The top three malware families in May impacted a quarter of the globe's organizations with zero-day attacks, according to Check Point's latest Global Threat Impact Index.
Fireball struck one in five organizations worldwide, RoughTed hit 16% and WannaCry struck at 8%, said the study from the Check Point Research Team.
The scourge illustrated how cybercriminals are using a wide range of attack vectors to go after every stage of the infection chain, the researchers found.
For example, Fireball usurps browsers and transforms them into zombies. The attackers can then drop additional malware or siphon out credentials.
RoughTed is a large-scale malvertising campaign. Meanwhile, WannaCry takes advantage of EternalBlue, a Windows SMB exploit, and spreads into networks.
There are a number of other variants that made Check Point's Top 10 Malware for May, including Jaff, another ransomware that, the researchers said, illustrated just how profitable this vector is for the miscreants behind the campaigns.
May 2017's Top 10 ‘Most Wanted' Malware:
*The arrows relate to the change in rank compared to the previous month.
- ↑ Fireball – Browser hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
- ↑ Roughted – Large-scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
- ↑ WannaCry – Ransomware which was spread in a large scale attack in May 2017 utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks.
- ↓ Slammer – Memory resident worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
- ↓ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
- ↓ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
- ↑ Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
- ↑ Jaff – Ransomware which began being distributed by the Necrus botnet in May 2017.
- ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
In mobile malware, Hummingbad returned to first place and was closely followed by Hiddad and Triada:
Top 3 ‘Most Wanted' mobile malware:
- Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
- Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
- Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
Ransomware is not going away, the report stated, further pointing out that organizations should be aware that the financial consequences of such attacks extend beyond the initial invasion.
"Restoring key services and repairing reputational damage can be a very long and expensive process," the researchers explained. "Organizations in every industry sector need a multi-layered approach to their cybersecurity."