789% quarter-over-quarter spike in malware and phishing

An analysis of phishing email campaigns from the first three months of 2016 found an increase of 6.3 million phishing emails in raw numbers over the last quarter of 2015, driven primarily by a ransomware upsurge. That is a 789% jump.

Figure: Proportions of ransomware samples analyzed, Q4 2015 and Q1 2016

PhishMe identified three key trends that were already recorded during 2015 but have come to full fruition in the last few months:

  • Encryption ransomware
  • Soft targeting by functional area
  • Downloader/ransomware: the one-two combination

“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber criminal enterprises,” explains Rohyt Belani, CEO of PhishMe.

“Another 2015 trend that emerged into fuller fruition during the first quarter of 2016 is threat actors’ use of soft targeting in phishing. In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a category of individuals based on their role within any organization anywhere in the world. Criminals target this subset with content relevant to their role. Such malicious emails are typically accompanied by Microsoft Office documents laden with malware or the ability to download the same,” Belani added.

Towards the end of 2015, PhishMe’s Research team pointed to the growing prevalence of JavaScript downloader applications as a malware delivery mechanism. During the first three months of 2016 that prediction materialized, most visibly through the prolific use of JavaScript downloaders by the distributors of Locky.

“During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails. JSDropper applications were present in nearly one third of all phishing email analyses performed by PhishMe,” says Belani.
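Both delivery mechanisms Belani describes, JavaScript downloaders (usually zipped and often hiding behind a double extension such as invoice.pdf.js) and Office documents carrying VBA macros, leave a recognizable footprint at the mail gateway. The Python below is an added example, not PhishMe’s tooling or anything taken from the report: it builds a constructed sample message in memory and triages its attachments, descending into zip archives and looking inside OOXML containers for a macro project. The extension lists, the sample addresses, file names and attachment contents are all assumptions constructed for the example.

```python
"""Attachment triage for JavaScript downloaders and macro-bearing Office files.

Added example, not PhishMe's code. All sample data below is constructed.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed extension lists; tune to the environment.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".ps1", ".cmd", ".bat"}
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# OOXML files are zip containers; a VBA project is stored as a separate part.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge members (zip bombs)
MAX_DEPTH = 2                       # zip-in-zip nesting we are willing to follow


def _ext(name):
    """Last extension of a file name, lower-cased ('invoice.pdf.js' -> '.js')."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_blob(name, data, depth=0):
    """Return a list of (finding, path) tuples for one attachment body."""
    findings = []
    ext = _ext(name)
    if ext in SCRIPT_EXTS:
        findings.append(("script_attachment", name))
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if ext in OOXML_EXTS:
            if any(part in names for part in MACRO_PARTS):
                findings.append(("office_macro", name))
            return findings
        if depth >= MAX_DEPTH:
            findings.append(("zip_nesting_too_deep", name))
            return findings
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(("oversized_member", path))
                continue
            findings.extend(inspect_blob(path, zf.read(info), depth + 1))
    return findings


def inspect_message(raw_bytes):
    """Parse an RFC 822 message and triage every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_blob(name, part.get_payload(decode=True)))
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from a {name: bytes} mapping (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


def build_sample_email():
    """Constructed sample: zipped JS downloader, macro-bearing .docm, benign PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed address
    msg["To"] = "ap@example.invalid"           # constructed address
    msg["Subject"] = "Invoice 2016-03-117"
    msg.set_content("Please find the attached invoice.")
    # Stand-in for a JS downloader; not real malware, just a script-typed file.
    js_stub = b"var sh = new ActiveXObject('WScript.Shell'); // constructed stub"
    msg.add_attachment(_zip_bytes({"invoice_2016.pdf.js": js_stub}),
                       maintype="application", subtype="zip",
                       filename="invoice_2016.zip")
    docm = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\x00" * 16})
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="PO_4471.docm")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding, path in inspect_message(build_sample_email()):
        print(finding, path)
```

Two caveats a practitioner would add: extension checks only catch what the sender did not bother to disguise, so they belong alongside content inspection and, at minimum, a policy that strips or quarantines script-typed attachments outright; and the vbaProject.bin check only covers the OOXML (zip-based) formats, so legacy OLE files such as .doc and .xls need an OLE parser (for example oletools) to reach the macro streams. The depth and member-size limits are there because an inspector that inflates arbitrary archives is itself a denial-of-service target.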

Whether threat actors deliver encryption ransomware via phishing messages, send tailored messages to a functional area of an organization, or combine Dridex or Locky with a JSDropper or a macro-laden Office document for delivery, the impact on the victimized organization is significant: it has to expend scarce incident response resources on clean-up, manage a potential public relations nightmare, and in some cases even give in to the attackers’ ransom demands.

Belani concludes, “As the frequency and magnitude of such phishing attacks increase, the importance of empowering humans to avoid and report them, and giving incident response teams the ability to rapidly react to such reports has never been more acute.”