PandaLabs Q1 2016 report shows ransomware is driving new malware
PandaLabs Q1 2016 report shows ransomware is driving new malware

PandaLabs claims to have identified 227,000 malware samples per day in the first quarter of 2016. The claim, which is contained in the PandaLabs Quarterly Report Q1 2016 is interesting. It shows a modest growth from the same period last year and is just below the average daily number for 2015 as a whole. This suggests that while malware is a serious threat, its growth has slowed. The danger is that this could just be a temporary blip while the next generation of attacks are being developed.

Trojans (66%) top the leaderboard when it comes to new malware samples. PandaLabs attributes this to the growth in ransomware that is now affecting all operating systems and even websites. Second place goes to viruses (16%) followed by worms (11%). The picture is different when looking at the effectiveness of these attacks in terms of infections. Trojans(66%) are still on top but second place goes to Potentially Unwanted Programs (PUPs) with 25.12% of all infections. No other type of malware recorded an infection rate of more than 4%.

Ransomware  getting easier to make money from

There has been significant growth in the tools available to enable hackers to rent ransomware making attacks easier to launch and monetise. The lack of data protection and backups among consumers and businesses has also made this an extremely profitable form of attack. PandaLabs cites the Cloud Security Alliance who say that some companies are willing to pay up to one million dollars to end an attack. For industries such as healthcare this has become a cost of doing business as the potential risk to patients for not paying outweighs the cost of getting machines unlocked. Of course this just encourages more attacks creating a vicious circle.

Over the last year ransomware has moved away from just infecting Windows machines to targeting Linux and Android. There is also at least one proven successful ransomware variant that attacks Apple Macs and iOS.

It would be easy to put the rise in ransomware and trojan infections to lazy users not taking care when surfing the web. The problem with this approach is that the attack vectors are becoming harder to spot. Compromised websites are also a serious infection vector. PandaLabs highlights that hackers have managed to use websites such as The New York Times, BBC, MSN, AOL and others to distribute their malware. They have done this by exploiting zero-day attacks and using malvertising.

Many websites are wholly dependent on advertising revenue to survive. The growth of adblockers has created a problem for those sites which means that they are willing to take almost any advertising in order to keep growing. That means dealing with advertising aggregators many of whom do little to no checks on the adverts enabling hackers to embed malware or redirects to download malware into their adverts.

PUPs a hidden danger waiting to strike

PUPs are an interesting problem. Most of them come bundled with other applications that users legitimately download. An example of this is when you update Java and you are prompted to download Google Chrome. A lot of users will not uncheck the box so the software is downloaded onto their computer. While Oracle does not disclose the commercial relationship between it and Google it does act as a distribution channel for its browser. The danger here for many users is that the software may sit unused for ages and therefore unpatched. This creates an easy target for attackers at a later date.

There are many other ways that PUPs get onto computers and they create a problem in that they utilise resources on the local machine running tasks the user has no control over. Once installed they can also pop up windows asking the user to update the software. With no coherent list tracking which PUPs are malicious and which are just annoying, users have no idea when a PUP update is being used to install malware on their computers. There are a number of attacks that take advantage of this approach.

The most infected countries seeing rates increase

The average number of computers infected in countries has risen sharply from the same period last year. It now stands at 33.32% of all computers in countries. PandaLabs directly attributes this to the rise in ransomware and PUPs.

The rate of infection in countries such as China continues to grow with over 51% of computers believed to be infected with some form of malware. With companies increasingly targeting China as they look for new markets this puts increased pressure on IT staff to ensure that security is constantly updated. Hot on the heels of China is Turkey where 48% of computers have some form of infection. Given the political situation in the country it is likely that this level of infection is partly caused by hacktivists from both sides of the political divide.

While Asia and Latin America are seen as the most infected regions Europe is seen as the best protected region. Protected is, in this context, a fairly loose word. Sweden boasts the lowest infection rate with just under 20% of computers infected and nine of the countries with the least infections are European. The odd one out is Japan with 25% of computers infected.

Reward programs on the rise

There has been an increase in the number of companies willing to use reward programs to help improve their security. PandaLabs calls out the US Defense Department with its Hack the Pentagon program. There has also been a rise in the number of commercial companies publicly talking about the monies they have awarded for the reporting of security breaches. Only a couple of days ago Instagram disclosed it had paid £7,000 to a 10-year-old Finnish boy known only as Jani.

While this approach is paying off for some companies there is also a downside to it. The sums on offer from commercial companies are relatively small compared to the monies on offer from criminal gangs via the Dark Net. There is a lot of concern in the security industry that cash strapped security researchers are playing both sides. Disclosing some attacks to raise their profile while selling others to hackers who then convert them into exploit kits and rent them out for a share of the proceeds.


The rate of malware infections per day might seem high but in fact we are seeing a stabilisation of the rate of infection over the last year. What is more concerning is that an increasing number of attacks are not just using one type of malware but are beginning to combine different types of attack to improve their effectiveness. The use of PUPs that sit around for several months even years and are maintained to make them look safe before the malware code is introduced is beginning to change the security landscape. Having been shown to be effective on mobile devices it is now being used more commonly on other computing devices.

Should we panic? No. What this report shows is what all security teams know already, that malware and security cannot be solved by one-off investments in tools and consultants. The challenge is getting that message through to the boardroom who still seem to struggle with the need to keep investing in security which is beginning to look like a money pit for the business.


Please enter your comment!
Please enter your name here