If a corporate network suffers a ransomware infection, should it pay the criminals?

Check Point has warned of ransomware's meteoric rise in its latest Global Threat Intelligence Trends report, which says that ransomware attacks doubled during the second half of 2016.

According to the accompanying press release, ransomware rose from 5.5 percent to 10.5 percent of all recognised malware attacks between July and December 2016.

The most common variants were Locky (41 percent of all ransomware attacks), Cryptowall (27 percent) and Cerber (23 percent), which is also the world's biggest ransomware-as-a-service scheme. Cerber is run as a franchise: its developer recruits affiliates who spread the malware in exchange for a cut of the profits.

The H2 2016 Global Threat Intelligence Trends Report highlights the key tactics cyber-criminals are using to attack businesses and gives a detailed overview of the threat landscape in the top malware categories, such as ransomware and mobile malware.

The report is based on threat intelligence data drawn from Check Point's ThreatCloud World Cyber Threat Map between July and December 2016.

Check Point's ThreatCloud is a collaborative network used to fight cyber-crime, delivering up-to-date threat data and cyber-attack trends from a global network of threat sensors.

Check Point says ThreatCloud identifies millions of malware types daily, and contains more than 250 million addresses analysed for bot discovery, as well as over 11 million malware signatures and 5.5 million infected websites.

According to the report, the top malware families during the second half of 2016 were Conficker (14.5 percent), Sality (6.1 percent), Cutwail (4.6 percent), JBossjmx (4.5 percent) and Locky (4.3 percent).

The top mobile malware during H2 2016 was Hummingbad (60 percent of all mobile attacks), Android malware first revealed by Check Point's research team. It establishes a persistent rootkit on the device and installs fraudulent applications; with slight modifications it could enable further malicious activity such as installing a key-logger, stealing credentials and bypassing the encrypted email containers used by enterprises.

It was followed by Triada (nine percent), a modular backdoor for Android, and Ztorg (seven percent), a Trojan that uses root privileges to download and install applications on the phone without the user's knowledge.

Check Point researchers highlight a number of key trends during the period, including what they call a monopoly in the ransomware market: thousands of new ransomware variants were observed in 2016, yet in recent months the landscape became more and more centralised, with a few significant malware families dominating.

Check Point also warned of new file extensions being used in spam campaigns. The most prevalent infection vector in malicious spam throughout the second half of 2016 was downloaders executed by the Windows Script Host (WScript). Downloaders written in JavaScript (JS) and VBScript (VBS) dominated mal-spam distribution, together with similar but less familiar formats such as JSE, WSF and VBE, which Windows hands to the same script host but which many attachment filters do not recognise.
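One practical response to that finding is to triage attachments by the extension Windows will actually execute, rather than by the extension the sender wants the user to see. The script below is an added example written for this page, not Check Point's code or anything from the report; the file names, the archive contents and the thresholds (`MAX_NESTING`, `MAX_MEMBER_BYTES`) are constructed assumptions for the demonstration. It flags WSH-executed extensions (JS, JSE, VBS, VBE, WSF, WSH), looks inside ZIP attachments because the scripts usually arrive wrapped in one, and treats "Scan_0042.pdf.js"-style decoy double extensions as a separate indicator.

```python
"""Mail-gateway attachment triage for Windows Script Host (WSH) downloaders.

Constructed example: every file name and payload below is made up for this
demonstration and is not a sample from the Check Point report.
"""
import io
import posixpath
import zipfile

# Extensions Windows hands to wscript.exe/cscript.exe on double-click.
# .jse/.vbe are the "encoded" forms of .js/.vbs; .wsf/.wsh are WSH wrappers.
WSH_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh"}
# Extensions a recipient would expect to be a harmless document or image.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_NESTING = 2                 # assumed limit on archives-in-archives
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap against decompression bombs


def suffix_chain(name):
    """All lowercase extensions of a file name: 'a.PDF.js' -> ['pdf', 'js']."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    return base.split(".")[1:]


def classify_name(name):
    """'script', 'archive' or 'other', decided by the FINAL extension,
    which is the only one Windows consults when choosing a handler."""
    chain = suffix_chain(name)
    if not chain:
        return "other"
    last = chain[-1]
    if last in WSH_EXTENSIONS:
        return "script"
    if last in ARCHIVE_EXTENSIONS:
        return "archive"
    return "other"


def is_decoy_double_extension(name):
    """True for names such as 'Scan_0042.pdf.js' that hide a script behind
    a document-looking extension."""
    chain = suffix_chain(name)
    return (len(chain) >= 2 and chain[-1] in WSH_EXTENSIONS
            and chain[-2] in DECOY_EXTENSIONS)


def triage_attachment(name, data, depth=0):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'."""
    kind = classify_name(name)
    if kind == "script":
        why = "WSH script attachment"
        if is_decoy_double_extension(name):
            why += " with decoy double extension"
        return "block", f"{why}: {name}"
    if kind == "archive":
        if depth >= MAX_NESTING:
            return "quarantine", f"archive nested deeper than {MAX_NESTING}: {name}"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        return "quarantine", f"oversized member {info.filename} in {name}"
                    verdict, reason = triage_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict != "allow":
                        return verdict, f"{name} -> {reason}"
        except zipfile.BadZipFile:
            # Unreadable archives go to a human rather than being waved through.
            return "quarantine", f"unreadable archive: {name}"
        return "allow", f"archive without script members: {name}"
    return "allow", f"no WSH-executable extension: {name}"


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes} (fixture helper for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed mailbox: the .js bodies are harmless stand-ins, not downloaders.
SAMPLE_MAILBOX = [
    ("Invoice_2016.js", b'WScript.Echo("constructed stand-in");\n'),
    ("Scan_0042.zip", build_zip({"Scan_0042.pdf.js": b"WScript.Echo(1);"})),
    ("report.docx", b"not parsed here; .docx is not a WSH extension"),
    ("notes.zip", build_zip({"notes.txt": b"hello"})),
    ("broken.zip", b"not really a zip"),
]


def triage_all(mailbox=SAMPLE_MAILBOX):
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(name, data)[0] for name, data in mailbox}


if __name__ == "__main__":
    for name, data in SAMPLE_MAILBOX:
        print(name, "->", triage_attachment(name, data))
```

Two design points matter more than the extension list itself. First, the verdict is keyed on the last extension because that is what Windows uses; an earlier document-looking extension is recorded only as an extra indicator, so "readme.js.txt" is not blocked but "Scan_0042.pdf.js" is flagged twice. Second, anything the filter cannot parse (a corrupt or over-nested archive, an oversized member) is quarantined rather than allowed, since a malformed wrapper is exactly what an attacker would send to slip past a filter that fails open.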

Maya Horowitz, threat intelligence group manager at Check Point, commented: “The report demonstrates the nature of today's cyber-environment, with ransomware attacks growing rapidly. This is simply because they work, and generate significant revenues for attackers. Organisations are struggling to effectively counteract the threat: many don't have the right defences in place, and may not have educated their staff on how to recognise the signs of a potential ransomware attack in incoming emails.

“Additionally, our data demonstrates that a small number of families are responsible for the majority of attacks, while thousands of other malware families are rarely seen,” continued Horowitz. “Most cyber-threats are global and cross-regional, yet the APAC region stands out as its Top Malware Families chart includes five families which do not appear in the other regional charts.”