Q2 quieter than Q1 thanks to Angler and Nuclear shutdowns

Jul 28, 2016 12:00 GMT

For the last three months, the Locky ransomware has ruled supreme atop all malware families, according to a quarterly report from security vendor Proofpoint.

Locky's dominant position is no surprise to anyone following the infosec sector: the ransomware family is created and distributed by one of the largest cyber-crime syndicates around, the same group behind the Dridex banking trojan, itself one of the most commonly encountered malware families.

To understand what happened in Q2, you need the bigger picture of the entire year. 2016 started with a bang, with Locky first appearing on the scene and steadily gaining traction, its numbers growing each week.

Locky accounted for 69% of all spam malware

This ransomware was spread not only via spam messages but also via exploit kits. Nevertheless, spam was Locky's main method of distribution, either via malicious Office files containing macro scripts or via ZIP files containing malicious JavaScript files.

Spam distribution was at record levels for most of the year so far, from January to May, with Proofpoint detecting in some periods hundreds of millions of spam messages per day.

Spam numbers took a dive in June, when one of the Dridex gang's main botnets, Necurs, responsible for distributing Locky ransomware, shut down for about three weeks.

Necurs, Angler, and Nuclear shutdowns make Q2 a quiet quarter

About the same time, the Angler exploit kit also closed down, and a month earlier, in May, so did the Nuclear exploit kit.

Necurs did eventually come back online towards the end of June, but these three blows made Q2 a quieter quarter in terms of malware distribution compared to the previous Q1.

Nevertheless, when it was active, the botnet helped Locky win the top spot as Q2's most active malware threat. According to the company's data, Locky dominated spam distribution in Q2, replacing the Dridex trojan as the most popular spam malware, while the CryptXXX ransomware remained the favorite malware spread via exploit kits.

JS file attachments were the most popular spam method

Malicious JavaScript files attached to email spam exploded in popularity, growing 230 percent compared to Q1. Many of today's malware families now rely on this trick, but it was Locky and Dridex that made this distribution method popular.
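The two spam vectors the report singles out, script files inside ZIP attachments and macro-enabled Office documents, can both be flagged at the mail gateway by looking inside the attachment's ZIP container. The following is an added triage example, not Proofpoint's tooling or code from the article; the attachment samples are constructed in memory, the extension and part-name lists are the author's assumptions, and legacy OLE documents (.doc/.xls) are deliberately left to a separate parser.

```python
import io
import zipfile

# Extensions Windows hands to the Windows Script Host or mshta on double-click;
# the Q2 2016 campaigns described above shipped .js files inside ZIP archives.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# In an Office Open XML container (.docm/.xlsm/.pptm) VBA macros live in a
# vbaProject.bin part; its presence marks the document as macro-enabled.
MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing flagged).

    Only ZIP-based containers are inspected. Legacy binary .doc/.xls files are
    OLE compound files, not ZIPs, so they are reported as 'not inspected'.
    """
    findings = []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["not a zip container, not inspected: %s" % filename]
    with zipfile.ZipFile(buf) as zf:
        for name in zf.namelist():
            lowered = name.lower()
            # Catch double extensions such as invoice.pdf.js as well as plain .js.
            if any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                findings.append("script in archive: %s -> %s" % (filename, name))
            if lowered in MACRO_PARTS:
                findings.append("vba macros in document: %s -> %s" % (filename, name))
    return findings


def _build_zip(members):
    """Constructed sample helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples for the demo; these are not real Locky artefacts.
SAMPLE_ZIP = _build_zip({"invoice_2016.pdf.js": b"// placeholder", "readme.txt": b"hi"})
SAMPLE_DOCM = _build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00" * 16})
SAMPLE_CLEAN = _build_zip({"photos/holiday.jpg": b"\xff\xd8\xff"})

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", SAMPLE_ZIP), ("report.docm", SAMPLE_DOCM), ("photos.zip", SAMPLE_CLEAN)]:
        print(fname, triage_attachment(fname, blob))
```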

The Angler and Nuclear exploit kits were more popular than many people thought, and after their shutdowns, traffic to exploit kits went down 96 percent worldwide.

Despite this, Proofpoint also registered a growth in popularity for exploit kits capable of infecting mobile devices. The company reports that over ten million Android devices were compromised this way in Q2 alone.

Overall, Android malware accounted for 98 percent of the entire mobile malware scene, which is curious: iOS holds a larger share of the mobile market relative to Android than OS X does of the desktop market relative to Windows, so the iOS attack surface is proportionally wider and crooks should, in theory, be more interested in targeting those devices. Apparently, they weren't.

Images (Proofpoint Q2 report): Malware attacks in 2016; Top malware for Q2 2016; Exploit kit traffic in 2016.