Two thirds of malicious emails in Q2 contained Locky

Security experts monitoring cyber-threats at a global scale have had a strange June. Strangely quiet, to be exact. A new report by security firm Proofpoint, entitled Q2 Threat Summary, describes an 'eerily quiet' month. So, what happened?

The first five months of the year were marked by malicious email campaigns of 'unprecedented volume'. Locky, a new ransomware variant, was being distributed heavily by Dridex actors, who used various types of files and other techniques to avoid detection. JavaScript attachments dominated.

In Q2, 69 per cent of all malicious emails contained Locky, compared to 24 per cent in Q1 of the same year. The number of malicious emails carrying JavaScript attachments jumped 230 per cent quarter-over-quarter.

'Highly personalised' campaigns were created at scales of tens to hundreds of thousands of messages. "This is a change from the much smaller campaigns that have used personalized and targeted lures in the past," researchers say.

Up to ten million Android devices were infected by the Angler exploit kit during this period. The attacks targeted ‘multiple vulnerabilities’ which allowed the attackers to take control of the device. In the majority of cases, attackers just downloaded adware and earned themselves some cash.

Social media phishing rose 150 per cent during that time. And then – May draws to a close.

“Then at the end of May, one of the largest botnets in the world - the so-called Necurs botnet - suddenly went dark. The change brought Dridex and Locky distribution to a near halt. At the same time, the hugely popular Angler exploit kit (EK)—an all-in-one toolkit that largely automates web-based cyber-attacks—went silent.”

Researchers are not sure what exactly happened, but they’re calling it ‘relative quiet’, meaning they expect both Angler and Necurs to be back.
