Malicious JavaScript takes a break after an “explosive” quarter of growth for ransomware


Even cybercriminals need to slow down every so often.

The latest quarterly threat summary from Proofpoint Inc. found that there was actually some calm after the storm by the time June rolled around, following some mounting threat activity in the preceding months.

“Attackers like to take breaks sometimes,” said Patrick Wheeler, director of threat intelligence at Proofpoint. According to the report, the first five months of the year were dominated by malicious email campaigns of unprecedented volume, and new ransomware variants emerged quickly. In addition, Dridex actors were distributing Locky ransomware and repeatedly shifted tactics with new loaders, new document attachment types, and new techniques to evade detection.

But then came a lull. At the end of May, one of the largest botnets in the world went dark, bringing Dridex and Locky distribution to a near halt. At the same time, the hugely popular Angler exploit kit — an all-in-one toolkit that largely automates web-based attacks — also went silent. In fact, exploit kit traffic observed by Proofpoint dropped by 96 per cent between April and mid-June.

That meant the beginning of the summer was eerily quiet, said Wheeler, but it’s important to realize how busy cyber criminals had been from the beginning of 2016 up until this point. For example, JavaScript attachments led an explosion in malicious message volume, up a whopping 230 per cent quarter over quarter. Many Locky and Dridex actors turned to JavaScript files attached to email messages to install their payloads, he said. “These attacks were among the largest campaigns we have ever observed, peaking at hundreds of millions of messages a day.”

Ransomware remains a major threat, according to the report. While Locky dominated email, CryptXXX dominated EK traffic. Among email attacks that used malicious document attachments, 69 per cent featured the new Locky ransomware in Q2, compared to 24 per cent in Q1. Wheeler described the ransomware growth in this quarter as “explosive.” Overall, the number of new ransomware variants grew by a factor of 5 to 6 since Q4 2015.

The reason malicious JavaScript attachments and ransomware are flourishing, said Wheeler, is because they work. “They’re effective and they’re profitable.” He said all research points to the fact that attackers have become very good at leveraging social engineering for their campaigns. “The emails and messages themselves are realistic looking,” he said. “Someone will always click.”

That’s why the lull in June should not be taken as a sign that enterprises can get complacent. “In general, when you see a new technique take off it’s because it’s working well.” Wheeler said it’s still important to have defences in place that don’t rely solely on signature-based detection.

Given the sheer volume of attacks arriving by email, Proofpoint recommends investing in mail gateway solutions capable of detecting and blocking both advanced malware-based attacks and attacks that do not involve malware at all, to minimize the number of threats that reach the network. Once a threat is inside the network, its malware and malicious traffic may be far harder to detect and to distinguish from legitimate business traffic.
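The attachment pattern described above (a JavaScript file, often wrapped in a ZIP, that runs under Windows Script Host and pulls down the Locky or Dridex payload) is exactly the kind of thing a gateway policy rule can block without any signature. The script below is an added example, not Proofpoint’s product logic or any code from the report: it parses an e-mail, walks its attachments, looks inside ZIP archives, and flags any file with a scriptable extension. The extension list and the constructed sample message are assumptions for illustration.

```python
"""Flag scriptable attachments (.js, .jse, .wsf, .vbs, .hta, ...) in an e-mail,
including files nested inside ZIP archives, the way a mail gateway policy rule
would. Added example; the extension list below is an assumption for illustration."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows Script Host / mshta execute on double-click.
# Assumed list for this example; a production rule set would be broader.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    """Last extension, lower-cased, so 'Invoice.pdf.js' is treated as .js."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_archive(data: bytes, container: str) -> list:
    """Return 'container!member' for each scriptable member of a ZIP payload."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and _ext(info.filename) in SCRIPT_EXTENSIONS:
                    findings.append(f"{container}!{info.filename}")
    except zipfile.BadZipFile:
        # An attachment that claims to be a ZIP but will not parse is itself suspicious.
        findings.append(f"{container} (unparseable archive)")
    return findings


def scan_message(raw: bytes) -> list:
    """Return the names of attachments that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(name)
        # Check the magic bytes too, so a ZIP renamed to .dat is still opened.
        elif ext in ARCHIVE_EXTENSIONS or payload.startswith(ZIP_MAGIC):
            findings.extend(scan_archive(payload, name))
    return findings


def build_sample() -> bytes:
    """Constructed lure: an 'invoice' ZIP holding an inert .js, plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.js", "// constructed, inert stand-in for a downloader\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print("BLOCK:", hit)
```

Run against the constructed message, it reports only `Invoice.zip!Invoice_2016.js`; the PDF passes. The check is deliberately content-agnostic, which is the point Wheeler makes: a rule on what the attachment *is* keeps working when the loader inside is repacked to dodge signatures.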

Another interesting takeaway from Proofpoint’s quarterly report was that as many as 10 million Android devices were infected by a mobile exploit kit that targets multiple vulnerabilities to compromise devices, install fake apps, and push advertising to users without their consent. In particular, Proofpoint saw apps that took a “cocktail” approach, blending several vulnerabilities, each capable of taking over a device on its own, in order to compromise as many device versions as possible.
