August ended with the spike in malware activity we predicted last week to welcome everyone back to school and work. Here is a summary of this week’s FortiGuard Threat Intelligence Brief.
1. Ransomware explodes. Ransomware took off this week, filling nine of the ten slots in our weekly top-ten malware detection list. Not only that, but while last week our top five detections amounted to about 2.5 million attempted ransomware infections, this week the top five totaled over 15.5 million ransomware attempts. That is more than a 6X increase in a single week!
Nearly all of these were the Nemucod Trojan, known primarily for delivering Locky ransomware variants. This week, however, the “JS/Nemucod.ASR!tr.dldr” variant was also detected trying to infect about 2.2 million victims with the newer Zepto ransomware (so called because it appends a .zepto extension to the files it encrypts). Zepto is a new variant of the Locky ransomware that started showing up at the beginning of the summer and appears to be gaining traction within the cybercriminal community.
We have also seen a strong return of some well-known malware. The BackDoor family of Trojans enables a remote attacker to access or send commands to a compromised computer. While it has been around for quite some time, this past week we began detecting a sudden spike in activity. In fact, starting yesterday we have observed a 50X increase in the volume of BackDoor attacks. At this point it is too early to tell what this means, but we will certainly be tracking the situation and will report back next week if we have new information.
2. Everything needs a place to go. One thing you can be sure of when you see a jump in malware that needs to phone home is that you will also see a spike in successful malware traffic headed to a specific command and control server or website. This week we saw a new payload URL for the Locky ransomware family come online around August 23rd, and in less than a day we saw over 800,000 attempts to connect to it. It’s safe to assume that the huge spike in ransomware detections described above is related to this surge in attempts to connect to this URL and others like it.
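A defender-side illustration of the phone-home pattern described above, added here as an example and not taken from the FortiGuard brief: it scans constructed proxy log lines for a destination URL that was absent on a baseline day and is suddenly contacted by many distinct clients on a later day. The log format, hostnames and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample proxy log lines (not real telemetry), one request per line:
# "<ISO timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2016-08-22T09:00:01 10.0.0.5 GET http://updates.example-vendor.com/patch.bin 200
2016-08-22T09:05:12 10.0.0.7 GET http://updates.example-vendor.com/patch.bin 200
2016-08-22T11:30:44 10.0.0.9 GET http://cdn.example-news.com/index.html 200
2016-08-23T08:01:00 10.0.0.5 GET http://payload.example-bad.test/loader.php 200
2016-08-23T08:01:03 10.0.0.6 GET http://payload.example-bad.test/loader.php 200
2016-08-23T08:01:09 10.0.0.8 GET http://payload.example-bad.test/loader.php 200
2016-08-23T08:02:15 10.0.0.12 GET http://payload.example-bad.test/loader.php 200
2016-08-23T08:02:40 10.0.0.13 GET http://payload.example-bad.test/loader.php 200
2016-08-23T10:00:00 10.0.0.7 GET http://updates.example-vendor.com/patch.bin 200
"""

def parse_log(text):
    """Yield (day, client_ip, url) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, url, _status = parts
        yield ts[:10], client, url  # day is the YYYY-MM-DD prefix of the timestamp

def find_new_surging_urls(text, baseline_days, min_hits=3, min_clients=3):
    """Return {url: (hits, distinct_clients)} for URLs never seen on the baseline
    days that are then hit at least min_hits times by min_clients distinct hosts
    on a single later day. A new destination hit by many hosts at once is the
    shape of a fresh payload/C2 URL coming online."""
    seen_in_baseline = set()
    hits = Counter()               # (day, url) -> request count
    clients = defaultdict(set)     # (day, url) -> distinct client IPs
    for day, client, url in parse_log(text):
        if day in baseline_days:
            seen_in_baseline.add(url)
        else:
            hits[(day, url)] += 1
            clients[(day, url)].add(client)
    flagged = {}
    for (day, url), n in hits.items():
        if url in seen_in_baseline:
            continue  # known destination, not a newly appeared URL
        if n >= min_hits and len(clients[(day, url)]) >= min_clients:
            flagged[url] = (n, len(clients[(day, url)]))
    return flagged

if __name__ == "__main__":
    print(find_new_surging_urls(SAMPLE_LOG, {"2016-08-22"}))
```

In practice the baseline would be a rolling window of days rather than one, and the thresholds tuned to the size of the monitored network.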
3. The vulnerability merry-go-round. As we reported last week, the attacks targeting vulnerable Netis devices have continued to decline. However, just yesterday we saw a jump in attacks attempting to exploit vulnerable D-Link devices. This behavior of hopping from one vulnerability to the next in surges is a reminder of the need to review vulnerability updates continually and to patch devices promptly.
If you find this data useful or interesting, we recommend subscribing to our FortiGuard Threat Intelligence Brief, which provides links to more information and a breakdown of the detailed threat research published here each week.