Malicious JavaScript takes a break after an “explosive” quarter of growth for ransomware

Even cybercriminals need to slow down every so often.

The latest quarterly threat summary from Proofpoint Inc. found that there was actually some calm after the storm by the time June rolled around, following some mounting threat activity in the preceding months.

“Attackers like to take breaks some times,” said Patrick Wheeler, director of threat intelligence at Proofpoint. According to the report, the first five months of the year were dominated by malicious email campaigns of unprecedented volume, and new ransomware variants emerged quickly. In addition, Dridex actors were distributing Locky ransomware and repeatedly shifted tactics with new loaders, document attachment types, and new techniques to evade detection.

But suddenly, there was a lull. At the end of May, one of the largest botnets in the world suddenly went dark, and this brought the Dridex and Locky distribution to a near halt. At the same time, the hugely popular Angler exploit kit — an all-in-one toolkit that largely automates web-based cyber attacks — also went silent. In fact, exploit kit traffic observed by Proofpoint dropped by 96 per cent between April and mid-June.

That meant the beginning of the summer was eerily quiet, said Wheeler, but it’s important to realize how busy cyber criminals have been from the beginning of 2016 up until this point. For example, JavaScript attachments led an explosion of malicious message volume – a whopping 230 per quarter over quarter. Many Locky and Dridex actors turned to JavaScript files attached to email messages to install payloads, he said. “These attacks were among the largest campaigns we have ever observed, peaking at hundreds of millions of messages a day.”

Ransomware remains a major threat, according to the report. While Locky dominated email, CryptXXX dominated EK traffic. Among email attacks that used malicious document attachments, 69 per cent featured the new Locky ransomware in Q2, compared to 24 per cent in Q1. Wheeler described the ransomware growth in this quarter as “explosive.” Overall, the number of new ransomware variants grew by a factor of 5 to 6 since Q4 2015.

The reason malicious JavaScript attachments and ransomware are flourishing, said Wheeler, is because they work. “They’re effective and they’re profitable.” He said all research points to the fact that attackers have become really good at leverage social engineering for their campaigns. “The emails and messages themselves are realistic looking,” he said. “Someone will always click.”

That’s why the lull in June should not be taken as a sign that enterprises can get complacent. “In general, when you see a new technique take off it’s because it’s working well.” Wheeler said it’s still important to have solutions in place that don’t just look into signature- based attacks.

Given the sheer volume of attacks coming through email, Proofpoint recommends investing in mail gateway solutions capable of detecting and preventing advanced attacks and those that do not involve malware to help minimize the number of threats coming into the network. Once these threats are in the network, malware and malicious traffic may be more difficult to detect and distinguish from legitimate business traffic.

Another interesting takeaway from Proofpoint’s quarterly report was that as many as 10 million Android devices were infected by a mobile exploit kit targeting multiple vulnerabilities to compromise devices, install fake apps, and push advertising to users without their consent. In particular, Proofpoint saw apps that used a “cocktail” approach, blending multiple vulnerabilities, each capable of taking over a device, to compromise as many versions of devices as possible.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Gary Hilson
Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now