Fireball and WannaCry attacks affected more than 1 in 4 organizations globally – Check Point report


More than one in four organizations globally was affected by the Fireball or WannaCry attacks in May while two of the top three malware families that impacted networks globally were zero-day, previously unseen attacks according to Check Point Software Technologies’ latest Global Threat Impact Index.

Fireball impacted one in five organizations worldwide, with second-placed RoughTed impacting 16% and third-placed WannaCry affecting nearly 8% of organizations globally. These two malware variants, Fireball and WannaCry, rapidly spread worldwide throughout the month of May.

The most prevalent malware highlight the wide range of attack vectors and targets cyber-criminals are utilizing, impacting all stages of the infection chain. Fireball takes over target browsers and turns them into zombies, which it can then use for a wide range of actions including dropping additional malware, or stealing valuable credentials. By contrast, RoughTed is a large-scale malvertising campaign, and WannaCry takes advantage of a Windows SMB exploit called EternalBlue in order to propagate within and between networks. WannaCry was particularly high profile, bringing down a myriad of networks worldwide.

In addition to the top three, there were also other new variants seen within the top ten of the index including Jaff (8th) another form of ransomware, demonstrating how profitable this particular attack vector is proving for malicious parties.

May 2017’s Top 3 ‘Most Wanted’ Malware:

(The arrows (↑) relate to the change in rank compared to the previous month)

  1. Fireball – Browser hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  2. ↑ RoughTed – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  3. ↑ WannaCry – Ransomware that was spread in a large scale attack in May 2017 utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks.

In mobile malware, Hummingbad returned to the top of the list and was closely followed by Hiddad and Triada:

Top 3 ‘Most Wanted’ mobile malware:

  1. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  2. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  3. Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

“To see so many brand-new malware families among the world’s most prevalent cyberattacks this month underlines just how innovative cybercriminals can be, and shows how dangerous it is for organizations to become complacent,” commented Maya Horowitz, Threat Intelligence, Group Manager at Check Point. “Organizations need to remember that the financial impact from cyber- attacks goes way beyond the initial incident. Restoring key services and repairing reputational damage can be a very long and expensive process.  As such, organizations in every industry sector need a multi-layered approach to their cybersecurity.  Our SandBlast™ Zero-Day Protection and Mobile Threat Prevention, for example, protect against the widest range of continually evolving attack types, and also protect against zero-day malware variants.”

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

(The complete list of the top 10 malware families in May can be found on the Check Point Blog).