Malware activity has ramped up in the second quarter of 2017, according to reports from cyber-security firms Cyren, Check Point, Kaspersky Lab, Proofpoint, and Symantec.

While no two companies' statistics match, since each is gathered from telemetry on different systems, all reports show an increase in activity during the months of April, May, and June.

Not coincidentally, the biggest rise in activity came from the ransomware category, whose numbers were without doubt boosted by two global outbreaks — WannaCry and NotPetya.

WannaCry in particular sits atop the rankings from Check Point and Kaspersky Lab. NotPetya is ranked lower, but this outbreak was far smaller than the WannaCry attacks, being localized mainly in Ukraine and affecting an even smaller number of users when compared to day-to-day ransomware operations such as Jaff and Locky, both active in Q2 2017.

Check Point - ransomware
Source: Check Point
Kaspersky ransomware
Source: Kaspersky Lab

The Check Point and Kaspersky charts above relate to global ransomware detections. The chart below, courtesy of Proofpoint, shows ransomware payloads spread via email attachments on a daily basis.

WannaCry and NotPetya did not use email, but as expected, Jaff and Locky were head and shoulders above everyone else, mainly because these two ransomware families were spread via Necurs, today's largest spam botnet.

Proofpoint ransomware
Source: Proofpoint

Proofpoint also breaks down malicious email threats based on the category of malware they were carrying. Again, ransomware was by far the favorite payload, followed closely by banking trojans.

Proofpoint email malware per category
Source: Proofpoint

When it comes to overall email threats, in a report provided to Bleeping Computer before publication, Cyren says it detected a 586% rise in malicious email attachments and a 3% rise in generic global email spam.

In an activity report for the month of July 2017, Symantec claims that the upward trend continued, and global spam levels for last month reached the highest since March 2015.

Cyren email threats
Source: Cyren

The rise in malicious email attachments was also recorded and confirmed by fellow cyber-sec firm Proofpoint.

Proofpoint email threats
Source: Proofpoint

As once more expected, Dridex, which is also distributed via the Necurs botnet, was the most prevalent banking trojan spread via malicious emails.

Proofpoint banking trojans email threats
Source: Proofpoint

But when it comes to overall detections, including banking trojans delivered via other methods, Zeus-based strains account for most infections, while Dridex is only sixth, according to Check Point data.

Check Point banking trojans
Source: Check Point

The same Check Point research also includes data for the most popular Android malware. The most prevalent threat is called Hiddad, a basic infostealer and malware downloader for Android devices.

Check Point Android malware
Source: Check Point

Overall, malware detections for both Android and desktop systems were up 57% and 23% respectively, according to Cyren.

Cyren Android malware
Source: Cyren

On the web malware scene, activity was up just like in the other categories. Cyren reports a 16% rise in malware-hosting URLs, and a 13% rise in phishing URLs.

Cyren web malware
Source: Cyren

As for exploit kits, it's already common knowledge among industry professionals that exploit kit activity has continued to go down after the demise of several high-profile actors, such as Angler, Nuclear, Neutrino, and Sundown.

Proofpoint EK timeline
Source: Proofpoint

Nonetheless, the RIG exploit kit has stepped in to fill the void and provide the means for malvertising campaigns such as AdGholas or RoughTed to target users via malicious ads and sneaky drive-by downloads.

Proofpoint EK breakdown
Source: Proofpoint

The fact that exploit kits continue to remain relevant also explains why browsers and web-related plugins remained the favorite target of exploit packages.

Kaspersky Lab exploit breakdown
Source: Kaspersky Lab

Below are some of the other key findings recorded in the reports detailing malware activity in Q2 2017.

Proofpoint:

Ransomware accounted for 68% of all malicious messages containing malware.
Malicious message volume soared 250% vs. the previous quarter.
Dridex is back.
“One-to-one” email fraud attacks surged almost 30% from Q1.
Exploit kit traffic held steady at levels set last year, led by the RIG EK.
EKs spread disruptive ransomware through malicious web ads.
Fake social-media support accounts quadrupled vs. Q1.
Attackers are using social engineering to trick users into giving access to their accounts and personal details.

Kaspersky Lab:

1,319,148 malicious installation packages.
28,976 mobile banker Trojans (installation packages).
200,054 mobile ransomware Trojans (installation packages).
In June, there were three times as many attacked users as in April via SMS spam.
Most prevalent Android malware is Boogr (15%) and Hiddad (4%).
Most mobile malware detections were in Iran (44%) and China (31%).
Fusob remained the top mobile ransomware threat with 20% of all mobile ransomware detections.
Zbot (32%) and Nymaim (26%) were by far the most prevalent banking trojans.
Servers in the US and Netherlands are the primary hosts of malware payloads.
17.26% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
The countries with the safest online surfing environments included Cuba (5%), Finland (11.32%), Singapore (11.49%), Israel (13.81%) and Japan (7.56%).
On the other side of the spectrum, Algeria (29.15%), Albania (26.57%), and Belarus (25.62%) were considered the countries that faced the greatest risk of infection, mainly due to outdated systems connected to the Internet.

Check Point:

RoughTed was the most active and prevalent malware campaign.
The Fireball adware family ranked second.
The top three ransomware families account for 48% of all attacks.

Article updated with link to Cyren report.
