Video: Cerber, Locky, Kovter top malware families in 2016: Malwarebytes

Between the constant talk of the U.S. elections being hacked, organizations being hit daily by ransomware and webcams being drafted into botnet armies and used to take down major internet organizations, 2016 was a year for the record books.

Ransomware attacks increased 267 percent in 2016, comprising almost 70 percent of all malware distributed during the year, an amount Malwarebytes called unprecedented in its State of Malware report.

While ransomware certainly stole the show in 2016, it was far from the only tool used by cybercriminals, who also relied on malvertising, tech support scams and botnets, but the damage done by those other types of malware paled in comparison.

According to Malwarebytes' annual State of Malware report, the amount of ransomware spotted between January and November 2016 comprised 68 percent of all exploits and spam payloads with 400 variants being seen in the wild. The now defunct Teslacrypt was the leading culprit for the year, even though it was eliminated as a threat in May when its master key was made public. It was followed by Locky and Cerber, which together managed to do just as much damage during 2016 as Teslacrypt despite getting a late start.

The United States absorbed the most ransomware attacks followed by Germany and Italy.

Top 10 countries impacted by ransomware incidents

1. United States
2. Germany
3. Italy
4. United Kingdom
5. France
6. Australia
7. Canada
8. Spain
9. India
10. Austria


Malwarebytes researchers noted that the absence of one particular large nation from this list says a lot about where many ransomware attacks originate.

“A country that seems to be missing from this list is Russia. This isn't because Russian citizens,” the report stated, noting that Cerber and Locky both share the odd attribute of not “turning on” if they happen to infect a computer residing in Russia.

“This is a key clue in possible attribution of the groups behind these families as being associated with, if not located in, Eastern Europe. It also reveals why Russia is not on our list of the top most infected countries, despite its large population and accessibility to technology,” the report said.

Geography also played a role in who the bad guys targeted with malware. The report found that 81 percent of ransomware victims in North America were businesses, while consumers suffered the majority, 51 percent, of the attacks that took place in Europe.

The company also sees no change in ransomware's position this year. It does not expect any new family to displace Locky or Cerber, but many new variants will be put to use by cybercriminals. Malwarebytes said 60 percent of the ransomware variants spotted in the last half of 2016 were less than a year old, a trend it sees continuing.

However, even ransomware had to share the spotlight in 2016. Malwarebytes noted that the Kovter malware also had a good run, increasingly being used for ad fraud rather than just acting as a downloader for other malicious software. Its distribution also changed, moving away from exploit kits and drive-by downloads to phishing emails.

“The importance of Kovter being used in this fashion lies in the same reason ransomware has taken off; it provides a source of direct profit for the attackers. Rather than selling password dumps, credit card information and social media accounts to other criminals, having the victim either pay to get their important files back OR utilizing them to defraud the advertising industry are both viable methods of profiting off users directly,” the report stated.

Ad fraud's equally nasty cousin, adware, also metastasized in 2016, becoming more aggressive and intrusive, with one variety, Vonteera, able to disable anti-virus and other security software.

Adware was also found working in conjunction with tech support scams, with the malware displaying a Blue Screen of Death and a graphic directing the victim to call a fake tech support center, where someone would attempt to rip them off.

In one way adware is an even bigger problem than ransomware: Malwarebytes found that adware comprises 77 percent of all threats striking enterprises worldwide. And while it may not be as malicious as ransomware, it is still a costly problem.

“While adware is classified as a Potentially Unwanted Program (PUP), and therefore not considered as much of a threat as ransomware is to businesses, it can still represent a significant cost to the enterprise to remediate the infection or re-image the machine. Adware also creates downtime for employees, who may experience slower computers and pop-up ads that distract users from productivity,” the report stated.

Botnets also reared their ugly head in 2016, most notoriously with the Mirai botnet attacks in late September and October, and in a new way: by using compromised Internet of Things devices as soldiers in the botnet army. Because so few people lock down their IoT devices by changing the preset username and password, these devices are particularly vulnerable to being recruited into a botnet.

Malwarebytes has called for manufacturers to help make these devices more secure out of the box, but believes the botnet armies will again be on the offensive in 2017.

To develop the data for the report Malwarebytes studied 100 million corporate and consumer computers located in 200 countries between June and November 2016.
