Cofense Email Security

Phishing and Ransomware Threats Soared in Q1 2016

Any hopes, however remote, that 2016 might bring relief from the troubling phishing trends prevalent in 2015 have been conclusively dashed by a thorough analysis of malware threats in the first quarter of this year. Not only has phishing intensified, but it’s also increasingly used to deliver ransomware.

In fact, the findings from the Q1 2016 Malware Review revealed that 93% of the email samples carrying malware analyzed in March actually contained ransomware. The research team analyzed more than 600 threat reports and compared our clients’ 100 largest phishing email sets from the first three months of 2016 with those of the last quarter of 2015. The team found a 6.3 million increase in raw numbers due primarily to a ransomware upsurge. That is a staggering 789% jump.

Attackers keep refining their tactics, increasingly targeting specific user roles to deliver their payloads. This is called “soft targeting” and differs from broad distribution and spear phishing by homing in on individuals based on their professional roles – and their presumed access to certain types of valuable data. Human resources professionals and hiring managers, financial professionals and sales representatives at industrial companies have become favorite targets.

Ransomware Rise

Attackers use ransomware to encrypt victims’ systems, and then demand ransom to give users back access to their data. The practice escalated in the first quarter and is likely to continue because it gives cybercriminals a reliable source of revenue. Unless victims back up their data regularly, they have no choice but to pay ransom or forgo their data.

Since CryptoLocker’s debut in 2012, ransomware has raked in hundreds of millions of dollars for cybercriminals. Three of the top five malware combinations delivered by JSDropper in the first quarter consisted of ransomware. By the end of the quarter, PhishMe had identified eight distinct encryption ransomware varieties as payloads for phishing emails.

While Locky and TeslaCrypt were on the ascent, CryptoWall was falling out of favor. CryptoWall, which has cost victims an , had accounted for more than 90% of ransomware analyzed in October and November 2015. Other varieties found in the first quarter included Crickle and Troldesh, and a new approach that involves using PowerShell scripting to create ransomware.

Roughly half of all malware analyses performed in March 2016 involved some variety of encryption ransomware, an indication of its effectiveness in monetizing cybercrime.

Soft Targeting

There was a significant rise in the frequency and sophistication of soft targeting. Soft targeting emails might include the recipient’s name and job title or deliver content tailored to recipients’ presumed interests. This requires some research by attackers to determine just the right level of specificity to lure victims into opening an infected URL or attachment. Users are more likely to respond to such a message than a blanket email aimed at unspecified recipients.

An especially successful soft targeting tactic over the past year was the “resume” or “job application” email to deliver CryptoWall to human resources and hiring managers. These users typically wouldn’t worry about clicking resume or application attachments, but in this case they would unleash ransomware.

Soft targeting is becoming more sophisticated. For instance, our researchers spotted an increase in low-volume phishing campaigns purporting to deliver an invoice or a quote for services or goods targeted at billing, shipping, or sales positions in an organization.

Even our vice president of finance, Sam Hahn, was soft-targeted with a purportedly overdue invoice. The message had personalized touches such as his first and last name in the greeting, and included a disclaimer with Hahn’s title and company admonishing anyone else who might receive the email to “ignore and erase it.” Hahn quickly spotted the attempted phish and forwarded it to PhishMe analysts.

The email’s specificity creates the impression of a unique message for a specific individual, but our analyses found dozens of similar emails delivered to individuals with the word “finance” in their job titles. As for company information, attackers can readily access sufficient details online to lend credibility to their messages. An unsuspecting user could easily fall for the ruse.

When successful, soft targeting delivers a keylogger or remote access tool to exfiltrate data such as private customer account information, intellectual property or employee records. Cybercriminals can sell this data in the black market for a profit.

The Rise of Locky

PhishMe attributes the staggering ransomware increase primarily to a strain called “Locky” and its distribution through JavaScript downloader applications (JSDropper). JSDropper surpassed Microsoft Office documents with macro scripts for malicious payload delivery.

Threat actors exploit script applications in JavaScript and Visual Basic because of their relative simplicity and widespread use. It takes little technical expertise and effort to leverage cscript.exe and wscript.exe files to execute small script applications within the Windows environment – and the potential number of victims is huge.
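As an added illustration of the delivery mechanism just described (example code, not from the original post or from PhishMe), the routine below runs over constructed process-creation events and flags wscript.exe or cscript.exe launching a .js/.vbs-style file from a user-writable temp or download folder, the trace a JSDropper attachment leaves. The event field names, sample paths and parent-process heuristic are assumptions.

```python
import re

# Windows Script Host binaries named in the post; launches of these are the pivot.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path to a script file in the command line, quoted (group 1) or bare (group 2).
SCRIPT_PATH = re.compile(
    r'"([A-Za-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf))"'
    r'|([A-Za-z]:\\[^"\s]*?\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
# Locations where an extracted or saved attachment ends up (assumed heuristic).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads)\\", re.I)
# Parents that indicate a user opened an attachment (assumed heuristic).
ATTACHMENT_PARENTS = {"outlook.exe", "7zfm.exe", "winrar.exe", "explorer.exe"}

# Constructed sample events in a Sysmon-style field layout; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\7zO4C\invoice_2016-03.js"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\resume.doc"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\quote.pdf.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def inspect_event(event):
    """Return a finding dict for a suspicious script-host launch, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_PATH.search(event["CommandLine"])
    if not m:
        return None
    script = m.group(1) or m.group(2)
    if not USER_WRITABLE.search(script):
        return None  # scripts run from system paths (e.g. slmgr.vbs) are routine
    reasons = ["script host ran a script from a user-writable location"]
    if script.rsplit("\\", 1)[-1].count(".") > 1:
        reasons.append("double extension in script name")
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in ATTACHMENT_PARENTS:
        reasons.append(f"launched from {parent}, typical of an opened attachment")
    return {"host": image, "script": script, "parent": parent, "reasons": reasons}


def triage(events):
    """Apply inspect_event to every event and keep only the findings."""
    return [f for f in map(inspect_event, events) if f]
```

Against the sample events, the two wscript.exe launches from Temp and Downloads are flagged while the cscript.exe run of a script under System32 and the Word launch are not.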

Our researchers found Locky more than 100 times from Feb. 16 to the end of the quarter, placing Locky in the third position among all malware types and first in “payload” varieties – those delivered to perform malicious activities such as data theft. The runner-up was TeslaCrypt, which together with Locky, appeared in nearly 200 JSDropper uses during the quarter.

Despite the predilection for JSDropper, Office documents with malware delivery scripting were still used often for Dridex, Neverquest, CryptoWall – and at times even Locky. This means Office documents remain a favorite malware delivery tool.

The Dridex Factor

In February, we uncovered striking similarities between Locky ransomware and the Dridex botnet Trojan, which targets banking and finance. Locky payload URLs closely resembled Dridex naming conventions, indicating a link or some type of collaboration between Dridex and Locky threat actors.

Financial crime toolkit users have branched into ransomware in the past, so this is nothing new. Since Dridex and ransomware use different approaches, cybercriminals can widen their reach by employing both. Dridex collects login credentials and controls victims’ machines, while ransomware is a more passive income-generation method that bypasses requirements to access, capture, process and monetize stolen data.

Whether threat actors use Dridex or Locky, and JSDropper or Office documents with macros for delivery, the effect is the same when they succeed – pain and expense for the victimized organization. As these attacks increase, it’s clear that empowering humans to avoid and report cyber threats has never been more acutely needed.


To download a full copy of the Q1 2016 Malware Review, click here.

