Threat Management, Threat Management

69% of email attacks with malicious attachments in Q2 contained Locky

The first five months of 2016 were dominated by malicious email campaigns, the quick emergence of new ransomware variants, one of the largest botnets in the world went dark, and the Angler exploit kit (EK) went silent—all leading to a strangely quiet June.


Proofpoint has published its quarterly Threat summary, which analyses how these threats shift quarter over quarter by capturing trends and transformation.


JavaScript attachments led an explosion of malicious message volume – 230 percent quarter over quarter. Many Locky and Dridex actors turned to JavaScript files attached to email messages to install payloads, noted as some of the largest campaigns ever observed.


More than two thirds (69 percent) of email attacks using malicious document attachments featured the new Locky ransomware in Q2, versus 24 percent in Q1. Locky took the top spot for email-based malware away from Dridex. CryptXXX appeared on the scene in Q2 and dominated the EK landscape. New ransomware variants grew by a factor of five to six since Q4 2015.


Threat actors conducted highly personalised campaigns at scales of tens to hundreds of thousands of messages, a change from the much smaller campaigns previously using personalised and targeted lures.


Many (80 percent) of a representative sample of Proofpoint customers experienced at least one BEC phishing attack in the last month. Attackers also changed lures based on seasonal events and varied their approaches to increase the effectiveness and scale of the attacks.


Between April and mid-June, exploit kit traffic dropped by 96 percent. The Necurs botnet, one of the largest in the world, went offline in June silencing the Locky and Dridex campaigns defining the first half of 2016. Angler EK traffic disappeared by early June.


By end of June, the first large Locky email campaigns were beginning again with all signs pointing to a return of the Necurs botnet.


Exploit kits targeted multiple vulnerabilities that let attackers take control of 10 million Android devices. The control was mainly used to download adware that generated profits for threat actors.


Holding steady from last quarter, 98 percent of mobile malware is still associated with the Android platform.

Social media phishing attempts grew by 150 percent. Organisations continue to cope with spam, adult content and other issues that overwhelmed their ability to manually fix the issues.


Proofpoint offered several recommendations to protect yourself against the latest attacks:


  • Invest in mail gateway solutions capable of detecting and preventing advanced attacks and those that don't involve malware.

  • Never allow emails with attached executable code to be delivered or people to share code over email.

  • Deploy security solutions that give you visibility into your social media risks and train your people to recognise social media phishing attempts.

  • Deploy security solutions that can correlate activity across threat vectors to block future attacks and more easily detect those that do get through.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.