Locky Ransomware Becomes Biggest Email-Borne Security Threat

There has been a downward trend in the volume of spam email being sent in recent years. Spam email volume has fallen from between 65% and 71% of total email traffic in 2014 to between 52% and 59% in 2016*; however, while total volume is down, malicious spam email volume is increasing. The latest figures from Proofpoint show a sharp rise in malicious spam email during quarter 2 of 2016. Malicious email volume increased by 230% quarter over quarter.

Locky Ransomware is Now the Biggest Email-Borne Threat

During the first quarter of 2016, the biggest email-borne threat was the Dridex banking Trojan; however, quarter 2 has seen Locky take over the number one spot. Locky, which was first discovered in February, has become highly prevalent and is now involved in 69% of email attacks involving malicious attachments. In Q1, Locky was involved in 24% of email-borne attacks on organizations. Both malware variants are delivered via JavaScript files attached to malicious spam email messages.

New ransomware is also being developed at an alarming pace. Since December 2015, the number of ransomware variants has increased five- to six-fold, according to the latest quarterly threat report from Proofpoint.

While vast quantities of spam emails are still being sent out at random, highly personalized campaigns are becoming much more common. Previously these tailored spam email campaigns have involved far lower volumes of emails. Now those campaigns involve tens of thousands of email messages.

There was a brief hiatus in Locky spam email campaigns towards the end of May/start of June; however, activity resumed on June 19 and large campaigns are being conducted once again. Earlier this year, Locky and Dridex were being sent out in spamming campaigns involving hundreds of millions of messages every day. Activity has not resumed at the same levels, although malicious spam volume is increasing dramatically.

Given the rise in malicious email volume, email gateway security solutions should be deployed to reduce the risk of malicious emails being delivered to end users. Anti-spam solutions should be configured to block executable files (.exe) and JavaScript files (.js) to reduce the risk of ransomware and malware attacks.
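As an added illustration of the attachment policy above (example code, not from the article or from Proofpoint's report), the following Python parses a message and flags attachments against the .exe/.js block list; the PE-header check and the one-level look inside zip archives are assumptions beyond what the article states, and the sample message is constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".exe", ".js")  # types the article says to block at the gateway
PE_MAGIC = b"MZ"  # DOS/PE header: catches an .exe renamed to slip past the extension rule

def _flag_name(filename, nested=False):
    if (filename or "").lower().endswith(BLOCKED_EXTENSIONS):
        return ("nested " if nested else "") + "blocked extension: " + filename
    return None

def inspect_attachment(filename, payload):
    """Return the reasons this attachment should be blocked (empty list if clean)."""
    reasons = [r for r in (_flag_name(filename),) if r]
    if payload.startswith(PE_MAGIC):
        reasons.append("PE executable content: " + filename)
    # Assumption beyond the article: look one level into zip archives too,
    # since a blocked file type can simply be wrapped in one.
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            reasons += [r for r in (_flag_name(m, True) for m in zf.namelist()) if r]
    return reasons

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = inspect_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_message():
    """Constructed test message (not a real campaign sample) with four attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"var a=1;", maintype="application", subtype="octet-stream", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "var b=2;")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application", subtype="octet-stream", filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags the bare .js, the zipped .js and the renamed executable, while the genuine PDF passes.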

Exploit Kit Activity is on the Increase

Exploit kit activity fell dramatically between April and June. By the middle of June, Angler EK activity had all but stopped. In Q1, Angler was the main exploit kit being used for drive-by downloads. Magnitude EK activity similarly stopped. By the middle of June, EK activity had dropped to 96% of pre-April levels; however, since the middle of June, EK activity has increased. Attackers have switched to the Neutrino EK to deliver ransomware and malware. CryptXXX ransomware now dominates the EK landscape.

Proofpoint has also tracked phishing campaigns and reports an increase of 150% in social media phishing attempts during the first six months of 2016, compared to the same period in 2015. BEC attacks on organizations have similarly increased. Proofpoint reported that 80% of its customers had received at least one targeted BEC message in the last 30 days. BEC attacks are also evolving and are now being sent to larger groups of individuals in targeted organizations.

Proofpoint reports that mobile devices are increasingly being attacked by cybercriminals via exploit kits, with as many as 10 million Android devices infected with malware during Q2, 2016. The malware is being used to push advertising and install fake apps on devices. In the main, attacks are occurring on devices running Android v5.1 or earlier.

*Statista – Global spam volume as a percentage of total email traffic

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.