Locky Top Malware Threat for Q2

Friday, July 29, 2016 @ 01:07 PM gHale


Ransomware is still in a phase of massive growth, and the most prevalent family in that malware category is Locky, a new report found.

The Locky ransomware family was created and distributed by one of the largest cyber-crime syndicates around, the same group behind the Dridex banking Trojan.


Locky first appeared on the scene at the start of this year and steadily gained traction, with infection numbers growing each week, according to a quarterly report from security vendor Proofpoint.

The ransomware spread not only via spam messages but also via exploit kits. Nevertheless, spam was Locky’s main distribution method, either via malicious Office files containing macro scripts or via ZIP archives containing malicious JavaScript files.

Spam distribution ran at record levels for most of the first half of the year, from January to May, with Proofpoint detecting hundreds of millions of spam messages per day in some periods.

Spam numbers took a dive in June, when one of the Dridex gang’s main botnets, Necurs, responsible for distributing Locky ransomware, shut down for three weeks.

Necurs eventually came back online toward the end of June, but the three-week outage still left overall malware distribution quieter than in the previous quarter.

Nevertheless, when it was active, the botnet helped Locky win the top spot as the second quarter’s most active malware threat. Locky dominated spam distribution in the second quarter, replacing the Dridex Trojan as the most popular spam malware, while the CryptXXX ransomware remained the favorite malware spread via exploit kits, according to the report.

Malicious JavaScript files attached to email spam exploded in popularity, growing 230 percent compared to Q1. Many of today’s malware families now rely on this trick, but it was Locky and Dridex that made the distribution method popular.
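Both attachment tricks the report singles out (macro-laden Office files and ZIP archives wrapping a JavaScript file) can be triaged at a mail gateway from the container structure alone, without opening the document or running the script. The Python below is an added example, not code from Proofpoint or from the article: it inspects a ZIP directory for Windows script host files and for an embedded VBA project, and applies a labelled heuristic to legacy OLE documents. The sample attachments are constructed inline and contain no real malware; the function and sample names are hypothetical.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions that Windows hands to wscript/cscript/mshta when double-clicked
# from an extracted archive; the Locky and Dridex spam runs used .js files.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Macro-enabled OOXML documents (.docm/.xlsm/.pptm) are ZIPs that store their
# VBA project under one of these member names.
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2)


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inspect_attachment(filename, data):
    """Return a Verdict listing why an attachment matches the Locky/Dridex
    lure patterns. Only the container is examined; nothing is executed."""
    v = Verdict(filename)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            v.reasons.append("corrupt or truncated ZIP container")
            return v
        for member in names:
            if _ext(member) in SCRIPT_EXTENSIONS:
                v.reasons.append(f"script host file in archive: {member}")
            if member in MACRO_MEMBERS:
                v.reasons.append(f"embedded VBA project: {member}")
    elif data.startswith(OLE_MAGIC):
        # OLE directory entry names are UTF-16LE, so a VBA storage shows up as
        # "V\0B\0A\0". Heuristic only (assumption); use a real OLE parser such
        # as oletools for an authoritative answer.
        if "VBA".encode("utf-16-le") in data:
            v.reasons.append("legacy OLE document with a VBA storage")
    elif _ext(filename) in SCRIPT_EXTENSIONS:
        v.reasons.append("bare script file attached")
    return v


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (no real malware): a ZIP carrying a .js stub,
# a macro-enabled .docm, and two benign files for comparison.
SAMPLES = {
    "invoice_3819.zip": _zip_bytes({"invoice_3819.js": "// downloader stub placeholder"}),
    "order_confirmation.docm": _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00" * 64,
    }),
    "holiday.zip": _zip_bytes({"beach.jpg": b"\xff\xd8\xff\xe0"}),
    "minutes.docx": _zip_bytes({"word/document.xml": "<w:document/>"}),
}


def triage(samples=SAMPLES):
    """Run every sample through inspect_attachment; returns {name: Verdict}."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        flag = "BLOCK" if verdict.suspicious else "allow"
        print(f"{flag:5} {name}: {'; '.join(verdict.reasons) or 'no indicators'}")
```

A gateway policy built on this would quarantine anything `suspicious` and let the rest through; the ZIP check also catches a `.docm` renamed to `.zip`, since it keys on member names rather than the outer extension.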

The Angler and Nuclear exploit kits, which shut down in June and May respectively, were more popular than many people thought, and after their shutdowns, traffic to exploit kits went down 96 percent worldwide.

Despite this, Proofpoint also registered growing use of exploit kits capable of infecting mobile devices. The company reports that over ten million Android devices were compromised this way in the second quarter alone.

Overall, Android malware accounted for 98 percent of the entire mobile malware scene, the report said.