Talk to our sales

Ask our sales for anything related to our company or services:

The Storm After the Calm

Q3 Threat Summary tracks Locky ransomware, social threats, BEC, and more

The Proofpoint Quarterly Threat Summary captures threats, trends and transformations we see within our customer base and in the wider security market. Each day, we analyze more than 1 billion email messages, hundreds of millions of social media posts, and more than 150 million malware samples to protect organizations from advanced threats. That gives us a unique vantage point from which see data and trends across the entire threat landscape.

We continue to see sophisticated threats across three primary vectors: email, social media and mobile. These threats unfold well outside the network perimeter and conventional cybersecurity tools meant to protect it.

Key Takeaways: The storm after the calm

Cyber threats shifted dramatically in the third quarter, as the relative quiet of the second quarter gave way to explosions in both the volume of campaigns and the variety of threats. Attackers further honed their ability to target attacks and evade conventional cyber defenses. Ransomware came roaring back in record volumes and new forms. At the same time, malware designed to steal bank account credentials surged in highly tailored attack campaigns.

As users continued to flock to social media and mobile devices, attackers followed—often using the two technologies together. Cyber criminals piggybacked off popular brands and apps to trick people into downloading malware and hand over login credentials.

Below are key takeaways from the quarter.

Email and Exploit Kits

  • The volume of malicious email that used JavaScript attachments rose 69% vs. Q2 to their highest levels ever. New campaigns bearing varied attachment types broke volume records set in Q2, peaking at hundreds of millions of messages per day. JavaScript attachments continued to lead these very large email campaigns, with Locky ransomware actors also introducing new file attachment types—likely in attempts to bypass traditional defenses. JavaScript attachments, often disguised as other attachment types, can be confusing to users, making them especially effective in email attacks.

  • Most emails with malicious documents attached featured the popular ransomware strain Locky. Among the billions of messages that used malicious document attachments, 97% featured Locky ransomware, up 28% from Q2 and 64% from Q1, when Locky was discovered. Like other strains of ransomware, Locky encrypts victims’ data, demanding a payment to unlock it.
  • The variety of new ransomware variants grew tenfold over Q4 2015. . The variety of ransomware continued to increase, especially strains delivered by exploit kits (EK). Among these EK-distributed variants, and in smaller email campaigns, CryptXXX remained the dominant ransomware payload, even appearing in a spam campaign. Ransomware can be disruptive and costly, especially as new variants make detection trickier.


  • Cyber criminals continue to hone their techniques in business email compromise (BEC) attacks. In BEC attacks, impostors pose as a high-ranking executive to trick his or her colleagues into wiring money. “Reply-to” spoofing has fallen roughly 30% since early 2016, while “display name” spoofing rose, making up about a third of all BEC attacks.1 The shift shows that attackers continue to evolve and adjust their techniques. None of this has displaced “ordinary” credential phishing, which continues to get more sophisticated. BEC and many phishing attacks do not involve or malicious attachments, relying instead on social engineering, which makes detecting them with conventional security tools especially hard.
  • Banking Trojans diversified and personalized. . After a period of relative quiet, the popular banking Trojan Dridex reemerged in larger campaigns. Dridex, had appeared in smaller-scale and targeted campaigns in Q2. Other banking Trojans such as Ursnif also appeared in highly personalized campaigns totaling tens to hundreds of thousands of messages, a trend that began in Q2 and continued into Q3. At the same time, a wide range of banking Trojans were used in malvertising—malicious code embedded into online ads—or dropped by EKs in other browser-based attacks. These large but highly targeted campaigns are difficult to detect without intelligent protection.
  • Exploit kit activity held steady but remains far below the peaks of 2015. Total observed EK activity fell 65% in Q3 from Q2 and is down 93% from its 2016 high in January, though the slide appears to have leveled off. With once-popular Angler gone, Neutrino gave way to RIG as the dominant EK over the course of Q3. The shift portends a greater number and variety of exploit kits, which could pose a challenge to cybersecurity tools.


  • Pokémon GO-related malware spawned malicious counterfeits. Malware in the form of malicious side-loaded clone apps, dangerous add-ons, and other risky apps grew out of the game’s popularity. Users can download apps from anywhere, and even the major app stores offer only limited screening of apps and updates. That means many users have no way of knowing whether the apps they download are truly secure.
  • Mobile exploit kits and zero-day attacks targeted iOS and Android. Most mobile devices today have 10-20 exploitable zero-day flaws. Roughly 30% of those are serious and could allow attackers to run malicious code on infected devices. Because many devices in the workplace are employee-owned, most enterprises have little visibility into mobile threats in their environment.

Social Media

  • Negative content is up. Negative or potentially damaging content such as spam, adult language, and pornography rose 50% over Q2. When this type of content appears on a brand’s social media account—or one set up by an impostor—customers flee.
  • Social phishing has doubled since Q2. Social media is a breeding ground for credential and financial phishing, where attackers trick social media users into handing over account credentials. Fraudulent accounts—used for a type of attack we call angler phishing—led the way. Because these attacks take place on social media networks, well outside the network parameter and not on enterprise-owned accounts, traditional security tools are blind to them.
  • Cross-pollination between mobile and social takes off. High-profile phenomena such as the Rio Olympics and Pokémon GO created openings to spread mobile malware, including mobile zero-day exploits, over social media. Traditional security tools have little visibility into either channel.


Proofpoint Recommendations

Based on the developments in the threat landscape detailed in this report, we recommend the following to protect yourself against the latest attacks:

  • Preventing ransomware infections at the email and network gateways remains the best strategy for reducing costs and ensuring business continuity. Ransomware variants that do not rely on communication to C&C servers can evade network and endpoint-based solutions that focus detection on attempts to communicate with malicious IPs. Use security solutions that can share intelligence across various attack vectors (email, network, endpoint, and so on). Focus on catching threats before they enter your network and reach people.
  • Ransomware also has a people and process component that technology alone cannot solve. The large volume of ransomware-dominated email campaigns makes it doubly important to regularly back up your organization’s data. IT and security departments should also have a plan and process in place for restoring data in case of an attack. With ransomware, backing up data is both a prevention and remediation step. So are education and training to recognize and report it.
  • Low-volume, personalized campaigns can be more difficult to detect. Invest in security solutions with predictive and behavioral detection capabilities so similar threats with different hash values can still be recognized and stopped.
  • Be aware of fake, malicious apps piggybacking off popular apps. Never download apps from rogue marketplaces, even if they look like the real thing. Your mobile device can be infected even without jailbreaking the OS.
  • Mobile vulnerabilities are more common than you think. Updating apps to their latest version is always wise. But that alone won’t tell you if you already have a risky or malicious app on your device. Invest in mobile threat defense solutions to scan for compromised apps on devices in your environment and alert you to risky and malicious app behavior.
  • Be aware of risks to your brand through attackers’ use of fraudulent social media sites. Invest in tools that provide visibility into your organization’s social media footprint and alert on fraudulent uses of your brand. Train your people to be mindful of clicking on links on social media sites, especially those advertising downloads to “too good to be true” deals or cashing in on popular trends. Have them always double-check that the social media site they visit is an organization’s official site and not a fraudulent lookalike. Look for clues such as number of followers, verified account badges, and registered domains listed in web links.