Cloudmark 2016 Q1 Security Threat Report

Locky Leads Explosion in Script-based Ransomware Attacks

  • Locky family of Ransomware explodes onto ransomware scene in Q1 due to aggressive distribution
  • Encrypts users' files on any fixed, network, or RAM drive, demanding a ransom be paid in BTC
  • Most commonly arrives as a .js file inside a .zip archive attached to a spam message

Ransomware exploded in popularity this past quarter, due largely to the Locky family of ransomware taking position as one of today’s biggest threats. Ransomware is the name given to malware that encrypts files on the victim’s computer and tries to force the victim to pay a ransom for the decryption key in order to recover their files.

Malware that encrypts the victim’s files in order to demand a ransom is not a new concept. However, the gang behind Locky gained recent notoriety due to their aggressive distribution methods.

The Locky family of ransomware is characterized by the .locky extension that it appends to encrypted files on the victim machine. Upon infection, the malware encrypts files on the victim machine covering a long list of extensions including .docx, .pptx, .xlsx, .jpeg, etc. The malware also attempts to encrypt files on connected network shares.

A ransom message similar to the following is displayed on the victim machine.

A typical ransomware message demanding bitcoins for decryption

The victim is instructed to navigate to a website hosted on the TOR (The Onion Router) anonymity network which is personalized to the victim’s individual infection. The criminals host these pages on the anonymous TOR network to protect their cash-out infrastructure. Here the victim receives further instructions on how to pay the ransom, suggestions on where to buy bitcoins, and the bitcoin wallet ID to which the ransom should be sent. The ransom currently ranges from 0.5 to 1.5 bitcoins, which at the time of writing was approximately $220 to $635 USD.


Cloudmark has consistently observed Locky being distributed in very high volume spam campaigns using malicious email attachments. Initially the malware was observed being distributed using document attachments with an embedded malicious script known as a macro. This attack requires the user to disable the security feature built into most versions of Microsoft Word that disables macro content by default. The purpose of the macro is to download the second stage of the attack, which is the Locky payload.

See below for a screenshot of a malicious document encouraging the victim to lower their security settings by enabling script content. If the user clicks the “Enable Content” button the document will execute the malicious macro script and they will be infected.

Ransomware message prompting user to lower their security settings

The following is a snippet of the malicious macro code embedded in the above document:

An example of a malicious macro embedded in a document

During March 2016, Cloudmark detected the actors shifting tactics: they began to use heavily obfuscated script files inside .zip and .rar archives. Like the macros used previously, the purpose of the script attachment is to download and execute the second stage of the malware, which is the main Locky payload.

The method of using script attachments to download further payloads has been so successful that Cloudmark has observed several other malware families adopting the technique including TeslaCrypt, Gamarue, and Dridex.

Typical Locky Email with Jscript Attachment Inside Zip File

An example phishing email used to distribute ransomware installers in attachments

Inside the zip file you can see not one, but two malicious .js files, as well as a benign file included as an attempt to pass common Bayesian filters used by many anti-virus and anti-spam vendors. Note that the content as well as the archive filenames are often jumbled with random letters and numbers to break any anti-virus signatures based on the file name.

The scripting language used to deliver the payload in this case is JScript. It is a scripting language developed by Microsoft for use in Microsoft Internet Explorer. Scripts written in JScript can also be run natively on the Windows platform using Windows Script Host.

Typical contents of a malicious ransomware zip file attached to a phishing message

If either of the files payment_details_33d4c.js or scanned_doc_14fc92e3.js is opened, the malicious code is activated and downloads the Locky ransomware payload.

JScript attachments can also arrive with a .jse file inside a .zip attachment similar to the following:

A .jse file is sometimes sent in malicious attachments

The .jse in this case contains a script obfuscated with a well-known JavaScript packer:

Cyber criminals often obfuscate their scripts to make them harder to inspect

Ongoing Innovation in Script-Based Attacks

Cloudmark detected some interesting developments in the continuing innovation of the script attachment attack vector. Several malicious email campaigns targeting distinctly different geographic segments were observed delivering malware payloads using scripts not normally seen in malware: Windows Script Files. Windows Script Files (.wsf) allow mixing of JScript, VBScript, and other scripting languages within a single XML formatted file. In these particular attacks, .wsf file attachments containing JScript code were used to download the second stage of the malware. A closer look at one particular .wsf campaign follows.

A malicious .wsf Script Attachment:

Windows script files are also preferred delivery formats for criminals

Inside the ZIP archive you can see a .wsf file:

An example of a WSF used to install ransomware

On first look at the content of the .wsf file it looks innocent:

However, if we look further down, we see some possibly encoded script content:


After removing all of the commented out junk text we are left with the following:

The malicious .wsf script after all the junk text has been removed

Note: most of the malicious code has been redacted at the "..." for this example.

You will notice that script language is defined as Jscript.Encode. This is noteworthy as the criminals have used Microsoft’s own Script Encoder to encode the script in an effort to hamper reverse engineering and avoid anti-virus detection.
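The attachment traits described in this section (script files inside an archive, comment padding in a .wsf, and a `JScript.Encode` script language) can be checked at a mail gateway before delivery. The following Python is an added example, not code from the report or from Cloudmark; the function names, the 50% padding threshold, and the in-memory sample archive are assumptions constructed for illustration, and the `#@~^` check relies on the start marker that Script Encoder output carries.

```python
import io
import os
import re
import zipfile

# Script types the report describes arriving inside archive attachments.
SCRIPT_EXTS = {".js", ".jse", ".wsf"}
# language attribute of a <script> element in a Windows Script File; matched
# with a regex because hostile .wsf files are often not well-formed XML.
SCRIPT_LANG_RE = re.compile(rb'<script[^>]*\blanguage\s*=\s*["\']?([\w.]+)', re.I)
# Start marker carried by Microsoft Script Encoder output.
ENCODED_MARKER = b"#@~^"
# XML comments, block comments and whole-line // comments used as padding.
COMMENT_RE = re.compile(rb"<!--.*?-->|/\*.*?\*/|^\s*//[^\n]*", re.S | re.M)
PADDING_THRESHOLD = 0.5  # assumed cut-off, tune against real mail


def inspect_script(name: str, data: bytes) -> list[str]:
    """Return findings for one script member of an archive."""
    findings = ["script-in-archive"]
    langs = [m.lower() for m in SCRIPT_LANG_RE.findall(data)]
    if name.endswith(".wsf") and any(l.endswith(b".encode") for l in langs):
        findings.append("encoded-script-language")
    if ENCODED_MARKER in data:
        findings.append("script-encoder-marker")
    padding = sum(len(m) for m in COMMENT_RE.findall(data))
    if data and padding / len(data) > PADDING_THRESHOLD:
        findings.append("mostly-comment-padding")
    return findings


def triage_zip(blob: bytes, max_size: int = 1_000_000) -> dict[str, list[str]]:
    """Map each script member of a ZIP attachment to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if os.path.splitext(name)[1] not in SCRIPT_EXTS:
                continue  # e.g. the benign filler file
            if info.file_size > max_size:  # declared uncompressed size
                report[info.filename] = ["script-in-archive", "too-large-to-scan"]
                continue
            report[info.filename] = inspect_script(name, zf.read(info))
    return report


def build_sample_zip() -> bytes:
    """Constructed, harmless archive shaped like the ones described."""
    wsf = (b"<job>\n" + b"<!-- lorem ipsum filler text -->\n" * 40
           + b'<script language="JScript.Encode">'
           + b"#@~^CONSTRUCTED-PLACEHOLDER^#~@</script>\n</job>\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme_0001.txt", "constructed benign filler\n")
        zf.writestr("invoice_0001.js", "var constructed = 'no payload here';\n")
        zf.writestr("scan_0001.wsf", wsf)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print(member, findings)
```

Because the archive and file names in these campaigns are randomized, the checks key on file type and content rather than on names.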

Locky Ransomware: Impact

  • The United States, Italy, and portions of the United Kingdom experienced the most consistent and prolonged targeting
  • The United States was hardest hit by raw volume, receiving 36% of all Locky-like messages
  • Locky-like messages accounted for roughly 48% of Norway’s and 17% of Japan’s spam during a three day spike in March

Historically, malicious email attachments harboring ransomware have maintained a steady, but (relatively speaking) low volume when compared to total volume of all types of spam. During the first quarter, Cloudmark detected a remarkable increase in ransomware-email volume, driven primarily by Locky-like techniques. These Locky-like sending techniques are typified by obfuscated, malicious scripts embedded within various forms of archives such as .zip and .rar files.

While ransomware can be passively encountered via malicious and compromised websites, ransomware spam usually depends heavily on social engineering, e.g. enticing recipients into opening the attachment. This requires attackers to form an enticing and believable pitch and provide an attachment file type that may bypass some spam filters. In the case of the 1Q16 ransomware spam, attackers began with malicious Word docs, but moved to favoring .zip harboring malicious JavaScript followed by .rar attachments in the final days of the quarter.

Malicious attachments with these compressed file types increased dramatically during 1Q16, as can be seen in the chart below[1]:

Note: this graph includes all .js-in-archive based attacks, including Locky.

The United States was hardest hit by raw volume, receiving 36% of all Locky-like messages. This is not an unexpected observation. Traditionally, the United States is one of the most targeted countries for spam and email malware due to a number of factors including: a larger population, more IP and email address space, economic factors contributing to better return on investment, and sample biases since most vendors have a strong customer presence in the country – Cloudmark included.

The following graphs show the volume distribution of recipient countries for Locky-style script-based attacks.

Italy, Japan, the Netherlands, and Norway are noteworthy members of the top 10 that are not often seen among the hardest hit by malware. Italy’s and Japan’s high volumes have been confirmed by other vendors[2]. As we explore later, the presence of Japan and Norway does not appear to be the result of customer-base bias. Both countries have seen significant percentages of spam received using Locky-like methods.

The chart below illustrates the volumes experienced by the aforementioned top ten countries during the February and March period. The dependent axes are normalized to a scale of one, as raw volume numbers cannot be published due to customer privacy agreements.

Relative Locky-like Volume per Country Over Time, 16Q1. Source: Cloudmark Global Threat Network

The United States, Italy, and portions of the United Kingdom experienced the most consistent prolonged targeting. Interestingly, Japan, the Netherlands, and Norway were much slower to be targeted. Expansion to those countries may be a result of increased competition and over-saturation between attacks as the Locky ransomware became widespread.

In order to help control for the bias introduced by varying customer base sizes in each country, we took these Locky volumes as a percent of each country’s total volume of spam. This helps illustrate the impact that the campaign has had in each region.

The following graphs show the difference in proportion of Locky-style script-based attacks as a percentage of all spam for each country during the period:

Most public sources indicate a first-infect date around February 16th; however, we see similar activity as early as February 5th. This may be due to the crossover of techniques that Locky shares with similar ransomware such as TeslaCrypt.

Of the numerous coordinated spikes across multiple countries, the most notable were the volume increases experienced by each of the countries between March 22nd and March 24th, 2016. Norway and Japan received the most as a percentage of each country’s total amount of spam during the largest peak of these attacks. Locky-like messages accounted for roughly 48% of Norway’s and 17% of Japan’s spam during these three days.

Locky in Japan

  • Despite a smaller population, Japan received 1.3 times as many Locky-like messages as the United States during the largest observed spike
  • This spike contributed to doubling the volume of spam received by Japan when compared to the preceding three days
  • Surprisingly, 64% of Locky-like messages destined for Japan during this three-day spike were sent from within Japan

It was unusual to see the most dramatic spikes in two countries that don’t typically receive the world’s highest volumes. To put this in perspective, Japan received 1.3 times as many Locky-like messages as the United States during this three-day deluge. However, the United States received 19 times as much total spam as Japan during those same three days. If the amount of Locky seen were expected to be proportional to the amount of spam, then Japan should have received a nineteenth of the U.S.’s Locky-like volumes. This variation means Japan was 25 times higher than expected, based on U.S. volumes.

This spike contributed to doubling the volume of spam received by Japan when compared to the preceding three days. Seeing such a stark concentration suggests that Japan was intentionally targeted rather than just a member of some larger blanketed attack.

Next, we compared sending patterns of spam during these three days. Many countries received a large portion of their spam from emails within their own country. However, it was surprising to see that 64% of Locky-like messages destined for Japan during this three-day spike were from within Japan.

This is likely to help with deliverability. Being sent within the same country can lend some legitimacy when evaluated by filtering policies and, similarly, being from the recipient’s own country can help trick the victim into opening the attachment due to familiarity. We compare this to the top senders of all spam types to Japan and see some interesting differences:

Again, it’s expected to see the majority of spam to come from within the country’s borders. Brazil, the United States, China, and India are also common countries to see as top spammers due to the number of internet users and, in some cases, lax spam laws.

It’s interesting that despite these common countries sending the most spam, Viet Nam sent the second largest amount of Locky-like messages during this spike. Taiwan, Hong Kong, and Estonia are also unusual countries to see among the top 10 countries sending Locky-like messages to Japan. This hints at these countries having a higher concentration of the botnet that is being used to send these attacks.

This probably also explains the reasoning for targeting Japan and Norway: opportunity. These botnets likely had a large presence of compromised hosts in these two countries. With a greater chance of both successful delivery and infection, the attackers probably sought to focus on leveraging more of this subset for a better return on their investment.

Country Report: Nigeria

  • Nigerian advance-fee scams remain lucrative, with some instances resulting in losses in the millions of dollars
  • Most Nigerian spam does not originate from Nigerian IP addresses
  • Nigerian scammers prefer free mail providers, with Outlook and Hotmail topping the list

Nigerian spammers have long since established themselves as part of internet tradition and lore. Their preferred attack is Advance-Fee Fraud, commonly called the “419 scam” after the relevant Nigerian criminal code. The scam attempts to trick recipients into sending money to a Nigerian Prince, or other fictitious dignitary, in order for them to unlock a large sum of inheritance or lottery money. Recent varieties include those promising jobs, investment opportunities, or lucrative government contracts.

These scammers, sometimes called “Yahoo Boys” due to their early affinity towards using Yahoo mail, have not changed their tactics in decades. At least one study theorizes that Yahoo Boys deliberately keep their scams easy to spot for the vast majority of recipients, so that they only garner responses from the most gullible or naive of victims. There are reports indicating that these scammers are becoming more sophisticated[3][4][5] and adding malware to their repertoire in order to impersonate and steal identities, but still with the goal of executing a successful 419 scam.

The tactics may be evolving continuously, but the bottom line remains the same: 419 scams are lucrative. Ultrascan[6] estimates the annual losses due to these scams total over $10 billion with an upward trend. The average losses per incident are reported to be around $5000, but examples resulting in losses of millions are not uncommon.[7]

Yet, despite its reputation, Nigeria is a low volume spam sender at 70th worldwide. In 2015, Cloudmark’s Global Threat Network detected 300 times fewer spam messages originating in Nigeria compared to the United States. Of these, the United States received the lion’s share of Nigeria’s outbound spam at 70%, with Australia a distant second at 5.3%.

However, Nigeria’s spam counts are likely highly underrepresented because spammers in the country have historically relied heavily on foreign free mail providers. This is partly due to the scarcity of IPv4 addresses in their country, with 500 times fewer addresses per capita than the United States. This remains the case today, although today we see a lot more 419 spam being sent from than from Yahoo.

In our analysis, we assumed that 419 scams claiming to be from Nigeria actually originate from a spammer in Nigeria. Although it proved difficult to exhaustively enumerate all 419 scams in our data warehouse, we collected a sample of “traditional” 419 scam messages originating from non-Nigerian IPs using keyword searches for terms such as “Beneficiary” and “Bank of Nigeria”. Using this relatively simple collection method, we found at least as many 419s sent using free-mail providers as there were outgoing spam messages from Nigerian IPs.

Business Email Compromise Rises Dramatically in Q1

  • Email impersonation attacks increasingly target businesses, making BEC attacks a lucrative growth area for cybercriminals
  • Losses from BEC wire fraud attacks reported by the FBI rose to an average of $104 million per month over the last 15 months
  • W-2 tax fraud attackers expanded their tactics from phishing consumers in 2015 to spear phishing business tax records in 2016

The first quarter of 2016 saw a dramatic increase in two types of text-only, email impersonation attacks known collectively as Business Email Compromise (BEC). These two types share similar techniques but focus on two separate pay-offs: wire fund transfers and W-2 tax records. Each attack begins with a simple email, purporting to come from a superior or trusted vendor or colleague, with a straightforward request. No malware or malicious links accompany the email, enabling it to remain undetected by many secure email gateway (SEG) solutions. Both the FBI[8] and the IRS[9] report that these attacks are being mounted by organized crime.

BEC Attacks: Wire Fraud

The FBI defines[10] the wire fund transfer form of BEC attacks as an impersonation email (pretending to be from CEO, C-suite executive or trusted vendor) requesting a fraudulent wire funds transfer.

Attackers impersonate a company executive and send a (fake) email message to a finance department employee, instructing the worker to wire funds immediately to a given bank account, usually located abroad. The tone of the email is urgent.

The attacks are much easier to craft than a malicious URL or malware attachment but require extensive research. Attackers research prospective targets and craft a brief email, which typically purports to be a request from the CEO (or a CFO).

Infographic: How CEO Wire Fraud Works

Due to the simplicity in executing these attacks, BEC spoofing attacks are one of the fastest growing forms of cyber fraud. By the end of Q1, the FBI reported that BEC attacks had increased 270 percent over the 15-month period from Q1 2015 through March 2016, with attacks escalating during that period.

The number of victims the FBI reported[11] in August 2015 was 7,000; by April 4, 2016, the FBI reported[12] that the number had more than doubled to 17,642 victims in the span of seven months.

The FBI’s cybercrime group reported that the total financial losses reported from BEC attacks reached $2.3 billion for the period from October 2013 through March 2016, which was a dramatic increase from the $740 million the FBI reported in August 2015 (for the 23-month period from October 2013 through August 2015).

Using these numbers, one can calculate that in the first 23-month period (October 2013 through August 2015), the average reported loss was $32 million per month. During the more recent 15-month period, the average reported loss per month tripled, reaching $104 million per month.[13] Clearly, the monetary losses involved in BEC attacks are escalating.

It’s worth noting that of the top five BEC losses reported to date, the two largest reported losses took place in Q1, further underscoring this point.

Q1 2016 Reported BEC Wire Fraud Transfer Losses

  • Crelan Bank, Belgium, $76 million[14]
  • FACC, Austria, $54 million[15]

Top 2015 Reported BEC Losses

  • Ubiquiti Networks, San Jose, California, $46 million[16]
  • Xoom (owned by Paypal), San Francisco, California, $30 million[17]
  • Scoular, Omaha, Nebraska, $17 million[18]

Infographic: Rising Costs of Wire Fraud

According to FBI statistics[19], it isn’t just the big companies that are losing money to this scam. In Arizona, for instance, the most frequently reported business losses were between $25,000 and $75,000.

In addition to FBI reports of increasing numbers of victims and mounting monetary losses, financial institutions are finding themselves enmeshed in the problem when commercial customers and consumers lose money in a BEC. Account holders look to their financial institutions to retrieve funds lost to the cybercriminals, becoming extremely chagrined when they find there is little the bank can do; in most cases the funds are already gone. The FBI states[20] that most funds wind up being wired to bank accounts in China.

In this example of an actual BEC email, we have changed the to, from, and domain names for privacy. In the original, the actual domain of the company being targeted was used, along with the names of real employees.

Phishing emails are crafted in order to create urgency for their recipients

In the graphic below, one can see from the Mail-Reply-To that the sender’s true identity is, and any response will be sent to

Both Joe Bloggs and dsmith were real people at the company in question and their information was available on social media. By asking for a “quick reply” and sending at 7:11am, the phisher is possibly hoping to catch the person while they’re checking email on their phone. The goal is to start a conversation and build trust. If the victim replies to this conversation, then they are less likely to question if the conversation is real on future messages in the thread.

The email was injected to the hosting provider via a Webmail script and the domain name – – was purpose-made for the sake of this email. The header was overwritten to prevent “Sent on Behalf of:” from showing up in the email client’s “From:” address view.

A closer look at the headers of a phishing email
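The header pattern described above, a From address on the company's own domain with replies steered to a different domain through Reply-To or Mail-Reply-To, is something a mail filter can test for. The following Python is an added example, not code from the report or from Cloudmark; the function names, the signal strings, and the sample messages (which use the reserved example.com and example.net domains) are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers a mail client may honour when the recipient replies.
REPLY_HEADERS = ("Reply-To", "Mail-Reply-To")


def header_domains(msg, name):
    """Lower-cased domains of every address in all instances of a header."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}


def bec_signals(raw, org_domains):
    """Return reply-redirection signals for one raw message.

    org_domains is the set of domains the receiving organisation owns.
    """
    msg = message_from_string(raw)
    from_domains = header_domains(msg, "From")
    signals = []
    external_reply = False
    for name in REPLY_HEADERS:
        # Reply domains that do not match the visible From domain.
        for domain in sorted(header_domains(msg, name) - from_domains):
            signals.append(f"{name} redirects replies to {domain}")
            external_reply = external_reply or domain not in org_domains
    # Strongest case: the message claims an internal sender but the
    # conversation would continue with an outside mailbox.
    if external_reply and from_domains & org_domains:
        signals.append("internal From with external reply address")
    return signals


# Constructed sample shaped like the message described above.
SAMPLE_BEC = """\
From: Joe Bloggs <jbloggs@example.com>
To: dsmith@example.com
Mail-Reply-To: Joe Bloggs <jbloggs@example.net>
Subject: Quick reply needed
Date: Mon, 04 Jan 2016 07:11:00 -0800

Are you at your desk? I need a quick reply.
"""

# Constructed ordinary internal message for comparison.
SAMPLE_LEGIT = """\
From: D Smith <dsmith@example.com>
To: jbloggs@example.com
Reply-To: dsmith@example.com
Subject: Meeting notes

Notes attached.
"""

if __name__ == "__main__":
    print(bec_signals(SAMPLE_BEC, {"example.com"}))
    print(bec_signals(SAMPLE_LEGIT, {"example.com"}))
```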

A New BEC: W-2 Tax Fraud Attacks

With the growing monetary success of text-only email impersonation attacks, this year saw the rise of a new type of tax fraud attack. This new form targeted enterprise-wide tax records using email impersonation techniques similar to wire fraud BECs by the use of social engineering and email spoofing.

In W-2 email attacks, the prize is W-2 tax returns. With this data, cybercriminals can file fraudulent tax returns before the real employees can. It’s a more cumbersome approach than the wire fraud attacks, but it’s become increasingly popular as it may be more efficient than phishing individual taxpayers.

In previous years, cybercriminals focused on the more traditional email (and SMS) phishing — targeting individuals’ tax returns in 2014, for instance.

While the IRS states[21] that phishing attacks on consumers for 2015 returns increased 400 percent, the total numbers were low. In January 2014, the agency reported 254 victim reports for W-2 scams. In January 2015, the IRS reported 1,026 incidents, or a year over year increase of 400%.

In 2015, the total number of reported W-2014 tax scams was 2,748. Figures for 2015 returns have not yet been made available. These numbers may pale in comparison to the number of employees at companies that have been victims of W-2 tax fraud.

As Cloudmark reported in a March 31st blog post[22], by the end of the first quarter of 2016, W-2 tax fraud attacks had occurred at more than 55 companies. (Additional reports in April added 9 more organizations to the list.) A wide gamut of sectors have been affected, with targets ranging from education and healthcare to construction and retail.

Major W2 Spear phishing attacks plotted on a map

High tech companies with well-secured technology defenses - like Seagate and Snapchat - fell for the “hack the human” impersonation emails, disclosing tax records on thousands of employees. Even Stanford was impacted, with 600 employees’ records stolen when a vendor it used – W2 Express – was compromised.

What's Ahead

Since Business Email Compromise attacks don’t require a large amount of expertise and time to create, attackers will continue to barrage employees with impersonation emails, looking for the companies with weak training or those who lack sufficient spear phishing prevention and detection solutions.

As these attacks escalate, a more concerted response from government and enterprises will result. For now, the cybercriminals are succeeding because many companies do not have sufficient protection and these attacks can be difficult for an individual to identify.


  1. Note: this graph includes all .js-in-archive based attacks, including Locky.
  2. Avast
  3.
  4.
  5.
  6. NOT-FINAL-1.pdf
  7.
  8.
  9.
  10.
  11.
  12.
  13. Note: There is no way to eliminate the overlapped 8-month period in 2015 from the FBI stats without additional FBI data which has not been available.
  14.
  15.
  16.
  17.
  18.
  19.
  20.
  21. Industry-Also-Targeted
  22.
