Today's Hottest Threats

Archive-based Ransomware

The figure below shows that ICSA Labs' spam honeypot received an average of 6,125 spam messages per day with attached Ransomware archives during the 28-day ICSA Labs advanced threat defense (ATD) Q4 2017 test cycle.  This volume of archive-based Ransomware was down about 85% from the previous quarter.  Although Q4 2017 levels were far below those of Q3 2017, and well below the off-the-chart levels observed a year earlier in Q4 2016, archive-based Ransomware remains a significant threat.

[Figure: Average # ZIP Archives/Day]


Aside from the daily averages shown in the figure above, the vast majority of the malicious spam with attached Ransomware archives (over 170,000 messages) arrived on two days of the Q4 2017 ATD test cycle.  Those emails were most likely part of a single Ransomware-spam campaign: although they contained different 7-Zip files with a variety of VBS scripts, every script downloaded the same Locky Ransomware binary.

Pulling back the lens, ICSA Labs examined not just the 28 days of the Q4 2017 ATD test cycle but all the 7-Zip archives containing malicious scripts that its spam honeypot received during Q4 2017.  The figure below shows that Q4 2017 once again proved, as the latter half of Q3 2017 had, to be a quarter in which the labs' spam honeypot was filled with malicious 7-Zip archives.


[Figure: Average # ZIP Archives/Day]
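As an added example (not from the report or ICSA Labs), the following stdlib-only Python routine triages mail attachments for the pattern described above: archives that carry script files such as VBS. It assumes no 7z library is available, so 7-Zip attachments are flagged on their signature alone while ZIP members are inspected, and the sample message it builds is constructed.

```python
# Added example (not ICSA Labs code): triage mail attachments for the pattern
# the report describes, archives carrying script files. Stdlib only; assumes
# no 7z library, so 7-Zip attachments are flagged on their signature alone.
import email
import io
import zipfile
from email.message import EmailMessage

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z archive signature
ZIP_MAGIC = b"PK\x03\x04"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

def classify_attachment(data: bytes) -> str:
    """Return 'suspect-7z', 'script-archive', 'suspect-zip', 'archive' or 'other'."""
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "suspect-7z"  # contents not inspected; see assumption above
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(m.lower().endswith(SCRIPT_EXTS) for m in zf.namelist()):
                    return "script-archive"
        except zipfile.BadZipFile:
            return "suspect-zip"  # ZIP signature but unreadable structure
        return "archive"
    return "other"

def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Classify every named attachment in one RFC 822 message."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if name:  # skip the multipart container and the text body
            results.append((name, classify_attachment(part.get_payload(decode=True) or b"")))
    return results

def build_sample() -> bytes:
    """Constructed spam message: a ZIP holding a .vbs file plus a 7z stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4471.vbs", "' constructed placeholder, not a downloader\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(SEVEN_ZIP_MAGIC + b"\x00" * 26, maintype="application",
                       subtype="x-7z-compressed", filename="scan.7z")
    return bytes(msg)
```

Run `triage_message(build_sample())` to see both attachments flagged; in a gateway, the same verdicts would feed quarantine or sandbox detonation rather than a print.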