What a Spring! Proofpoint Q2 Threat Summary Tracks Ransomware, Exploit Kits, and More

July 25, 2016

Overview

The first five months of 2016 were dominated by malicious email campaigns of unprecedented volume. New ransomware variants emerged quickly. Meanwhile, Dridex actors began distributing Locky ransomware and repeatedly shifted tactics with new loaders, document attachment types, and obfuscation techniques to evade detection.

Then at the end of May, one of the largest botnets in the world - the so-called Necurs botnet - suddenly went dark. The change brought Dridex and Locky distribution to a near halt. At the same time, the hugely popular Angler exploit kit (EK)—an all-in-one toolkit that largely automates web-based cyber attacks—went silent. Together, these shifts led to an eerily quiet June.

Even as these changes rippled through the industry, social media threats such as fraudulent customer service accounts continued to proliferate. Mobile threats also targeted multiple vulnerabilities and the mobile space looked increasingly like the desktop space, complete with exploit kits and adware.

Below are key takeaways from the second quarter of 2016.

Key Takeaways

  • JavaScript attachments led an explosion of malicious message volume – 230% quarter over quarter. Many Locky and Dridex actors turned to JavaScript files attached to email messages to install payloads. These attacks were among the largest campaigns we have ever observed, peaking at hundreds of millions of messages a day.
  • Locky dominated email, while CryptXXX dominated EK traffic. Among email attacks that used malicious document attachments, 69% featured the new Locky ransomware in Q2, versus 24% in Q1. That surge propelled Locky into the top spot for email-based malware, displacing Dridex. CryptXXX appeared on the scene in Q2 and quickly dominated the EK landscape. Overall, the number of new ransomware variants (most distributed by EKs) grew by a factor of 5 to 6 since Q4 2015.
  • Threat actors conducted highly personalized campaigns at scales of tens to hundreds of thousands of messages. This is a change from the much smaller campaigns that have used personalized and targeted lures in the past.
  • Business email compromise (BEC) attempts continued to evolve. Attackers changed lures based on seasonal events such as tax reporting. They also varied their approaches to increase the effectiveness and scale of the attacks.
  • EK traffic we observed dropped by 96% between April and mid-June. The Necurs botnet went offline in June, silencing the massive Locky and Dridex campaigns that defined the first half of 2016. Traffic from the Angler EK had completely disappeared by early June, shortly after the Nuclear EK had shuttered operations. That left Neutrino as the top EK by the end of June.
  • By the end of June, the first large Locky email campaigns were beginning again with all signs pointing to a return of the Necurs botnet. It remains to be seen how the EK landscape will shake out over the next quarter.
  • As many as 10 million Android devices were compromised by EKs. The EKs targeted multiple vulnerabilities that let attackers take control of the devices. In most cases this control was used to download adware that generated profits for threat actors.
  • 98% of mobile malware is still associated with the Android platform. This proportion is holding steady from last quarter.
  • Social media phishing attempts rose by 150%. Organizations continued to cope with spam, adult content, and other issues that overwhelmed their ability to resolve the issues manually.

Read the full Q2 Threat Summary.