Cloudmark’s Security Threat Report for Q1 of 2016 is now live. This quarter we cover:
- Characteristics of and methods used in script-based Locky ransomware attacks
- The Locky family’s explosion onto the ransomware scene in Q1 due to aggressive distribution
- A look at the regions most impacted by Locky
- Analysis of Locky attacks sent to Japan, the third most impacted country
- A current look at Nigerian 419 scammers
- Business email compromises phishing for fraudulent wire transfers and W-2 records
The full report can be found here while highlights follow below.
A major focal point of the first quarter was the emergence of a new ransomware family known as Locky, so named for its .locky extension. This new form of ransomware was the main culprit for the quarter’s dramatic rise in ransomware.
Encrypting a long list of extensions including .docx, .pptx, .xlsx, .jpeg, etc. to hold as ransom, Locky attempted to spread via malicious email attachments. These attachments would be used to download a second stage of the attack, the Locky payload. During March, Cloudmark detected actors shifting tactics from malicious macros within Microsoft Word documents to heavily obfuscated script files inside of .zip and .rar archives.
Cloudmark used these indicators to monitor the breadth of attacks over the quarter. The United States, Italy, and portions of the United Kingdom saw the most consistent and prolonged targeting, while other nations such as Japan and Norway saw focused spikes of extremely high attack volumes. An overview of recent Locky attacks can also be found in our latest infographic.
Japan, in particular, received the most dramatic targeting of these attacks. Despite a smaller population, Japan received 1.3 times as many Locky-like messages as the United States during the largest observed spike. This attack was large enough that Japan’s levels of spam doubled during this three-day spike when compared to the preceding three-day period. Interestingly, a majority of these messages were sent from within Japan.
Research into modern Nigerian 419 scams suggests that this form of advance-fee fraud remains lucrative, netting millions of dollars in some cases. Analysis of samples detected by Cloudmark reveals that much of the spam does not originate from Nigeria’s IP space. Also, it appears that these “Yahoo Boys” have shifted from their preference for using Yahoo! email addresses to Outlook and Hotmail.
Finally, we recap a rapidly growing and extremely lucrative area of email impersonation attacks. These business email compromise (BEC) attacks have been successful enough over the past 15 months to steal on average 104 million USD a month from U.S. businesses via fraudulent wire transfers. During the first quarter alone, just two cases of BEC wire fraud attacks have been responsible for $76 million and $54 million in losses.
Similarly, this U.S. tax season has seen the rise of BEC attacks attempting to compromise the tax records of entire companies. These records are used for identity theft and for filing fraudulent tax returns for cash. This quarter alone, attackers successfully duped over 55 companies into compromising all of their U.S. employees’ W-2 records.
For more information about each of these topics, the full report is available here.