Locky enters the Top 10 most prevalent malware standings

Oct 23, 2016 22:30 GMT

According to statistics gathered by Check Point, a ransomware family has entered the top 3 of the most prevalent malware families for the first time ever.

While everybody knows how dangerous and devastating a ransomware infection can be, the number of affected victims had until now been consistently too low to earn ransomware a spot in the top 10, let alone the top 3 most prevalent malware families.

Things changed this summer and autumn, when ransomware infections seemed to spiral out of control. The family that made it into the top 3 is none other than Locky.

Locky's prevalence is no surprise, given that it has received several updates in the past months and is spread via the massive Necurs botnet, which, according to recent statistics gathered by MalwareTech, has over 6 million bots ready to send Locky spam.

Check Point's findings regarding Locky's rise are corroborated by a Proofpoint report released last week, which found that Locky accounted for 97 percent of all malicious file attachments spread via spam email.

Below is the full top 10 based on Check Point's data. Only desktop malware is included; the mobile malware top 3 is made up of HummingBad, Triada, and Ztorg.

1. Conficker

Conficker is a worm that targets Windows computers and first appeared in the fall of 2008, initially spreading through the MS08-067 vulnerability in the Windows Server service. Although it targeted Windows XP in the beginning, the worm evolved.

Current Conficker versions specialize in spreading from system to system, acting as an "infection" tool, but they can also download other malware when instructed by their C&C server, steal credentials, and disable security software.

2. Sality

A virus that appeared in 2003, Sality can infect computers through several different methods and is believed to have originated in Russia.

Sality is polymorphic malware: it constantly changes its own code to evade signature detection, and it works by infecting executable files and then downloading more complex malware. Just like Conficker, Sality is controlled via a huge peer-to-peer botnet.

3. Locky

A ransomware family that appeared in early 2016. It encrypts victims' files with standard algorithms, AES for the file contents and RSA to protect the file keys, implemented without a known flaw, so there is currently no way to recover the files without the attackers' private key.

Locky spreads via exploit kits, macro-laden Office documents, or ZIP email attachments containing JS, WSF, HTA, or LNK files. In most cases, the spam originates from the Necurs botnet, managed by the same crew that spreads the Dridex banking trojan.
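The ZIP-attachment lure described above is easy to screen for at a mail gateway before the user ever double-clicks anything. The following Python script is an added example written for this page, not code from Check Point, Proofpoint, or the Locky campaign itself. It unpacks a ZIP attachment in memory, flags script and shortcut members of the types the article names (the `.jse` and `.vbs` additions are this example's assumption, since they execute the same way), catches double-extension names such as `invoice.pdf.js`, recurses into nested archives (a `.docm` is itself a ZIP) to spot a VBA macro project, and refuses to inflate oversized members so a decoy zip bomb cannot exhaust the scanner. The sample attachment it builds is constructed for the demonstration and contains no real payload.

```python
import io
import zipfile

# Attachment member types the article lists for Locky's ZIP lures (JS, WSF, HTA, LNK);
# .jse and .vbs are an assumption added here, since Windows Script Host runs them the same way.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".lnk", ".vbs"}
ZIP_MAGIC = b"PK\x03\x04"        # local file header that opens every non-empty ZIP
MAX_DEPTH = 3                     # how deep to follow zip-in-zip nesting
MAX_MEMBER_BYTES = 20_000_000     # do not inflate anything whose declared size exceeds this


def scan_zip_attachment(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return a list of human-readable reasons why a ZIP attachment looks like a
    Locky-style lure. An empty list means nothing suspicious was found (or the
    bytes were not a ZIP at all)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename                   # e.g. "scan.docm!/word/vbaProject.bin"
        base = info.filename.rsplit("/", 1)[-1].lower()  # member name without directories
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script or shortcut member: {path}")
            if len(parts) > 2:                          # invoice.pdf.js: two extensions
                findings.append(f"double extension: {path}")
        if base == "vbaproject.bin":                    # VBA project inside an OOXML document
            findings.append(f"VBA macro project: {path}")
        if info.file_size > MAX_MEMBER_BYTES:           # zip-bomb guard: report, do not inflate
            findings.append(f"oversized member (not inflated): {path}")
            continue
        if depth < MAX_DEPTH:
            with zf.open(info) as fh:                   # peek at the first bytes only
                head = fh.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC:                       # nested archive or OOXML doc: recurse
                payload = zf.read(info)
                findings.extend(scan_zip_attachment(payload, depth + 1, path + "!/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample, not a real Locky lure: a ZIP holding a double-extension
    JScript file name, a macro-enabled Word document, and one benign text file."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00" * 16)      # placeholder, no real macro code
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_2016.pdf.js", "// placeholder, not a downloader\n")
        z.writestr("scan_0042.docm", docm.getvalue())
        z.writestr("readme.txt", "benign text file\n")
    return outer.getvalue()


if __name__ == "__main__":
    for reason in scan_zip_attachment(build_sample_attachment()):
        print(reason)
```

Run against the constructed attachment it reports the `.js` member twice (once as a script, once for its double extension) and the macro project inside the nested `.docm`, while the text file produces nothing. In a real gateway the extension set would be driven by policy, and a hit would quarantine the message rather than just print a line.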

4. Cutwail

A botnet built with the Pushdo trojan, which first appeared in 2007; it is used for sending spam email and sometimes for DDoS attacks.

The botnet uses a simple star architecture, with the C&C server at the center, which raises the question of why authorities haven't taken it down by now.

5. Zeus

A famous banking trojan whose source code leaked a few years back, in 2011. Zeus is also the base for most of today's banking trojans that target desktop users.

Zeus uses man-in-the-browser techniques, keystroke logging, and form grabbing to steal customers' data.

6. Chanitor

Also known as Hancitor or H1N1, Chanitor is a malware dropper and merely a stepping stone for other, more potent malware.

Crooks use spam email to spread the trojan, and in most cases Chanitor infects victims' machines with banking trojans.

7. Tinba

Tinba, also known as Tiny Banker or Zusy, is one of the world's smallest banking trojans; in the past it focused on infecting users in Asian countries.

The trojan uses Web injects to modify pages inside the compromised browser, showing fake Web pages or extra form fields on top of authentic banking portals.

8. Cryptowall

A ransomware family modeled on CryptoLocker, which lived on after authorities took down the latter.

Crooks spread Cryptowall mainly via malvertising and phishing campaigns. There is currently no decrypter that can brute-force or bypass the ransomware's encryption.

9. Blackhole

An exploit kit created by Dmitry Fedotov, a 29-year-old Russian currently serving a sentence in a corrective labor colony.

After Fedotov's arrest, development stopped, and copies of the kit have been passed around from criminal group to criminal group. Once considered the top of the exploit kit market, today the EK is largely unmaintained and less potent than its competitors.

10. Nivdort

Also known as Bayrob, this modular backdoor trojan was developed in 2007 but recently received a makeover, hence the new spike in activity.

Crooks spread Nivdort via spam and use it to collect passwords, modify system settings, and download additional malware.