malicious activities once inside the system. It is critical that organizations have the solutions in place that protect against new, large-scale and fast moving Gen V (5th Generation) cyber-attacks.


February 2018’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Crypto-Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s approval.
  2. ↑ Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency.
  3. ↔ Rig ek – Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer
  4. ↑ JSEcoin – JavaScript miner that can be embedded in websites.
  5. ↓ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware.
  6. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader.
  7. ↑ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
  8. ↓ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts.
  9. ↑ Virut – Botnet known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-per-install activities.
  10. ↓ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

Triada, a modular Backdoor for Android, was the most popular malware used to attack organizations’ mobile estates followed by the Lokibot and Hiddad.


February’s Top 3 ‘Most Wanted’ mobile malware:

  1. Triada –  Modular Backdoor for Android which grants superuser privileges to downloaded malware.
  2. Lokibot – Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone.
  3. Hiddad– Android malware which repackages legitimate apps then releases them to a third-party store.


The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.


Worldwide map of cryptomining malware attacks in the threat landscape

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.



Check Point’s Threat Prevention Resources are available at: